Markus Wulftange

**Name of the Vulnerable Software and Affected Versions** SmarterTools SmarterMail versions prior to build 9511 **Description** An issue exists in the 'ConnectToHub' API method, specifically at the endpoint '/api/v1/settings/sysadmin/connect-to-hub', due to missing authentication for a critical function. This allows an unauthenticated remote attacker to point the server to a malicious HTTP server using the `hubAddress` parameter. The server then fetches attacker-controlled JSON, which triggers the `CommandMount` function to execute arbitrary OS commands under the SYSTEM context. This flaw has been actively exploited in ransomware campaigns, including attacks by the Warlock ransomware group, which compromised SmarterTools' own internal infrastructure. Over 6,000 exposed instances have been identified globally, with more than 1,000 exploitation attempts observed within a two-week period. **Recommendations** Update SmarterMail to build 9511 or later. As a temporary workaround, restrict access to the '/api/v1/settings/sysadmin/connect-to-hub' API endpoint. Monitor SmarterMail logs for suspicious outbound connections to unknown HTTP endpoints and unexpected POST requests to the 'ConnectToHub' endpoint.

Name of the Vulnerable Software and Affected Versions: SmarterTools SmarterMail versions prior to build 9511 Description: SmarterTools SmarterMail contains an authentication bypass vulnerability in the password reset API. The `force-reset-password` endpoint at `/api/v1/admin/force-reset-password` permits anonymous requests and does not verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator `username` and a new `password` to reset the account, resulting in full administrative compromise of the SmarterMail instance. SmarterMail system administrator privileges grant the ability to execute operating system commands. This vulnerability has been actively exploited in the wild, with reports of Warlock ransomware operators gaining access and moving laterally through networks. Approximately 6,000 instances were identified as potentially vulnerable. Exploitation involves resetting admin passwords and leveraging built-in features for remote code execution. Recommendations: Upgrade to build 9511 or later immediately. Restrict API access via IP allowlisting. Deploy a Web Application Firewall (WAF) for the `/force-reset-password` endpoint. Implement geo-blocking for admin interfaces. Review access logs for external POST requests, unauthorized admin changes, and new account creations. Rotate exposed credentials.

**Name of the Vulnerable Software and Affected Versions** Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211) **Description** Information disclosure is possible by a local threat actor through an absolute path vulnerability. This issue allows a local threat actor to potentially disclose sensitive information. **Recommendations** For versions prior to 2025 Q1 (19.0.25.211), update to a version released after 2025 Q1 (19.0.25.211) to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and implementing additional security measures to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Microsoft SharePoint Server (affected versions not specified) Microsoft SharePoint Server Subscription Edition (affected versions not specified) Microsoft SharePoint Enterprise Server (affected versions not specified) Description: The issue is related to errors in handling relative directory paths, which can be exploited by a remote attacker to disclose protected information. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 **Description** The issue is related to a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware, specifically in the Core component. This vulnerability allows an unauthenticated attacker with network access via T3, IIOP to compromise the Oracle WebLogic Server. Successful attacks can result in the takeover of the Oracle WebLogic Server. It is estimated that over 18,000 services are potentially affected. The vulnerability can be exploited by sending specially crafted network packets, allowing an attacker to gain full access to the vulnerable software. **Recommendations** For Oracle WebLogic Server version 12.2.1.4.0, update to a newer version to mitigate the risk. For Oracle WebLogic Server version 14.1.1.0.0, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924) **Description** The issue is related to the insecure type resolution vulnerability in Progress Telerik Reporting, allowing for object injection and potentially enabling a remote attacker to execute arbitrary code. This vulnerability can be exploited through the injection of external input to select classes. **Recommendations** For versions prior to 2024 Q3 (18.2.24.924), update to version 2024 Q3 (18.2.24.924) or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable type resolution functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Telerik Report Server versions prior to 2024 Q3 (10.2.24.924) **Description** The issue is related to an insecure type resolution vulnerability, allowing a remote code execution attack through object injection. This vulnerability can be exploited by providing input that enables the selection of classes, potentially leading to arbitrary code execution. **Recommendations** For versions prior to 2024 Q3 (10.2.24.924), update to version 2024 Q3 (10.2.24.924) or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable component until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924) **Description** The issue is related to insecure expression evaluation, allowing for object injection and potentially leading to code execution attacks. This can be exploited by providing input that enables external control over class selection, which may permit an attacker to execute arbitrary code. **Recommendations** For versions prior to 2024 Q3 (18.2.24.924), update to version 2024 Q3 (18.2.24.924) or later to resolve the issue. As a temporary workaround, consider restricting the use of insecure expression evaluation until a patch is applied. Avoid using vulnerable functions or parameters that may facilitate object injection attacks.

Name of the Vulnerable Software and Affected Versions: In Progress Telerik Reporting versions prior to 18.1.24.709 Description: The issue is related to an insecure type resolution vulnerability, allowing for object injection and potentially enabling a code execution attack. This can be exploited by manipulating input data to select classes, which may permit a remote attacker to execute arbitrary code. The vulnerability can lead to unauthorized access, data theft, and system compromise. Recommendations: For versions prior to 18.1.24.709, upgrade the affected component to version 18.1.24.709 or later to resolve the issue. As a temporary workaround, consider restricting access to the reporting component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework versions prior to 4.8.4682.0/4.8.9206.0 **Description** The vulnerability is related to insufficient protection of service data when processing ObjRef objects, which may allow a remote attacker to gain unauthorized access to protected information. A successful exploit may allow an attacker to disclose sensitive information. The issue has been exploited in the wild and is tracked by CISA as a Known Exploited Vulnerability. **Recommendations** Upgrade .NET ASAP to the latest version to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to HTTP .NET Remoting to minimize the risk of exploitation. Avoid using ObjRef objects in HTTP .NET Remoting until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 9.5.0.1 Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 9.3.0.5 Hitachi Vantara Pentaho Data Integration & Analytics version 8.3.x **Description** The issue allows control of system level data sources due to the lack of restriction on JNDI identifiers during the creation of XActions. **Recommendations** For versions prior to 9.5.0.1, update to version 9.5.0.1 or later. For versions prior to 9.3.0.5, update to version 9.3.0.5 or later. For version 8.3.x, consider restricting the creation of XActions or disabling the feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ASP.NET (affected versions not specified) **Description** The issue is related to errors in security settings of the Microsoft .NET Framework platform. It allows a remote attacker to access a closed part of a web application by sending a specially formed request. This is a security-feature bypass issue that can affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server (affected versions not specified) **Description** The issue is related to an elevation of privilege vulnerability in Microsoft SharePoint Server, which can be exploited by creating a specially crafted ASP.NET page. This could allow a remote attacker to gain administrator privileges. The vulnerability is associated with insufficient access restrictions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server (affected versions not specified) Microsoft SharePoint Server Subscription Edition (affected versions not specified) Microsoft SharePoint Enterprise Server (affected versions not specified) **Description** The issue is related to insufficient input validation in Microsoft SharePoint Server, allowing a remote attacker to execute arbitrary code. This can affect the system. The vulnerability involves the `TemplateParser` and can be exploited to gain remote code execution (RCE) in SharePoint Online and On-Premise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Orckestra C1 CMS versions prior to 6.13 **Description** A vulnerability in Orckestra C1 CMS allows remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this issue. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. **Recommendations** For versions prior to 6.13, upgrade to C1 CMS v6.13 or newer to resolve the issue. As a temporary workaround, consider restricting access to the system to minimize the risk of exploitation until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** BMC Track-It! version 20.21.2.109 **Description** This issue allows remote attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the authorization of HTTP requests, resulting from the lack of authentication prior to allowing access to functionality. An attacker can leverage this issue to execute code in the context of the service account. **Recommendations** For version 20.21.2.109, consider restricting access to the HTTP module to minimize the risk of exploitation until a patch is available. As a temporary workaround, ensure proper authentication mechanisms are in place prior to allowing access to functionality. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** DevExpress (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this issue. The flaw exists within the SafeBinaryFormatter library due to the lack of proper validation of user-supplied data, resulting in deserialization of untrusted data. An attacker can leverage this issue to execute code in the context of the service account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ZK Framework versions 8.6.4.1, 9.0.1.2, 9.5.1.3, 9.6.0.1, 9.6.1 **Description** The issue is related to the AuUploader component of the ZK Framework, which allows attackers to access sensitive information via a crafted POST request. This can enable a remote attacker to gain unauthorized access to protected information. Approximately 5,600 instances are potentially affected. **Recommendations** For ZK Framework versions 8.6.4.1, 9.0.1.2, 9.5.1.3, 9.6.0.1, 9.6.1, consider disabling the AuUploader component until a patch is available to prevent exploitation. Restrict access to the AuUploader component to minimize the risk of unauthorized access. Avoid using the AuUploader component in the affected ZK Framework versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microsoft Exchange Server (affected versions not specified) **Description** The issue is related to errors in code generation management. It allows a remote attacker to execute arbitrary code. The vulnerability can be exploited by an attacker acting remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BMC Track-It! version 20.21.01.102 **Description** This issue allows remote attackers to bypass authentication on affected installations. The flaw exists within the authorization of HTTP requests due to the lack of authentication prior to allowing access to functionality. An attacker can leverage this to bypass authentication on the system. **Recommendations** For version 20.21.01.102, consider restricting access to the HTTP module to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and strengthen the authorization of HTTP requests to ensure proper authentication is required before allowing access to functionality.