Watchtowr

**Name of the Vulnerable Software and Affected Versions** cPanel and WHM versions prior to 11.110.0.97 cPanel and WHM versions prior to 11.118.0.63 cPanel and WHM versions prior to 11.126.0.54 cPanel and WHM versions prior to 11.132.0.29 cPanel and WHM versions prior to 11.134.0.20 cPanel and WHM versions prior to 11.136.0.5 WP Squared versions prior to 136.1.7 **Description** A critical authentication bypass exists in the pre-authentication session logic of the `cpsrvd` service daemon. The issue stems from improper sanitization of the `Authorization` header, allowing a Carriage Return Line Feed (CRLF) injection—a technique where special characters (`r `) are used to split a single line of text into multiple lines. By sending a specially crafted Basic Authorization request, an unauthenticated remote attacker can inject arbitrary properties, such as `user=root`, into temporary session files stored on disk. By subsequently manipulating cookies and triggering a session reload, the attacker can trick the system into recognizing these injected values as valid, granting full root administrative access without a password. Approximately 1.5 to 2 million instances are estimated to be exposed worldwide. The flaw has been actively exploited by various actors, including the Sorry ransomware group and the threat actor Mr Rot13. Real-world impacts include the deployment of Golang-based ransomware, the installation of the Filemanager backdoor, and the theft of credentials via fake login pages. Attackers have also used the access to implant SSH public keys and deploy PHP webshells for remote command execution. **Recommendations** Update to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 as applicable. Update WP Squared to version 136.1.7 or later. As a temporary mitigation, block inbound traffic on ports '2082', '2083', '2086', '2087', '2095', and '2096' or restrict access to trusted static IP addresses via a VPN. As a temporary workaround, stop the `cpsrvd` or `cpdavd` services until patching is complete. Perform a full rotation of all root, WHM, reseller, and user passwords, as well as API tokens, SSL private keys, and SSH keys.

Name of the Vulnerable Software and Affected Versions: Arcserve Unified Data Protection (UDP) versions prior to 10.2 Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1 Arcserve Unified Data Protection (UDP) versions 7.x and earlier Description: An authentication bypass in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. Attackers can bypass login mechanisms without valid credentials and access administrator-level features by manipulating request parameters or exploiting a logic flaw. Recommendations: Upgrade to Arcserve Unified Data Protection (UDP) version 10.2. Apply the available patch for Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1. Upgrade to Arcserve Unified Data Protection (UDP) version 10.2 from versions 7.x and earlier.

Name of the Vulnerable Software and Affected Versions: Arcserve Unified Data Protection (UDP) versions prior to 10.2 Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1 Arcserve Unified Data Protection (UDP) versions 7.x and earlier Description: A reflected cross-site scripting (XSS) vulnerability exists in the web interface of Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim’s browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires user interaction and occurs within a shared browser context. Recommendations: Arcserve Unified Data Protection (UDP) versions prior to 10.2: Upgrade to version 10.2 to remediate the issue. Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1: Apply the necessary patch or upgrade to version 10.2. Arcserve Unified Data Protection (UDP) versions 7.x and earlier: Upgrade to version 10.2 to remediate the issue.

Name of the Vulnerable Software and Affected Versions: Arcserve Unified Data Protection (UDP) versions 7.x and earlier Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1 Arcserve Unified Data Protection (UDP) versions prior to 10.2 Description: A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote code execution. Exploitation occurs in the context of the affected process and does not require user interaction. The vulnerability poses a high risk due to its pre-authentication nature and potential for full compromise. Recommendations: Arcserve Unified Data Protection (UDP) versions 7.x and earlier: Upgrade to version 10.2 to remediate the issue. Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1: Apply the necessary patch or upgrade to version 10.2. Arcserve Unified Data Protection (UDP) versions prior to 10.2: Upgrade to version 10.2.

Name of the Vulnerable Software and Affected Versions: Arcserve Unified Data Protection (UDP) versions prior to 10.2 Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1 Arcserve Unified Data Protection (UDP) versions 7.x and earlier Description: A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). The flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. A remote attacker can send specially crafted data to corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. No user interaction is required, and exploitation occurs in the context of the vulnerable process. Recommendations: Arcserve Unified Data Protection (UDP) versions prior to 10.2: Upgrade to version 10.2 to remediate the issue. Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1: Apply the necessary patch or upgrade to version 10.2. Arcserve Unified Data Protection (UDP) versions 7.x and earlier: Upgrade to version 10.2 to remediate the issue.

**Name of the Vulnerable Software and Affected Versions** Commvault Command Center Innovation Release versions 11.38.0 through 11.38.19 **Description** A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue has been actively exploited, and it is recommended to patch immediately to prevent remote code execution. The vulnerability affects Commvault Command Center versions 11.38.0 to 11.38.19. Federal agencies have been directed to apply fixes by May 23, 2025. **Recommendations** For Commvault Command Center Innovation Release versions 11.38.0 through 11.38.19, update to version 11.38.20 or 11.38.25 to resolve the vulnerability. As a temporary workaround, consider restricting access to the vulnerable endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Kentico Xperience versions through 13.0.180 **Description** An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition. **Recommendations** For versions through 13.0.180, update to a version that includes a fix for this issue to prevent Denial-of-Service conditions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SysAid On-Prem versions 23.3.40 and earlier **Description** SysAid On-Prem is affected by an unauthenticated XML External Entity (XXE) issue in the Server URL processing functionality. This allows for administrator account takeover and file read operations. The issue is due to improper restriction of XML external entity references. Reports indicate active exploitation of this issue. **Recommendations** Versions prior to 23.3.40 should be updated.

**Name of the Vulnerable Software and Affected Versions** SysAid On-Prem versions 23.3.40 and earlier **Description** SysAid On-Prem software is affected by an unauthenticated XML External Entity (XXE) issue in the `lshw` processing functionality. Exploitation of this issue may allow a remote attacker to take control of administrator accounts and read files. The vulnerability resides in the `doPost` method of the `com.ilient.agentApi.LshwAgent` component when processing requests to the `/lshw` API endpoint. The issue involves improper restriction of XML references to external entities. The vulnerable parameter is not explicitly specified. **Recommendations** SysAid On-Prem versions 23.3.40 and earlier should be updated to a newer, fixed version.

**Name of the Vulnerable Software and Affected Versions** SysAid On-Prem versions 23.3.40 and earlier **Description** SysAid On-Prem is affected by an unauthenticated XML External Entity (XXE) issue in the Checkin processing functionality. This allows for administrator account takeover and file read capabilities. Multiple reports indicate this issue, identified as CVE-2025-2775, can be chained with other flaws to achieve remote code execution (RCE). The vulnerability resides in the improper restriction of XML external entity references, specifically when processing check-in requests. Exploitation involves submitting malicious XML payloads, potentially through the `/api/v1/servicenow` endpoint. The `XML` input is vulnerable. This allows attackers to potentially exfiltrate sensitive data. Several sources indicate the vulnerability is actively exploited. **Recommendations** Update SysAid On-Prem to version 24.4.60 b16 or later. As a temporary workaround, disable XXE processing. Monitor API logs for suspicious activity. Restrict access to the Checkin processing functionality.