Win3Zz

Rank: #11526 of 53,624 · Total CVSS: 23.9
Vulnerabilities: 3 (Medium: 1, High: 1, Critical: 1)
PT-2026-6803 · CVSS 10 · 2026-01-31 · BeyondTrust · BeyondTrust Remote Support · CVE-2026-1731
**Name of the Vulnerable Software and Affected Versions**

BeyondTrust Remote Support versions prior to 25.3.2
BeyondTrust Privileged Remote Access versions prior to 25.1.1

**Description**

BeyondTrust Remote Support and Privileged Remote Access contain a critical pre-authentication remote code execution flaw. The issue stems from an OS command injection weakness in a Bash script named `thin-scc-wrapper` that improperly handles the `remoteVersion` parameter during client-server negotiations. An unauthenticated remote attacker can exploit this by sending specially crafted requests to the `/get portal info` endpoint to extract the `x-ns-company` value and subsequently establish a WebSocket channel via the `/nw` endpoint to execute arbitrary operating system commands in the context of the site user.

This issue has been actively exploited in global campaigns targeting the finance, healthcare, legal, and technology sectors across the US, France, Germany, Australia, and Canada. Attackers have used this flaw to deploy web shells, backdoors such as `VShell` and `SparkRAT`, and other remote monitoring tools like `SimpleHelp` and `AnyDesk` to achieve persistence, perform lateral movement, and exfiltrate sensitive data, including full PostgreSQL database dumps. The flaw has also been weaponized in ransomware attacks. Approximately 11,000 exposed instances were identified worldwide.

**Recommendations**

Update BeyondTrust Remote Support to version 25.3.2 or later, or apply patch BT26-02-RS. Update BeyondTrust Privileged Remote Access to version 25.1.1 or later, or apply patch BT26-02-PRA. As a temporary mitigation, take the portal offline or restrict access to internal IP addresses to minimize the risk of exploitation.
PT-2023-5865 · CVSS 7.8 · 2023-10-01 · Milesight · Milesight UR32L · CVE-2023-43261
**Name of the Vulnerable Software and Affected Versions**

Milesight UR5X, UR32L, UR32, UR35, UR41 versions prior to 35.3.0.7

**Description**

An information disclosure issue exists in Milesight routers that allows attackers to access sensitive router components. Reports indicate that approximately 19,000 Milesight routers with exposed APIs have been identified, with at least 572 publicly accessible without authentication. The vulnerability has been exploited in real-world attacks, primarily in Europe (Sweden, Italy, Belgium), to send SMS spam containing phishing links.

The vulnerability allows attackers to view system logs and thereby locate and compromise administrator passwords. These compromised credentials can then be used to abuse the router's SMS API to send malicious messages. The API can be exploited either because of misconfigurations or because of the vulnerability itself. The attackers are leveraging the SMS notification feature commonly found in industrial routers to send spam messages. Some malicious URLs include JavaScript that checks for mobile access before delivering harmful content. Connections to a Telegram bot named GroozaBot have also been observed. The `SMS API` is being abused in these attacks.

**Recommendations**

Update Milesight UR5X, UR32L, UR32, UR35, and UR41 routers to version 35.3.0.7 or later. Restrict access to the `SMS API` to prevent unauthorized use. Ensure proper configuration of the SMS notification feature to prevent abuse. Monitor system logs for suspicious activity. Change default administrator passwords to strong, unique credentials. Disable the SMS notification feature if it is not required.