The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Introduction
Welcome to the February 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. This month’s attack data, at least for the most-seen attacks, looks much like that of recent months. We continued to tweak our approach to threat hunting this month and managed to find 27 new-to-us CVEs buried in low-volume traffic.
New CVE Signatures
Some of these you may recognize, such as CVE-2018-7600 (AKA “Drupalgeddon 2”), which was a very major issue when it came out. That we still see scans for this vulnerability, albeit at very low levels, may surprise some readers. We assume that this is most likely due to off-the-shelf vulnerability scanner activity, which may include payloads for many older vulnerabilities. It is, however, interesting to note that while none of these CVEs showed very high levels of activity, they all had at least some.
Cross Site Scripting (XSS) CVEs
- CVE-2005-3129 (Squirrelmail)
- CVE-2009-1872 (Adobe Cold Fusion)
- CVE-2011-4926 (Adminize WordPress plugin)
- CVE-2014-4535 (Import Legacy Media WordPress plugin)
- CVE-2016-1000149 (simpel-reserveren WordPress plugin)
- CVE-2020-17453 (WSO2 Management Console)
- CVE-2020-27982 (IceWarp)
- CVE-2020-9344 (Subversion ALM)
- CVE-2021-21801 (Advantech R-SeeNet)
- CVE-2021-38702 (Cyberoam NetGenie devices)
- CVE-2022-0653 (Profile Builder – User Profile & User Registration Forms WordPress plugin)
- CVE-2022-22954 (VMware Workspace ONE Access and Identity Manager)
Remote Code Execution (RCE) CVEs
- CVE-2018-7600 (Drupal)
- CVE-2010-0219 (Apache Axis)
- CVE-2012-1823 (PHP)
- CVE-2015-2051 (D-Link DIR-645 Wired Wireless Router)
- CVE-2015-8562 (Joomla!)
- CVE-2020-24949 (PHP-Fusion)
- CVE-2021-25003 (WPCargo Track and Trace WordPress plugin)
- CVE-2022-0885 (Member Hero WordPress plugin)
Directory Traversal CVEs
- CVE-2015-4074 (Helpdesk Pro plugin for Joomla!)
- CVE-2018-20463 (JSmol2WP WordPress plugin)
- CVE-2022-40734 (UniSharp laravel-filemanager)
Unauthorized Data Access CVEs
- CVE-2019-2588 (BI Publisher component of Oracle Fusion Middleware)
SQL Injection CVEs
- CVE-2020-22211 (74cms)
- CVE-2023-25651 (ZTE mobile internet products)
With all that out of the way, let’s get to the numbers.
February Vulnerabilities by the Numbers
Figure 1 shows February attack traffic for the top ten CVEs that we track. CVE-2020-11625, which jumped to the top of our list last month, has remained there this month. This vulnerability has shown some odd patterns, having exactly the same number of requests in November and December 2023, before jumping up 250% to nearly 5700 connections in January, and now falling off to 3732 connections this month. This is a vulnerability in a few different web-enabled video security cameras from the brand AvertX. In other words, this is yet another IoT vulnerability, supporting the ongoing trend of IoT scanning and exploitation in our passive sensors. CVE-2020-8958, a perennial top scorer, fell several places this month, and CVE-2017-9841, an old but critical vulnerability in PHPUnit, replaces it in the number two spot.
Leaving the top ten, Table 1 shows the traffic volume for the top 19 vulnerabilities that we’re tracking, along with the change from the previous month, CVSS score, and EPSS score. For high-traffic CVEs, the percent change is usually instructive. We limited the table in this way in part because it was getting so large as to not be very useful, as well as being somewhat confusing for a quick visual scan, since small changes in low-traffic vulnerabilities would show very large percentage changes.
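The table-building step described above, as an added example that is not part of the original article or of the Sensor Intel Series tooling: given per-CVE hit counts for two months, rank the CVEs by current-month volume, keep the top N, and compute the month-over-month percent change. The counts below are constructed placeholders, not sensor telemetry, and the low-volume threshold is an assumed value chosen to show why a percent change on a handful of requests should be flagged rather than read at face value.

```python
"""Rank sensor hits per CVE and compute month-over-month percent change.

Added illustration; the counts below are constructed placeholders, not
Sensor Intel Series data. The low-volume threshold is an assumption.
"""
from __future__ import annotations

# Constructed hit counts per CVE for two consecutive months (placeholders).
PREV_MONTH = {
    "CVE-2020-11625": 5700,
    "CVE-2020-8958": 2900,
    "CVE-2017-9841": 2100,
    "CVE-2018-7600": 3,
    "CVE-2005-3129": 1,
}
CUR_MONTH = {
    "CVE-2020-11625": 3732,
    "CVE-2020-8958": 1800,
    "CVE-2017-9841": 2400,
    "CVE-2018-7600": 9,
    "CVE-2005-3129": 0,
}

# Assumed floor below which a percent change is treated as unreliable.
LOW_VOLUME_FLOOR = 100


def pct_change(prev: int, cur: int) -> float | None:
    """Percent change from prev to cur; None when prev is 0 (undefined)."""
    if prev == 0:
        return None
    return (cur - prev) / prev * 100.0


def change_table(prev: dict[str, int], cur: dict[str, int],
                 top_n: int = 10,
                 low_volume: int = LOW_VOLUME_FLOOR) -> list[dict]:
    """Rows for the top_n CVEs by current-month volume.

    Each row carries the percent change plus a `low_volume` flag. When either
    month's count sits below `low_volume`, the percentage is still computed
    but flagged: three hits becoming nine is a 200% jump that says nothing
    about a trend, which is the distortion the article's table avoids.
    """
    rows = []
    for cve in set(prev) | set(cur):
        p, c = prev.get(cve, 0), cur.get(cve, 0)
        rows.append({
            "cve": cve,
            "prev": p,
            "cur": c,
            "pct_change": pct_change(p, c),
            "low_volume": p < low_volume or c < low_volume,
        })
    # Highest current-month volume first; CVE id breaks ties deterministically.
    rows.sort(key=lambda r: (-r["cur"], r["cve"]))
    return rows[:top_n]


def render(rows: list[dict]) -> str:
    """Plain-text rendering of the table for a quick visual scan."""
    lines = [f"{'CVE':<16}{'prev':>8}{'cur':>8}{'change':>10}  note"]
    for r in rows:
        change = "n/a" if r["pct_change"] is None else f"{r['pct_change']:+.1f}%"
        note = "low volume, change unreliable" if r["low_volume"] else ""
        lines.append(f"{r['cve']:<16}{r['prev']:>8}{r['cur']:>8}{change:>10}  {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(change_table(PREV_MONTH, CUR_MONTH, top_n=5)))
```

Sorting by current volume rather than by percent change is the design choice that keeps the table readable: the CVEs a reader cares about are the ones generating traffic now, and the flag makes clear which percentages describe a trend and which describe noise.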