Latest Zero-Day Attacks and Exploits — 2023

Ajith Chandran
Oct 17, 2023

A zero-day (0-day) vulnerability is a security flaw that becomes known, or is exploited, before the vendor has published a patch or mitigation: the vendor has had "zero days" to fix it. Such flaws are dangerous precisely because routine patch management cannot stop them. An exploit for an unpatched bug works against a fully updated system, so until a fix ships defenders must rely on compensating controls such as reducing the exposed attack surface, applying vendor workarounds, and monitoring for signs of exploitation.

The situation is akin to a pathogen for which there is no vaccine: organizations remain exposed until the underlying vulnerability is addressed, and the window between first in-the-wild exploitation and patch availability is when attackers have the freest hand.

This write-up summarizes the latest zero-day vulnerabilities and exploits as of mid-October 2023, with each entry's status at the time of writing. Every entry records the severity, whether a patch is available, the CVE and CWE identifiers, the exploitation vector, confirmation of in-the-wild exploitation, the affected products and versions, a description of the flaw, and the recommended mitigation.

1. Cisco IOS XE Web UI Privilege Escalation (CVE-2023-20198)

Published: 2023-10-17
Risk: Critical
Patch Availability: NO (at the time of writing)
CVE-ID: CVE-2023-20198
CWE-ID: CWE-269 (Improper Privilege Management)
Exploitation Vector: Network
Exploited in the Wild: Yes

Vulnerable Software:

  • Cisco IOS XE (operating system) with the web UI feature enabled

Vendor: Cisco Systems, Inc.

Description:
A critical vulnerability, CVE-2023-20198, affects the web UI feature of Cisco IOS XE. Because of improper privilege management in the web UI, an unauthenticated remote attacker can send a specially crafted HTTP request and create a local account with privilege level 15, the highest privilege level on the device. With that account the attacker has full administrative control of the router or switch and can change its configuration, install further code, or pivot into the network behind it. Cisco reports active exploitation in the wild. Only devices whose HTTP server feature (HTTP or HTTPS) is reachable by the attacker are exposed; the feature is enabled by the "ip http server" and "ip http secure-server" configuration commands.

Mitigation:
No fixed software was available at the time of writing. Cisco's advisory recommends disabling the HTTP server feature on all internet-facing devices ("no ip http server" and "no ip http secure-server", then save the configuration), or restricting access to it to trusted management networks, until a fix is released. Administrators should also review the running configuration and logs for local accounts they did not create, in particular unexpected privilege-15 users; Cisco Talos additionally published a check for the implant seen in these attacks, an HTTP POST to /webui/logoutconfirm.html?logon_hash=1 on the device that returns a hexadecimal string when the implant is present. Keep monitoring Cisco's advisory for the fixed releases.

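As an added example (not from the original article or from Cisco), the following Python script audits an IOS XE running-config excerpt for the two things a defender needs to know about CVE-2023-20198: whether the web UI is exposed over HTTP or HTTPS, and whether any privilege-15 local users exist that the team did not create. The configuration text is constructed for the example; the "cisco_tac_admin" account name is one Cisco Talos reported the attackers creating, and the "active-session-modules none" exception follows the wording of Cisco's advisory. Function and class names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of "show running-config" for the example; not a real device.
# "cisco_tac_admin" is a username Cisco Talos reported the attackers creating.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username helpdesk privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)


@dataclass
class WebUiAudit:
    http_exposed: bool
    https_exposed: bool
    privilege15_users: list[str]
    unexpected_privilege15: list[str]
    remediation: list[str]

    @property
    def exposed(self) -> bool:
        return self.http_exposed or self.https_exposed


def audit_webui(config: str, known_admins: set[str]) -> WebUiAudit:
    """Report whether the IOS XE web UI is reachable and which privilege-15
    accounts exist beyond the ones the team knows about."""
    lines = {line.strip() for line in config.splitlines()}
    # The web UI is served only while the HTTP server feature is enabled.
    # Cisco's advisory adds one exception: with "ip http active-session-modules none"
    # (HTTP) or "ip http secure-active-session-modules none" (HTTPS) the listener
    # stays up but the web UI is not served, so the bug is not exploitable over
    # that protocol.
    http_exposed = ("ip http server" in lines
                    and "ip http active-session-modules none" not in lines)
    https_exposed = ("ip http secure-server" in lines
                     and "ip http secure-active-session-modules none" not in lines)

    privilege15 = [name for name, level in USERNAME_RE.findall(config) if int(level) == 15]
    unexpected = sorted(set(privilege15) - set(known_admins))

    remediation: list[str] = []
    if http_exposed:
        remediation.append("no ip http server")
    if https_exposed:
        remediation.append("no ip http secure-server")
    if remediation:
        remediation.append("copy running-config startup-config")
    for user in unexpected:
        # IOS comment syntax ("!") so the line is safe to paste but not executed blindly.
        remediation.append(f"! unexpected privilege-15 user, remove if unauthorized: no username {user}")
    return WebUiAudit(http_exposed, https_exposed, privilege15, unexpected, remediation)


if __name__ == "__main__":
    result = audit_webui(SAMPLE_CONFIG, known_admins={"netops"})
    print("web UI exposed:", result.exposed)
    print("unexpected privilege-15 users:", result.unexpected_privilege15)
    print("\n".join(result.remediation))
```

Run it against the output of "show running-config" collected from each device; the remediation lines are the advisory's interim workaround and are safe to paste into configuration mode, while the "!" lines are only prompts for a human to review. An unexpected privilege-15 account on an exposed device is reason to treat the device as compromised, not merely unpatched.
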
2. Microsoft WordPad NTLM Hash Disclosure (CVE-2023-36563)

Published: 2023-10-10
Risk: High
Patch Availability: YES
CVE-ID: CVE-2023-36563
CWE-ID: CWE-200 (Information Exposure)
Exploitation Vector: Network
Exploited in the Wild: Yes

Vulnerable Software:

  • Windows 10 through Windows 11 22H2
  • Windows Server 2008 through Windows Server 2022, and Windows Server, version 20H2

Vendor: Microsoft

Description:
CVE-2023-36563 is an information disclosure flaw in Microsoft WordPad. When a victim opens a specially crafted document, WordPad can be induced to authenticate to a server the attacker controls, leaking the NTLM hash of the logged-on user. The attacker can crack the hash offline or relay it to other services that still accept NTLM, turning a single opened file into an authentication compromise. Microsoft confirmed that the flaw was publicly disclosed and exploited before the fix was released.

Mitigation:
Install the October 2023 security updates from Microsoft. As defense in depth against this whole class of hash-leak bugs, block outbound SMB (TCP 445) from workstations to the internet at the perimeter, add privileged accounts to the Protected Users security group, and restrict or audit NTLM with the "Network security: Restrict NTLM" policies; these limit what an attacker can do with a leaked hash even if a user opens a malicious file.

External Links:
For further details, refer to Microsoft's security advisory for CVE-2023-36563.

3. Skype for Business Server Information Disclosure (CVE-2023-41763)

Published: 2023-10-10
Risk: High
Patch Availability: YES
CVE-ID: CVE-2023-41763
CWE-ID: CWE-200 (Information Exposure)
Exploitation Vector: Network
Exploited in the Wild: Yes

Vulnerable Software:

  • Skype for Business Server (conferencing, collaboration and VoIP server application)

Vendor: Microsoft

Description:
An unauthenticated remote attacker can send a specially crafted network request to a Skype for Business Server and cause it to issue an HTTP request to an address of the attacker's choosing; the server's response then reveals more than it should, including internal IP addresses, port numbers, or both. Microsoft tracks the bug as an elevation of privilege because the leaked information helps an attacker reach systems behind the server, but the direct impact is information disclosure. Microsoft confirmed exploitation in the wild before the October 2023 update.

Mitigation:
Install the available security update from Microsoft. Skype for Business Server is commonly internet-facing, so also review which of its interfaces are reachable from outside and restrict them to what clients actually need.

Vulnerable Software Versions:

  • Skype for Business Server: before 7.0.246.530

4. Confluence Data Center and Server Privilege Escalation (CVE-2023-22515)

Published: 2023-10-05
Risk: Critical
Patch Availability: YES
CVE-ID: CVE-2023-22515
CWE-ID: CWE-287 (Improper Authentication)
Exploitation Vector: Network
Exploited in the Wild: Yes

Vulnerable Software:

  • Confluence Server and Data Center (server application)

Vendor: Atlassian

Description:
An improper-authentication flaw lets a remote, unauthenticated attacker reach the setup endpoint "/setup/setupadministrator.action", which is only supposed to be usable during first-time installation, on a Confluence Data Center or Server instance that has already completed setup. By sending specially crafted requests to it, the attacker creates a new administrator account and logs in with full administrative rights; from there, uploading a malicious app gives code execution on the server. Atlassian rates the issue critical and reported that it was exploited as a zero-day against a small number of customers before the fix was released. Versions before 8.0.0 and Atlassian Cloud sites are not affected.

Mitigation:
Upgrade to a fixed version (8.3.3, 8.4.3, 8.5.2 or later). Instances that cannot be upgraded immediately should be taken off the internet or have network access to the /setup/* endpoints blocked at a reverse proxy. Atlassian also advises checking for indicators of compromise: unexpected members of the confluence-administrator group, unexpected newly created user accounts, and requests to /setup/*.action in access logs. An instance showing these should be treated as compromised, since patching does not remove accounts an attacker already created.

Vulnerable Software Versions:

  • Confluence Server and Data Center: 8.0.0 - 8.5.1

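As an added example that is not part of the original article or of Atlassian's own tooling, this Python snippet performs two checks a practitioner wants for CVE-2023-22515: a version gate built from Atlassian's fixed releases (8.3.3, 8.4.3, 8.5.2), and a scan of Tomcat-style access logs for requests to the /setup/*.action endpoints, which Atlassian lists as an indicator of compromise on an instance that finished setup long ago. The log lines and all function names are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed releases per Atlassian's advisory. 8.0.x through 8.2.x received no
# fixed build, 8.6.0 and later were never affected, nor was anything before 8.0.0.
FIXED_BY_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_AFFECTED = (8, 0, 0)
FIRST_UNAFFECTED = (8, 6, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Confluence version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if this Confluence Server/Data Center version is affected by CVE-2023-22515."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is None or v < fixed


# Constructed Tomcat-style access log lines (illustration only).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [05/Oct/2023:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.77 - - [05/Oct/2023:10:03:45 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.77 - - [05/Oct/2023:10:04:02 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0
203.0.113.10 - - [05/Oct/2023:10:05:00 +0000] "GET /rest/api/content?limit=5 HTTP/1.1" 200 8870
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any setup action, with or without a query string.
SETUP_RE = re.compile(r"^/setup/[^?]*\.action")


@dataclass(frozen=True)
class SetupHit:
    timestamp: str
    src: str
    method: str
    path: str
    status: int


def find_setup_requests(log_text: str) -> list[SetupHit]:
    """Return every request to /setup/*.action. On an instance that completed
    setup long ago, any such request is an indicator of compromise."""
    hits: list[SetupHit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line; skip rather than crash
        if SETUP_RE.match(m["path"]):
            hits.append(SetupHit(m["ts"], m["src"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ver in ("8.5.1", "8.5.2", "8.2.0", "7.19.14"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "not affected")
    for hit in find_setup_requests(SAMPLE_ACCESS_LOG):
        print(f"{hit.timestamp} {hit.src} {hit.method} {hit.path} -> {hit.status}")
```

A 302 response to the setup POST is not reassuring: it is what Confluence returns on success, so every hit should be followed by a review of the user directory and the confluence-administrator group for accounts created around that timestamp.
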
5. Google Pixel Privilege Escalation in the Arm Mali GPU Driver (CVE-2023-4211)

Published: 2023-09-18
Risk: High
Patch Availability: YES
CVE-ID: CVE-2023-4211
CWE-ID: CWE-416 (Use After Free)
Exploitation Vector: Local
Exploited in the Wild: Yes

Vulnerable Software:

  • Pixel (mobile firmware and hardware)

Vendor: Google (the flaw is in Arm's Mali GPU kernel driver, which Pixel devices with Google Tensor chips use)

Description:
A use-after-free in the Arm Mali GPU kernel driver allows a local, unprivileged application to perform improper GPU memory-processing operations that leave the driver working with already freed memory. By triggering the bug from a malicious app and shaping the freed memory, an attacker can corrupt kernel memory and execute code with kernel privileges, escaping the Android application sandbox. Exploitation requires code already running on the device (a sideloaded app or a prior browser exploit), which is why GPU driver bugs like this typically appear as the second stage of a targeted exploit chain. Arm reported evidence of limited, targeted exploitation in the wild.

Mitigation:
Install the available security update from Google. Other Android devices with Mali GPUs need their own vendor's update; Arm fixed the bug in the Bifrost, Valhall and 5th Gen GPU Architecture kernel driver release r43p0. Until a device is patched, avoid installing apps from outside the official store.

Vulnerable Software Versions:

  • Pixel: before 2023-09-01

6. Trend Micro Apex One and Worry-Free Business Security Privilege Escalation (CVE-2023-41179)

Published: 2023-09-19
Risk: High
Patch Availability: YES
CVE-ID: CVE-2023-41179
CWE-ID: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Exploitation Vector: Local
Exploited in the Wild: Yes

Vulnerable Software:

  • Apex One (endpoint antivirus)
  • Worry-Free Business Security (endpoint security for small businesses)

Vendor: Trend Micro

Description:
The third-party antivirus uninstaller module bundled with Apex One and Worry-Free Business Security (the component that removes other vendors' security products during deployment) does not properly validate its input. An attacker who can reach the product's administrative console can manipulate the module into running arbitrary OS commands with the elevated privileges of the product. Because endpoint-protection software runs as a highly privileged service, command injection in such a component hands the attacker control of the endpoint. Trend Micro reported observing at least one attempt to exploit the flaw in the wild.

Mitigation:
Apply the vendor's fixes: Apex One 2019 Service Pack 1 Patch 1 (build 12380), Worry-Free Business Security 10.0 SP1 Patch 2495, and the corresponding monthly patch for the SaaS editions (Apex One as a Service and Worry-Free Business Security Services). Also restrict network access to the management console to trusted administrator hosts, since reaching it is a precondition for the attack.

Vulnerable Software Versions:

  • Apex One: 2019 - SP1 b11564
  • Worry-Free Business Security: 9.5 - xg

7. Microsoft Streaming Service Proxy Privilege Escalation (CVE-2023-36802)

Published: 2023-09-12
Risk: High
Patch Availability: YES
CVE-ID: CVE-2023-36802
CWE-ID: CWE-119 (Memory Corruption)
Exploitation Vector: Local
Exploited in the Wild: Yes

Vulnerable Software:

  • Windows (operating system)
  • Windows Server (operating system)

Vendor: Microsoft

Description:
The Microsoft Streaming Service Proxy is a kernel-mode driver (mskssrv.sys) that ships with Windows. A memory-corruption bug in the driver lets a local, low-privileged user send crafted requests to it, corrupt kernel memory, and execute arbitrary code with SYSTEM privileges. As a local privilege escalation the bug gives no initial access by itself; it is the kind of component an attacker chains after a phishing payload or browser exploit to take over the whole host. Microsoft confirmed exploitation in the wild before the September 2023 update.

Mitigation:
Install the September 2023 (or later) security updates from Microsoft. For hosts that cannot be patched immediately, reducing local code-execution opportunities (application control, removing local administrator rights, blocking untrusted executables) narrows the chances an attacker gets the local foothold the bug requires.

Vulnerable Software Versions:

  • Windows 10 through Windows 11 22H2
  • Windows Server 2019 through Windows Server 2022, and Windows Server, version 20H2

8. Microsoft Word Information Disclosure (CVE-2023-36761)

Published: 2023-09-12
Risk: High
Patch Availability: YES
CVE-ID: CVE-2023-36761
CWE-ID: CWE-200 (Information Exposure)
Exploitation Vector: Network
Exploited in the Wild: Yes

Vulnerable Software:

  • Microsoft Office (office applications)
  • Microsoft Word (office applications)
  • Microsoft 365 Apps for Enterprise (client software)

Vendor: Microsoft

Description:
Microsoft Word can be made to disclose the NTLM hash of the current user to a remote server. A remote attacker sends the victim a specially crafted document; when the victim opens it, or merely previews it in the Outlook or Explorer Preview Pane, Word initiates an authentication to the attacker's server and leaks the user's NTLM hash, which can then be cracked offline or relayed. Microsoft lists the Preview Pane as an attack vector, so the user does not even have to open the file. Microsoft confirmed public disclosure and exploitation in the wild before the September 2023 update.

Mitigation:
Install the September 2023 security updates for Office and Microsoft 365 Apps. The same network controls that apply to the WordPad NTLM leak in entry 2 (block outbound SMB on TCP 445 at the perimeter, restrict NTLM, protect privileged accounts) reduce the impact of this bug until every client is patched.

Vulnerable Software Versions:

  • Microsoft Office: 365 - 2019
  • Microsoft Word: before 16.0.5413.1000
  • Microsoft 365 Apps for Enterprise: before 16.0.5413.1000

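Both the WordPad bug (entry 2) and this Word bug behave the same way on the network: the victim's machine initiates an outbound SMB (or NetBIOS session) connection, carrying NTLM authentication, to a host the attacker controls. As an added example that is not part of the original article or of any Microsoft tooling, the following Python script scans key=value firewall log lines (constructed for the example; the format and field names are assumptions) for internal hosts connecting to TCP 445 or 139 on external addresses, which is the signature of a triggered hash leak whether or not the firewall allowed the connection.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1918 space; replace with the organisation's real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a Windows client uses when it authenticates to a UNC path: SMB direct and NetBIOS session.
SMB_PORTS = {445, 139}

# Constructed firewall log lines in a key=value style (illustration only).
SAMPLE_FIREWALL_LOG = """\
2023-10-10T09:12:01Z src=10.20.5.17 dst=10.20.5.9 proto=tcp dport=445 action=allow
2023-10-10T09:12:44Z src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=445 action=allow
2023-10-10T09:13:02Z src=10.20.5.22 dst=198.51.100.7 proto=tcp dport=443 action=allow
2023-10-10T09:14:10Z src=10.20.7.3 dst=198.51.100.9 proto=tcp dport=139 action=deny
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class SmbEgressAlert:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str


def is_internal(ip_text: str) -> bool:
    """Membership test against an explicit allow-list of internal ranges, rather
    than ipaddress.is_private, which also treats documentation ranges as private."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    fields["timestamp"] = parts[0]
    return fields


def find_smb_egress(log_text: str) -> list[SmbEgressAlert]:
    """Flag internal hosts talking SMB/NetBIOS to external addresses.
    A denied attempt is kept too: the client already tried to authenticate,
    so a user on that host opened something that pointed at the attacker."""
    alerts: list[SmbEgressAlert] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("proto") != "tcp":
            continue
        try:
            dport = int(f["dport"])
            src, dst = f["src"], f["dst"]
        except (KeyError, ValueError):
            continue  # incomplete record; skip rather than crash the scan
        if dport not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            alerts.append(SmbEgressAlert(f["timestamp"], src, dst, dport, f.get("action", "?")))
    return alerts


if __name__ == "__main__":
    for a in find_smb_egress(SAMPLE_FIREWALL_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst}:{a.dport} ({a.action})")
```

Windows falls back to WebDAV over TCP 80/443 when SMB is blocked, and that fallback is invisible to a port filter, so pair this check with NTLM auditing (the "Network security: Restrict NTLM" audit policies) on the endpoints themselves.
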
9. Adobe Acrobat and Reader Remote Code Execution (CVE-2023-26369)

Published: 2023-09-12
Risk: Critical
Patch Availability: YES
CVE-ID: CVE-2023-26369
CWE-ID: CWE-787 (Out-of-bounds Write)
Exploitation Vector: Network
Exploited in the Wild: Yes

Vulnerable Software:

  • Adobe Acrobat Reader (office applications)
  • Adobe Acrobat (office applications)

Vendor: Adobe

Description:
An out-of-bounds write occurs in Acrobat and Acrobat Reader while processing a malformed PDF. A remote attacker crafts a PDF, convinces the victim to open it (as an email attachment or a download), and triggers the out-of-bounds write to corrupt memory and execute arbitrary code in the context of the current user. Adobe's bulletin APSB23-34 states that the flaw was exploited in the wild in limited attacks targeting Acrobat and Reader. Because PDF readers are installed on almost every workstation and documents routinely cross trust boundaries, a reliable Reader exploit is a high-value initial-access vector.

Mitigation:
Update to the fixed versions from Adobe (Acrobat DC and Acrobat Reader DC 23.006.20320; Acrobat 2020 and Acrobat Reader 2020 20.005.30524) or later. Protected View and the Reader sandbox reduce, but do not eliminate, the impact of a successful exploit, so they are not a substitute for the update.

Vulnerable Software Versions:

  • Adobe Reader: 20.005.30331 - 2020.013.20074
  • Adobe Acrobat: 15.006.30306 - 23.003.20284

10. Google Chrome Remote Code Execution via libwebp (CVE-2023-4863, CVE-2023-5129)

Published: 2023-09-11 | Updated: 2023-09-27
Risk: Critical
Patch Availability: YES
CVE-ID: CVE-2023-4863 (CVE-2023-5129 was assigned to the same libwebp bug and later rejected as a duplicate)
CWE-ID: CWE-122 (Heap-based Buffer Overflow)
Exploitation Vector: Network
Exploited in the Wild: Yes (CVE-2023-4863)

Vulnerable Software:

  • Google Chrome (web browser)

Vendor: Google

Description:
The bug is a heap-based buffer overflow in libwebp, the WebP image library that Chrome and many other products bundle. The flaw is in the lossless (VP8L) decoder: a crafted image can declare a Huffman code table that makes libwebp's table-building routine (BuildHuffmanTable) write past the end of the heap buffer allocated for it. A remote attacker only needs the victim to load a malicious WebP image, for example on a web page or in a message, to trigger the overflow and execute arbitrary code in the renderer; chained with a sandbox escape this gives complete compromise of the system. Google reported that an exploit exists in the wild; the bug was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab. Because the vulnerable code lives in libwebp rather than in Chrome, every application that embeds the library is affected: other browsers, Electron-based desktop apps, image-processing libraries and messaging clients, each of which needs its own update.

Mitigation:
Update Chrome to 116.0.5845.187/.188 or later, and update every other application that bundles libwebp (the upstream fix is libwebp 1.3.2). Inventory software that statically links libwebp, since those copies are not fixed by updating the system library.

Vulnerable Software Versions:

  • Google Chrome: 100.0.4896.60 - 116.0.5845.180

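As an added example (not from the original article, from Google or from libwebp), the following Python parser reads the WebP RIFF container without decoding any pixels, recovers the image format and dimensions, and reports whether decoding the file would run libwebp's lossless (VP8L) code path, which is where the CVE-2023-4863 Huffman-table overflow lives. A mail gateway or upload handler can use that to quarantine lossless WebP from untrusted sources until every libwebp consumer is patched. The two sample files are constructed inline: the container and bitstream headers are valid, the pixel data is filler, and all function names are the example's own.

```python
from __future__ import annotations

import struct

VP8L_SIGNATURE = 0x2F  # first byte of every VP8L (lossless) bitstream


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """RIFF chunk: fourcc, little-endian size, payload padded to an even length."""
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WEBP" + chunks


# Constructed 1x1 lossless image with alpha: signature byte, then a 32-bit field
# holding 14-bit width-1, 14-bit height-1, the alpha flag and a 3-bit version (0).
_VP8L_HEADER = bytes([VP8L_SIGNATURE]) + struct.pack("<I", (1 - 1) | ((1 - 1) << 14) | (1 << 28))
SAMPLE_LOSSLESS = _riff(_chunk(b"VP8L", _VP8L_HEADER + b"\x00\x00\x00"))

# Constructed 16x16 lossy key frame: 3-byte frame tag (bit 0 = 0 means key frame),
# start code 9D 01 2A, then 16-bit width and height (low 14 bits each).
_VP8_HEADER = b"\x00\x00\x00" + b"\x9d\x01\x2a" + struct.pack("<HH", 16, 16)
SAMPLE_LOSSY = _riff(_chunk(b"VP8 ", _VP8_HEADER))


def parse_webp(data: bytes) -> dict:
    """Walk the top-level chunks of a WebP file and describe its bitstream."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP (RIFF/WEBP) file")
    end = 8 + struct.unpack_from("<I", data, 4)[0]
    if end > len(data):
        raise ValueError("RIFF size exceeds file length (truncated file)")
    info = {"format": None, "width": None, "height": None, "chunks": [], "lossless_alpha": False}
    off = 12
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        payload = data[off + 8:off + 8 + size]
        if len(payload) != size:
            raise ValueError(f"chunk {fourcc!r} truncated")
        info["chunks"].append(fourcc.decode("latin-1"))
        if fourcc == b"VP8L" and info["format"] is None:
            if size < 5 or payload[0] != VP8L_SIGNATURE:
                raise ValueError("bad VP8L header")
            bits = struct.unpack_from("<I", payload, 1)[0]
            if bits >> 29:
                raise ValueError("unsupported VP8L version")
            info.update(format="VP8L", width=(bits & 0x3FFF) + 1, height=((bits >> 14) & 0x3FFF) + 1)
        elif fourcc == b"VP8 " and info["format"] is None:
            if size < 10 or payload[0] & 1 or payload[3:6] != b"\x9d\x01\x2a":
                raise ValueError("bad VP8 key frame header")
            w, h = struct.unpack_from("<HH", payload, 6)
            info.update(format="VP8", width=w & 0x3FFF, height=h & 0x3FFF)
        elif fourcc == b"ALPH" and size >= 1 and (payload[0] & 0x03) == 1:
            # ALPH compression method 1: the alpha plane is itself a VP8L bitstream.
            info["lossless_alpha"] = True
        off += 8 + size + (size & 1)  # skip the padding byte of odd-sized chunks
    if info["format"] is None:
        raise ValueError("no VP8/VP8L bitstream chunk found")
    return info


def uses_lossless_decoder(info: dict) -> bool:
    """True if decoding runs libwebp's VP8L path (lossless image, or lossy image
    whose alpha plane is VP8L-compressed), the code affected by CVE-2023-4863."""
    return info["format"] == "VP8L" or info["lossless_alpha"]


if __name__ == "__main__":
    for name, blob in (("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY)):
        i = parse_webp(blob)
        print(name, i["format"], f'{i["width"]}x{i["height"]}', "VP8L path:", uses_lossless_decoder(i))
```

The walk covers top-level chunks only; frames of an animated file nest their own VP8 or VP8L bitstreams inside ANMF chunks, so an animated WebP should be treated as lossless unless each frame is inspected. The check is a triage aid, not a fix: the only remedy is updating every copy of libwebp.
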
I express my gratitude to https://www.cybersecurity-help.cz/ for providing a reference for this research.

Thanks for exploring this with me. You can connect with me on LinkedIn at linkedin.com/in/ajithchandranr
