Wöchentliches Briefing: Top 5 Hacker-relevante Schwachstellen
10.01.2025
ENTRYZERO
Alle 15 Minuten tritt eine neue Schwachstelle auf, was zu durchschnittlich etwa 650 neuen Schwachstellen pro Woche führt – eine überwältigende Rate, die schwer zu bewältigen ist. Die durchschnittlichen Kosten eines Sicherheitsvorfalls sind weltweit auf ein Rekordhoch von 4,45 Millionen US-Dollar gestiegen. Um Organisationen zu helfen, ihre Ressourcen effektiv zuzuweisen und sich auf die risikoreichsten Schwachstellen zu konzentrieren, entwickeln wir einen neuartigen, entscheidungsbaum-basierten Priorisierungsansatz. Dieser wird auf Basis von über 100.000 Schwachstellen- und Bedrohungsinformationen trainiert und erweitert Industriestandards wie CVSS und EPSS, um das Echtzeitrisiko und den Kontext neuer Schwachstellen besser zu erfassen (ein großes Dankeschön an VulnCheck für die Bereitstellung umfassender und aktueller CVE-Daten). In dieser Serie präsentieren wir die Top 5 Schwachstellen der Woche, basierend auf einem Teilbaum unseres Modells.
Product | Access Vector | Description | CVE | References
Calendar Week 02 2025
Aviatrix Controller | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-50603 | Details, PoC
WordPress GiveWP Donation Plugin and Fundraising Platform | Unauthenticated Remote Attack | PHP Object Injection Vulnerability | CVE-2024-8353 | Details, PoC
Ivanti Connect Secure, Policy Secure, and ZTA Gateways | Unauthenticated Remote Attack | Stack-Based Buffer Overflow Vulnerabilities | CVE-2025-0282, CVE-2025-0283 | Details
Oracle WebLogic Server | Unauthenticated Remote Attack | Improper Deserialization Vulnerability | CVE-2020-2883 | Details, PoC
SonicWall SonicOS SSLVPN | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-53704 | Details
Calendar Week 01 2025
Windows Lightweight Directory Access Protocol (LDAP) | Unauthenticated Remote Attack | Denial of Service Vulnerability | CVE-2024-49113 | Details, PoC
Apache Traffic Control | Authenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-45387 | Details, PoC
Oracle WebLogic Server | Unauthenticated Remote Attack | Java Naming and Directory Interface (JNDI) Injection Vulnerability | CVE-2024-21182 | Details, PoC
Progress WhatsUp Gold | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Authentication Bypass and LDAP Configuration | CVE-2024-12106, CVE-2024-12108 | Details
D-Link DIR-845L router | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-33112 | Details
Calendar Week 52 2024
Apache Tomcat | Unauthenticated Remote Attack | Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | CVE-2024-56337 | Details, PoC
Splunk Enterprise | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-36991 | Details, PoC
Craft CMS | Unauthenticated Remote Attack | Code Injection Vulnerability | CVE-2024-56145 | Details, PoC
libxml2 | Unauthenticated Remote Attack | External Entity Injection Vulnerability | CVE-2024-40896 | Details
Adobe ColdFusion | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-53961 | Details
Calendar Week 51 2024
Apache Tomcat | Unauthenticated Remote Attack | Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | CVE-2024-50379 | Details, PoC
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-12356 | Details
Spring Framework | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-38819 | Details, PoC
Sophos Firewall | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Code Injection, Weak Credentials and SQL Injection | CVE-2024-12727, CVE-2024-12728, CVE-2024-12729 | Details
Kerio Control | Unauthenticated Remote Attack | HTTP Response Splitting Vulnerability | CVE-2024-52875 | Details, PoC
Calendar Week 50 2024
Cleo Harmony, VLTrader and LexiCom | Unauthenticated Remote Attack | Unrestricted File Upload and Download Vulnerability | CVE-2024-50623 | Details, PoC
Ivanti Cloud Service Appliance | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-11639 | Details
WordPress Plugins - Widget Options, WP Umbrella, My Geo Posts | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Improper Input Sanitization, Arbitrary File Upload and Deserialization of Untrusted Data | CVE-2024-8672, CVE-2024-12209, CVE-2024-52433 | Details1, Details2, Details3, PoC1, PoC2, PoC3
Microsoft Windows LDAP and Common Log File Systems | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Remote Code Execution and Heap-based Buffer Overflow | CVE-2024-49112, CVE-2024-49138 | Details1, Details2
Apache Struts | Unauthenticated Remote Attack | Unrestricted File Upload Vulnerability | CVE-2024-53677 | Details
Calendar Week 49 2024
Zabbix Server | Authenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-42327 | Details, PoC
ProjectSend | Unauthenticated Remote Attack | Improper Authentication Vulnerability | CVE-2024-11680 | Details, PoC
SailPoint IdentityIQ | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-10905 | Details
TP-Link Archer, Deco, and Tapo Series Routers | Authenticated Remote Attack | Command Injection Vulnerability | CVE-2024-53375 | Details, PoC
7-Zip Zstandard Decompression | Unauthenticated Remote Attack | Integer Underflow Vulnerability | CVE-2024-11477 | Details, PoC
Calendar Week 48 2024
CleanTalk Spam Protection and Firewall Plugin for WordPress | Unauthenticated Remote Attack | Authorization Bypass Vulnerability | CVE-2024-10542 | Details, PoC
OpenSSL | Unauthenticated Remote Attack | Memory Corruption and Command Injection Vulnerabilities | CVE-2024-5535, CVE-2022-2274, CVE-2022-1292, CVE-2022-2068 | Details, PoC1, PoC2
Zyxel ATP and USG Flex Firewall | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-42057 | Details
QNAP QuRouter | Unauthenticated Remote Attack | Command Injection Vulnerabilities | CVE-2024-48860, CVE-2024-48861 | Details
Kubernetes Kubelet | Authenticated Remote Attack | Path Traversal Vulnerability | Details
Calendar Week 47 2024
Palo Alto PAN-OS | Unauthenticated Remote Attack | Authentication Bypass and Command Injection Vulnerabilities | CVE-2024-0012, CVE-2024-9474 | Details1, Details2, PoC1, PoC2
WordPress WP Time Capsule Backup and Staging Plugin | Unauthenticated Remote Attack | Arbitrary File Upload Vulnerability | CVE-2024-8856 | Details, PoC
WordPress Really Simple Security Plugin | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-10924 | Details, PoC
Citrix Session Recording | Authenticated Remote Attack | Authenticated Remote Attack | CVE-2024-8069 | Details, PoC
SAP BusinessObjects Business Intelligence Platform | Unauthenticated Remote Attack | Missing Authentication Check Vulnerability | CVE-2024-41730 | Details, PoC
Calendar Week 46 2024
Rocket.Chat | Unauthenticated Remote Attack | Server-Side Request Forgery (SSRF) Vulnerability | CVE-2024-39713 | Details, PoC
D-Link NAS Devices | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-10914 | Details, PoC
Fortinet FortiManager | Unauthenticated Remote Attack | Missing Authentication Vulnerability | CVE-2024-47575 | Details, PoC
Nginx UI | Unauthenticated Remote Attack | Logrotate Misconfiguration Vulnerability | CVE-2024-49368 | Details, PoC
LiteSpeed Cache | Unauthenticated Remote Attack | Insufficiently Protected Credentials Vulnerability | CVE-2024-44000 | Details, PoC
Calendar Week 45 2024
Jenkins Command Line Interface | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-23987 | Details, PoC
ScienceLogic SL1 | Unauthenticated Remote Attack | Remote Code Execution Vulnerability | CVE-2024-9537 | Details
Cisco Ultra-Reliable Wireless Backhaul Access Points | Unauthenticated Remote Attack | Improper Input Validation Vulnerability | CVE-2024-20418 | Details
HPE Aruba Networking Access Points | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-42509 | Details
Symphony PHP framework | Unauthenticated Remote Attack | Improper Input Validation Vulnerability | CVE-2024-50340 | Details, PoC
Calendar Week 44 2024
CyberPanel | Unauthenticated Remote Attack | Authentication Bypass and Command Injection Vulnerabilities | CVE-2024-51567, CVE-2024-51378 | Details, PoC1, PoC2
RoundCube Webmail | Unauthenticated Remote Attack | Cross-Site Scripting (XSS) Vulnerability | CVE-2024-37383 | Details, PoC
PyTorch | Unauthenticated Remote Attack | Insecure Deserialization Vulnerability | CVE-2024-48063 | Details, PoC
Microsoft Sharepoint | Authenticated Remote Attack | Insecure Deserialization Vulnerability | CVE-2024-38094 | Details
Microsoft Windows Server | Authenticated Remote Attack | Elevation of Privilege Vulnerability | CVE-2024-43532 | Details
Calendar Week 43 2024
Grafana | Authenticated Remote Attack | Code Injection Vulnerability | CVE-2024-9264 | Details, PoC1, PoC2
pfSense | Unauthenticated Remote Attack | Cross-Site Scripting (XSS) Vulnerability | CVE-2024-46538 | Details, PoC
Fortinet FortiManager | Unauthenticated Remote Attack | Missing Authentication Vulnerability | CVE-2024-47575 | Details1, Details2
WordPress TI WooCommerce Wishlist Plugin | Unauthenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-43917 | Details, PoC
WordPress Premium ARForms Form Builder Plugin | Unauthenticated Remote Attack | Unauthenticated File Upload Vulnerability | CVE-2024-4620 | Details, PoC
Calendar Week 42 2024
ConnectWise ScreenConnect | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-1709 | Details
GitHub Enterprise Server | Unauthenticated Remote Attack | Improper Verification of Cryptographic Signature | CVE-2024-9487 | Details
Ruby SAML | Unauthenticated Remote Attack | Improper Verification of SAML Response Signature | CVE-2024-45409 | Details, PoC
Mozilla Firefox and Firefox ESR | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2024-9680 | Details, PoC
Veeam Backup and Replication | Unauthenticated Remote Attack | Deserialization of Untrusted Data Vulnerability | CVE-2024-40711 | Details, PoC
Calendar Week 41 2024
Palo Alto Networks Expedition | Unauthenticated Remote Attack | OS and SQL Injection Vulnerabilities | CVE-2024-9463, CVE-2024-9464, CVE-2024-9465 | Details, PoC1, PoC2
Mozilla Firefox and Firefox ESR | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2024-9680 | Details
Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb | Unauthenticated Remote Attack | Format String Vulnerability | CVE-2024-23113 | Details
Windows RDP | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2024-43582 | Details
PostgreSQL pgAdmin | Unauthenticated Remote Attack | Insufficiently Protected Credentials in OAuth2 Authentication | CVE-2024-9014 | Details, PoC
Calendar Week 40 2024
Cisco IOS XE | Unauthenticated Remote Attack | Improper Resource Management Vulnerability | CVE-2024-20467 | Details
OpenPrinting CUPS | Unauthenticated Remote Attack | Binding to an Unrestricted IP Address and Input Validation Vulnerabilities | CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177 | Details, PoC1, PoC2
Check Point Quantum Security Gateways | Unauthenticated Remote Attack | Information Disclosure Vulnerability | CVE-2024-24919 | Details, PoC
Synacor Zimbra Collaboration | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-45519 | Details, PoC
Broadcom VMware vCenter Server | Unauthenticated Remote Attack | Heap Overflow Vulnerability | CVE-2024-38812 | Details
Calendar Week 39 2024
OpenPrinting CUPS | Unauthenticated Remote Attack | Binding to an Unrestricted IP Address and Input Validation Vulnerabilities | CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177 | Details, PoC
Aruba Access Points | Unauthenticated Remote Attack | Command Injection Vulnerabilities | CVE-2024-42505, CVE-2024-42506, CVE-2024-42507 | Details
Cisco Smart Licensing Utility | Unauthenticated Remote Attack | Use of Hard-coded Credentials Vulnerability | CVE-2024-20439 | Details, PoC
MediaTek Wi-Fi Chipsets | Unauthenticated Remote Attack | Out-of-Bounds Write Vulnerability | CVE-2024-20017 | Details, PoC
Keycloak | Authenticated Remote Attack | Improper Signature Verification Vulnerability | CVE-2024-8698 | Details
Calendar Week 38 2024
Apache HugeGraph | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-27348 | Details, PoC
Ivanti Endpoint Manager | Unauthenticated Remote Attack | Improper Deserialization of Untrusted Data Vulnerability | CVE-2024-29847 | Details, PoC
Thinkphp | Unauthenticated Remote Attack | Improper Deserialization of Untrusted Data Vulnerability | CVE-2024-44902 | Details, PoC
Raisecom Gateway Devices | Unauthenticated Remote Attack | Command Injection Vulnerability | Details, PoC
Broadcom vCenter Server | Unauthenticated Remote Attack | Heap Overflow Vulnerability | Details
Calendar Week 37 2024
Kemp LoadMaster | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-1212 | Details, PoC
Qualitor ITSM | Unauthenticated Remote Attack | Arbitrary File Upload Vulnerability | CVE-2024-44849 | Details, PoC
Apache OFBiz | Unauthenticated Remote Attack | Server-Side Request Forgery Vulnerability | CVE-2024-45507 | Details, PoC
SonicWall SonicOS | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-40766 | Details
GitLab CE/EE | Authenticated Remote Attack | Pipeline Execution Vulnerability | CVE-2024-6678 | Details
Calendar Week 36 2024
Cisco Smart Licensing Utility | Unauthenticated Remote Attack | Sensitive Information in Log Files and Static Admin Credentials Vulnerabilities | CVE-2024-20439, CVE-2024-20440 | Details, PoC1, PoC2
Veeam Backup & Replication | Unauthenticated Remote Attack | Remote Code Execution Vulnerability | CVE-2024-40711 | Details
Ivanti Virtual Traffic Manager | Unauthenticated Remote Attack | Admin Authentication Bypass Vulnerability | CVE-2024-7593 | Details, PoC
Zyxel APs and Security Router Devices | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-7261 | Details
WhatsUp Gold | Unauthenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-6670 | Details, PoC
Calendar Week 35 2024
Wordpress Litespeed Cache | Unauthenticated Remote Attack | Incorrect Privilege Assignment Vulnerability | CVE-2024-28000 | Details, PoC
AVTECH IP Cameras | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-7029 | Details, PoC
Apache OFBiz | Unauthenticated Remote Attack | Path Traversal and Incorrect Authorization Vulnerabilities | CVE-2024-32113, CVE-2024-38856 | Details, PoC1, PoC2
Google Chromium V8 | Unauthenticated Remote Attack | Confusion and Inappropriate Implementation Vulnerabilities | CVE-2024-5274, CVE-2024-7965 | Details, Details, PoC1
SonicWall SonicOS | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-40766 | Details
Calendar Week 34 2024
GitHub Enterprise Server | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-6800 | Details
Ingress Nginx Controller | Authenticated Remote Attack | Annotation Validation Bypass Vulnerability | CVE-2024-7646 | Details, PoC
ServiceNow | Unauthenticated Remote Attack | Input Validation and Incomplete List of Disallowed Inputs Vulnerabilities | CVE-2024-5217, CVE-2024-4879 | Details, PoC1, PoC2
Dahua IP Cameras, Video Intercom, NVR, XVR devices | Unauthenticated Remote Attack | Authentication Bypass Vulnerabilities | CVE-2021-33044, CVE-2021-33045 | Details, PoC
Apache HTTP Server | Unauthenticated Remote Attack | Substitution Encoding Vulnerabilities | CVE-2024-38474, CVE-2024-38475 | Details, PoC
Calendar Week 33 2024
TOTOLINK EX1800T and A3700R | Unauthenticated Remote Attack | Command Injection Vulnerabilities | CVE-2024-34257, CVE-2023-46574 | Details, PoC1, PoC2
Windows 10, 11, and Server | Unauthenticated Remote Attack | TCP/IP Buffer Overflow Vulnerability in IPv6 Stack | CVE-2024-38063 | Details, PoC
VMware ESXi | Authenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-37085 | Details, PoC
SolarWinds Web Help Desk | Unauthenticated Remote Attack | Deserialization of Untrusted Data Vulnerability | CVE-2024-28986 | Details
Ivanti Virtual Traffic Manager | Unauthenticated Remote Attack | Admin Authentication Bypass Vulnerability | CVE-2024-7593 | Details
Calendar Week 33 2024
Cacti Network Monitoring and Fault Management Framework | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-29895 | Details, PoC
Jenkins | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-43044 | Details, PoC
ServiceNow | Unauthenticated Remote Attack | Input Validation and Incomplete List of Disallowed Inputs Vulnerabilities | CVE-2024-5217, CVE-2024-4879 | Details, PoC1, PoC2
Progress WhatsUpGold | Unauthenticated Remote Attack | Improper Path Validation Vulnerability | CVE-2024-4885 | Details, PoC
Apache OFBiz | Unauthenticated Remote Attack | Path Traversal and Incorrect Authorization Vulnerabilities | CVE-2024-32113, CVE-2024-38856 | Details, PoC1, PoC2