CISA Issues Alert: Three Actively Exploited Vulnerabilities Demand Immediate Attention

Summary: CISA has identified three critical vulnerabilities in its KEV catalog, emphasizing their active exploitation and urging immediate patching by organizations. Notably, vulnerabilities in Draytek routers and Kingsoft WPS Office pose significant risks, including unauthorized access and potential data breaches.

Threat Actor: APT-C-60
Victim: Kingsoft WPS Office

Key Points:

  • CISA added CVE-2021-20123 and CVE-2021-20124 affecting Draytek routers to its KEV catalog due to active exploitation.
  • CVE-2024-7262, a zero-day vulnerability in Kingsoft WPS Office, allows remote code execution and has been exploited by APT-C-60 to deploy malware.
  • Federal agencies must patch these vulnerabilities by September 24, 2024, with a strong recommendation for all organizations to act promptly.

The Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation in the wild and urging organizations to prioritize patching.

Draytek Routers Face Serious Risks

Two of the vulnerabilities, CVE-2021-20123 and CVE-2021-20124, affect Draytek VigorConnect routers, enabling unauthenticated attackers to gain unauthorized access to sensitive files on the underlying operating system. This poses a significant risk of data breaches and potential system compromise.

Kingsoft WPS Office Zero-Day Targeted in Espionage Campaign

CVE-2024-7262 affects Kingsoft WPS Office, a widely used office suite, particularly in China and East Asia. This path traversal vulnerability, with a CVSS score of 9.8, allows an attacker to load an arbitrary Windows library via the promecefpluginhost.exe component on Windows systems.

This flaw has been actively exploited in the wild by a South Korea-aligned cyber espionage group known as APT-C-60. The attackers have leveraged this zero-day vulnerability to deploy a custom backdoor dubbed SpyGlace, which has been used to infect targeted users with sophisticated malware. The malicious activity has predominantly targeted Chinese and East Asian users, highlighting the geopolitical implications of this cyber espionage campaign.

The vulnerability stems from inadequate validation of user-provided file paths, enabling adversaries to upload and execute arbitrary Windows libraries. This capability can lead to remote code execution, allowing attackers to take full control of the affected system, exfiltrate data, and maintain long-term persistence.

Mandatory Patching for Federal Agencies

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch these vulnerabilities by September 24, 2024. However, all organizations are strongly advised to take immediate action to protect their infrastructure.
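The first thing a defender does with a KEV addition is work out which entries touch their own estate and how many days remain before the remediation due date. The script below is an added example, not code from the article or from CISA: it parses a constructed extract laid out like the public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`) and ranks the entries that match a hypothetical product inventory by days left until the due date given in the article.

```python
"""Triage a KEV feed extract against a product inventory (added example)."""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array;
# CVE ids, vendor/product names and the due date come from the article.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-20123", "vendorProject": "Draytek",
     "product": "VigorConnect", "dueDate": "2024-09-24"},
    {"cveID": "CVE-2021-20124", "vendorProject": "Draytek",
     "product": "VigorConnect", "dueDate": "2024-09-24"},
    {"cveID": "CVE-2024-7262", "vendorProject": "Kingsoft",
     "product": "WPS Office", "dueDate": "2024-09-24"},
]})

# Hypothetical inventory of products an organisation runs (constructed).
INVENTORY = {"WPS Office", "VigorConnect"}


def parse_kev(feed_json):
    """Return the list of KEV records from the feed's JSON text."""
    return json.loads(feed_json)["vulnerabilities"]


def triage(records, inventory, today_iso, horizon_days=14):
    """Return (cveID, product, days_left) tuples for records whose product
    is in the inventory and whose due date is within horizon_days of
    today_iso (an ISO date string). Overdue entries have a negative
    days_left and sort first; product names match case-insensitively."""
    today = date.fromisoformat(today_iso)
    wanted = {name.lower() for name in inventory}
    hits = []
    for rec in records:
        if rec["product"].lower() not in wanted:
            continue
        days_left = (date.fromisoformat(rec["dueDate"]) - today).days
        if days_left > horizon_days:
            continue  # not yet urgent under this horizon
        hits.append((rec["cveID"], rec["product"], days_left))
    hits.sort(key=lambda h: (h[2], h[0]))
    return hits


if __name__ == "__main__":
    for cve, product, days in triage(parse_kev(KEV_SAMPLE), INVENTORY, "2024-09-20"):
        state = "OVERDUE" if days < 0 else f"{days} day(s) left"
        print(f"{cve:16} {product:14} {state}")
```

Point `parse_kev` at the text of a real feed download and replace `INVENTORY` with your own product list to use it in practice.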


Source: https://securityonline.info/cisa-issues-alert-three-actively-exploited-vulnerabilities-demand-immediate-attention