CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack

Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in ScienceLogic SL1 to its Known Exploited Vulnerabilities catalog due to active exploitation, while Fortinet has released updates to address a flaw reportedly exploited by China-linked threat actors. The vulnerabilities have raised concerns over unauthorized access to internal systems and the need for timely patching by federal agencies.

Threat Actor: Unknown | unknown
Victim: Rackspace | Rackspace

Key Point :

  • CISA added CVE-2024-9537, a critical vulnerability in ScienceLogic SL1, to its KEV catalog after reports of active exploitation.
  • Fortinet released security updates for FortiManager to address a vulnerability exploited by China-linked threat actors, with details still unclear.
  • Federal agencies must apply fixes for the ScienceLogic vulnerability by November 11, 2024, to protect their networks.
  • Security researcher Kevin Beaumont highlighted the confusion surrounding the Fortinet flaw, dubbed FortiJump, which may involve the FGFM protocol.
Zero-Day Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day.

The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could lead to remote code execution.

The issue has since been addressed in versions 12.1.3, 12.2.3, and 12.3 and later. Fixes have also been made available for version 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x.

Cybersecurity

The development comes weeks after cloud hosting provider Rackspace acknowledged that it “became aware of an issue with the ScienceLogic EM7 Portal,” prompting it to take its dashboard offline towards the end of last month.

“We have confirmed that the exploit of this third-party application resulted in access to three internal Rackspace monitoring web servers,” an account named ynezzor said in an X post on September 28, 2024.

It’s not clear who is behind the attack, although Rackspace has confirmed to Bleeping Computer that the zero-day exploitation led to unauthorized access to its internal performance reporting systems and that it has notified all impacted customers. The breach was first reported by The Register.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by November 11, 2024, to counter possible threats to their networks.

Fortinet Patches Likely Exploited Flaw

The development comes as Fortinet has released security updates for FortiManager to remediate a vulnerability that is reportedly being exploited by China-linked threat actors.

Details about the flaw are presently unknown, although Fortinet, in the past, has sent out confidential customer communications in advance to help them bolster their defenses prior to it being released to a broader audience. The Hacker News has reached out to the company, and we will update the story if we hear back.

Cybersecurity

“FortiGate have released one of the six new versions of FortiManager which fix the actively exploited zero day in the product… but they’ve not issued a CVE or documented the issue existing in the release notes. Next week maybe?,” security researcher Kevin Beaumont said on Mastodon.

“Fortigate currently having the world’s least secret zero day used by China play out, including in FortiManager Cloud… but everybody is confused.”

Beaumont, who has given the flaw the moniker FortiJump, said the vulnerability likely resides in the FortiGate to FortiManager (FGFM) protocol. A search on the Shodan search engine shows close to 60,000 instances that are exposed to the internet.

Earlier this month, CISA added another critical flaw impacting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb (CVE-2024-23113, CVSS score: 9.8) to its KEV catalog, based on evidence of in-the-wild exploitation.

Source: https://thehackernews.com/2024/10/cisa-adds-sciencelogic-sl1.html