Summary: A significant spam campaign has exploited a vulnerability in Krpano, a widely used virtual tour software, leading to malicious redirects affecting numerous major organizations worldwide. The reflected XSS vulnerability allowed attackers to embed ads or redirect users to inappropriate sites. Despite a previous patch issued in 2020, the issue lingered, prompting renewed notifications and fixes from Krpano developers after the exploitation was reported.
Affected: Various private and government organizations, including major universities, hotel chains, and Fortune 500 companies.
Key points:
- More than 350 websites have been exploited, including those of universities, government bodies, and major corporations.
- The reflected XSS vulnerability (CVE-2020-24901) has been known since 2020 but remained inadequately addressed.
- Malicious content included advertisements for adult sites, online casinos, and hacking services, with some ads embedded directly on legitimate sites.
- Krpano released a patch (version 1.22.4) on February 24 to mitigate further abuse following the disclosure of the exploitation.
- Efforts to notify affected organizations were met with varied responses, with some taking corrective actions.