Oracle, Apache, and TP-Link Vulnerabilities Are Being Actively Exploited

Based on evidence of ongoing exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included three vulnerabilities in its list of Known Exploited Vulnerabilities (KEV).

The identified security flaws are as follows:

• CVE-2023-1389, has a CVSS grade of 8. – Vulnerability in TP-Link Archer AX-21 Command Injection
• CVE-2021-45046 has a CVSS rating of 9. – Deserialization of Untrusted Data Vulnerability in Apache Log4j2
• CVSS score for CVE-2023-21839 is 7.5. – Unspecified Vulnerability in Oracle WebLogic Server
• CVE-2023-1389 is a command injection issue that affects TP-Link Archer AX-21 routers and might be used to execute malware remotely.

According to the Zero Day Initiative by Trend Micro, threat actors associated with the Mirai botnet have been actively exploiting this vulnerability since April 11, 2023.

CVE-2021-45046, which is a remote code execution vulnerability impacting the Apache Log4j2 logging library, has been added as the second vulnerability in the KEV catalogue. This vulnerability was identified in December 2021.

While data collected by GreyNoise suggests that there have been exploitation attempts from approximately 74 distinct IP addresses in the last 30 days, the specific method of exploiting this vulnerability in real-world scenarios remains unclear. This uncertainty also extends to CVE-2021-44228, commonly referred to as Log4Shell.

Completing the list is a significant issue found in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, which poses a high severity risk by potentially granting unauthorized access to sensitive data. The issue was addressed through upgrades that became accessible in January 2023.

According to CISA, “Oracle WebLogic Server contains an ambiguous vulnerability that could allow an unauthenticated attacker with access to the network via T3, IIOP, to compromise Oracle WebLogic Server.”

While proof-of-concept (PoC) exploits exist for this flaw, there are currently no reported instances of malicious exploitation in the public domain.
As of May 22, 2023, it is mandated that Federal Civilian Executive Branch (FCEB) organizations implement the patches provided by vendors in order to safeguard their networks against the existing vulnerabilities.

Furthermore, this advice comes shortly after VulnCheck uncovered that the KEV catalogue is lacking around 40 security vulnerabilities, which are likely to have been exploited in the field during 2022.

Out of the 42 vulnerabilities, the majority, specifically 27, are associated with Mirai-like botnet exploitation. Additionally, 6 vulnerabilities are linked to ransomware gangs, while 9 vulnerabilities are attributed to other threat actors.

The disclosure of this information coincides with the discovery by cybersecurity company eSentire of new malicious activity directed at an unnamed education sector client. The attackers are exploiting the CVE-2023-27350 vulnerability to deliver an XMRig cryptocurrency miner.

Last week, Microsoft revealed that Iranian state-sponsored threat groups Mango Sandstorm (also known as MuddyWater or Mercury) and Mint Sandstorm (also known as Phosphorus) have recently initiated attacks targeting PaperCut print management services.