CISA urges federal agencies to patch the Versa Director vulnerability by September.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability affecting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, identified as CVE-2024-39717, carries a CVSS score of 6.6 and is classified as medium-severity. It involves a file upload flaw within the “Change Favicon” feature, which could enable an attacker to upload a malicious file disguised as a harmless PNG image.

According to CISA’s advisory, the Versa Director graphical user interface (GUI) has a vulnerability related to the unrestricted upload of files with dangerous types. This issue affects administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges who can customize the user interface. The “Change Favicon” feature allows for the upload of a .png file, which can be exploited to upload a malicious file with a .PNG extension masquerading as an image.

Successful exploitation of this vulnerability requires that a user with the necessary privileges has already authenticated and logged in.
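The weakness described above is an upload path that trusts a filename extension rather than the file's contents. As an added defensive illustration, not code from Versa Networks or from the advisory, the following Python validator accepts a favicon upload only if the bytes are a well-formed PNG: it checks the signature, parses the IHDR chunk, verifies every chunk CRC, and rejects trailing data after IEND. The size and dimension limits and all sample inputs are constructed assumptions for the example.

```python
"""Added example (not Versa Director's code): validate a favicon upload by
content, not by its ".png" extension. Limits and samples are constructed."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_FAVICON_BYTES = 64 * 1024   # assumed policy limit for this example
MAX_DIMENSION = 256             # assumed policy limit for a favicon


class UploadRejected(ValueError):
    """Raised when an upload fails content validation."""


def validate_png_upload(filename: str, data: bytes) -> dict:
    """Return {'width', 'height'} if data is a well-formed, favicon-sized PNG;
    raise UploadRejected otherwise. The extension alone is never trusted."""
    if not filename.lower().endswith(".png"):
        raise UploadRejected("extension must be .png")
    if len(data) > MAX_FAVICON_BYTES:
        raise UploadRejected("file too large for a favicon")
    if not data.startswith(PNG_SIGNATURE):
        raise UploadRejected("missing PNG signature: content does not match extension")

    pos = len(PNG_SIGNATURE)
    width = height = None
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise UploadRejected("truncated chunk")
        # CRC covers chunk type + chunk body, per the PNG specification
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise UploadRejected(f"bad CRC on {ctype!r} chunk")
        if width is None:
            if ctype != b"IHDR" or length != 13:
                raise UploadRejected("first chunk must be IHDR")
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise UploadRejected("image dimensions exceed favicon policy")
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        raise UploadRejected("no IEND chunk")
    if pos != len(data):
        # Anything appended after IEND is not image data and is rejected
        raise UploadRejected("trailing data after IEND")
    return {"width": width, "height": height}


def is_disguised_upload(filename: str, data: bytes) -> bool:
    """True when the name claims PNG but the bytes do not validate as one."""
    try:
        validate_png_upload(filename, data)
        return False
    except UploadRejected:
        return True


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png(width: int = 16, height: int = 16) -> bytes:
    """Constructed sample: a valid 8-bit grayscale PNG of the given size."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    samples = {
        "real favicon": make_minimal_png(),
        "text with .png name": b"not really an image",
        "png with trailing payload": make_minimal_png() + b"extra bytes",
    }
    for label, blob in samples.items():
        print(f"{label:28s} disguised={is_disguised_upload('favicon.png', blob)}")
```

Checking the signature alone is not sufficient: a file can carry a valid PNG header and still contain non-image content after IEND, so the validator also requires the chunk list to end exactly where the file does.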

While the specifics of how CVE-2024-39717 was exploited remain unclear, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) mentions that Versa Networks is aware of one confirmed case in which a customer was targeted. The description notes that the customer had not implemented firewall guidelines published in 2015 and 2017, leading to the exploitation of the vulnerability without the use of the GUI.

Federal Civilian Executive Branch (FCEB) agencies are mandated to safeguard against this vulnerability by applying the vendor-provided patches by September 13, 2024.

This update follows CISA’s recent addition of four other vulnerabilities from 2021 and 2022 to its KEV catalog, including:

  • CVE-2021-33044 (CVSS score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2021-33045 (CVSS score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2021-31196 (CVSS score: 7.2) – Microsoft Exchange Server Information Disclosure Vulnerability
  • CVE-2022-0185 (CVSS score: 8.4) – Linux Kernel Heap-Based Buffer Overflow Vulnerability

It’s noteworthy that CVE-2022-0185 was reportedly exploited by a China-linked threat actor known as UNC5174 (also referred to as Uteus or Uetus), according to a report from Mandiant in March of this year. CVE-2021-31196 was part of a broader set of Microsoft Exchange Server vulnerabilities, collectively referred to as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle. This particular vulnerability has been actively exploited in campaigns where attackers target unpatched Microsoft Exchange Server instances, seeking unauthorized access, privilege escalation, or the deployment of ransomware or other malware.
