The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Versa Director Dangerous File Type Upload Vulnerability CVE-2024-39717 (CVSS score: 6.6) to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature in Versa Director’s GUI, it allows administrators with specific privileges to upload a malicious file disguised as a PNG image. Exploitation requires successful authentication by a user with the necessary privileges. Although details are limited, Versa Networks confirmed one case where the vulnerability was exploited due to a customer’s failure to implement recommended firewall guidelines. This oversight allowed the attacker to exploit the vulnerability without needing to access the GUI.
” Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer.” reads the advisory. “This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI.”
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by September 13, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)