Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple security flaws affecting products from Zyxel, North Grid Proself, ProjectSend, and CyberPanel to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-51378 (CVSS score: 10.0) - An incorrect default permissions
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Zyxel, North Grid Proself, ProjectSend, CyberPanel, and I-O DATA Routers Cataloged by CISA
## CVE Details
This summary covers several vulnerabilities added to CISA's KEV catalog or reported as actively exploited.
| CVE ID | CVSS Score | Severity | Affected Product Context |
| :--- | :--- | :--- | :--- |
| **CVE-2024-51378** | 10.0 | Critical | CyberPanel/Ransomware activity |
| **CVE-2023-45727** | 7.5 | High | Not specified (Linked to Earth Kasha espionage) |
| **CVE-2024-11680** | 9.8 | Critical | ProjectSend/Weaponized for payloads |
| **CVE-2024-11667** | 7.5 | High | CyberPanel/Ransomware activity |
| **CVE-2024-45841** | 6.5 | Medium | I-O DATA Routers |
| **CVE-2024-47133** | 7.2 | High | I-O DATA Routers |
| **CVE-2024-52564** | 7.5 | High | I-O DATA Routers |
*Note: CWE information was not explicitly provided for all CVEs in the source material.*
## Affected Systems
* **Products:** CyberPanel, ProjectSend, I-O DATA Routers (UD-LT1, UD-LT1/EX), North Grid Proself (Inferred from overall CISA advisory inclusion).
* **Versions:** Specific vulnerable versions were not detailed, only that the following flaws are being exploited:
  * CVE-2024-51378, CVE-2024-11667 (in CyberPanel)
  * CVE-2024-11680 (in ProjectSend)
  * CVE-2024-45841, CVE-2024-47133, CVE-2024-52564 (in I-O DATA UD-LT1/EX)
## Vulnerability Description
* **CVE-2024-51378 (CVSS 10.0):** Incorrect default permissions leading to **Authentication Bypass** and **Arbitrary Command Execution** via shell metacharacters in the `statusfile` property.
* **CVE-2023-45727 (CVSS 7.5):** Improper restriction of **XML External Entity (XXE) reference**, allowing unauthenticated remote XXE attacks.
* **CVE-2024-11680 (CVSS 9.8):** Improper authentication allowing a remote, unauthenticated attacker to **create accounts, upload web shells, and embed malicious JavaScript.**
* **CVE-2024-11667 (CVSS 7.5):** **Path Traversal** in the web management interface enabling file download or upload via a crafted URL.
* **CVE-2024-45841 (CVSS 6.5, I-O DATA):** Incorrect permission assignment allowing a guest account user to **read sensitive files/credentials.**
* **CVE-2024-47133 (CVSS 7.2, I-O DATA):** **OS Command Injection** allowing a logged-in administrator to execute arbitrary commands.
* **CVE-2024-52564 (CVSS 7.5, I-O DATA):** Inclusion of undocumented features allowing a remote attacker to **disable the firewall, execute arbitrary OS commands, or alter configuration.**
## Exploitation
* **Status:** **Exploited in the wild** for all listed CVEs (added to CISA KEV or actively reported as exploited).
* CVE-2023-45727 linked to China-nexus group Earth Kasha.
* CVE-2024-11680 actively weaponized since September 2024 for payload dropping.
* CVE-2024-51378 and CVE-2024-11667 attributed to ransomware campaigns (PSAUX, Helldown).
* **Complexity:** Generally **Low** to **Medium** given the unauthenticated nature of several flaws (e.g., RCE, account creation).
* **Attack Vector:** Primarily **Network**, due to remote, unauthenticated access vectors described for multiple flaws.
## Impact
| Metric | Impact Level | Notes |
| :--- | :--- | :--- |
| **Confidentiality** | High | Reading sensitive files (CVE-2024-45841); Information disclosure possible via XXE/Payloads. |
| **Integrity** | Critical | Arbitrary command execution, web shell upload, configuration alteration (CVE-2024-51378, CVE-2024-52564). |
| **Availability** | High | Potential denial of service or resource hijacking via command injection/payload execution. |
## Remediation
### Patches
* **I-O DATA Routers (CVE-2024-52564):** Patch available in firmware **Ver2.1.9**.
* **I-O DATA Routers (CVE-2024-45841, CVE-2024-47133):** Fixes expected in firmware **Ver2.2.0** (as of December 18, 2024).
* **Other CVEs (CVE-2024-51378, CVE-2023-45727, CVE-2024-11680, CVE-2024-11667):** Vendors (Zyxel, CyberPanel, ProjectSend) should have released updates corresponding to the KEV catalog additions; these updates require immediate application.
### Workarounds
* **I-O DATA Routers (while awaiting full patches):**
  1. Limit exposure of the settings screen from the internet by **disabling remote management**.
  2. Change default guest user passwords.
  3. Ensure administrator passwords are not trivial.
* **General Mitigation:** Due to active exploitation across multiple platforms, prioritize patching the listed CVEs immediately. Federal Civilian Executive Branch (FCEB) agencies were directed to remediate by **December 25, 2024**.
## Detection
* **Indicators of Compromise:** Presence of newly created user accounts, unexpected web shells, suspicious outbound network traffic, or abnormal filesystem changes related to the affected products.
* **Detection Methods and Tools:** Monitor network traffic for payloads associated with known ransomware groups (PSAUX, Helldown) targeting these specific product types. Use threat intelligence feeds for signatures related to the exploitation techniques (e.g., statusfile injection, crafted path traversal URLs).
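As an added illustration of the detection methods above (example code written for this summary, not code from CISA or any of the affected vendors), the following Python scan runs over constructed web-server access-log lines and flags the two request patterns named here: shell metacharacters in a `statusfile` parameter and directory-traversal sequences in a crafted URL. The endpoint paths, client addresses and log lines are constructed placeholders, not the real endpoints of CyberPanel or ProjectSend.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined format). The paths are
# placeholders, not the real endpoints of CyberPanel or ProjectSend.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Dec/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Dec/2024:10:01:07 +0000] "POST /api/placeholder?statusfile=/tmp/ok.txt HTTP/1.1" 200 120 "-" "curl/8.0"
198.51.100.7 - - [04/Dec/2024:10:02:15 +0000] "POST /api/placeholder?statusfile=/tmp/x;echo%20probe HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.8 - - [04/Dec/2024:10:03:40 +0000] "GET /download?file=..%2F..%2Fconfig.ini HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.12 - - [04/Dec/2024:10:04:01 +0000] "GET /files/report.pdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META_RE = re.compile(r'[;&|`]|\$\(')   # shell metacharacters inside a parameter value
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')      # "../" or "..\" after URL decoding

def _query_params(query):
    """Yield (key, decoded value) pairs; avoids parse_qs, whose ';' handling varies by version."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        yield unquote(key), unquote(value)

def scan_access_log(text):
    """Return one finding per matching rule per request, in log order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.group("client"), m.group("target")
        parts = urlsplit(target)
        # Rule 1: shell metacharacters in the 'statusfile' parameter (CVE-2024-51378 pattern).
        for key, value in _query_params(parts.query):
            if key == "statusfile" and SHELL_META_RE.search(value):
                findings.append({"line": lineno, "client": client,
                                 "rule": "statusfile-shell-metacharacter", "evidence": value})
        # Rule 2: traversal anywhere in the request target (CVE-2024-11667 pattern).
        # Decode twice so single- and double-encoded "..%2F" sequences are both caught.
        decoded = unquote(unquote(target))
        if TRAVERSAL_RE.search(decoded):
            findings.append({"line": lineno, "client": client,
                             "rule": "path-traversal", "evidence": decoded})
    return findings

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['rule']} -> {hit['evidence']}")
```

Feed real access logs to `scan_access_log` and route the findings to your SIEM; the regexes are deliberately broad, so tune them against your own baseline traffic before alerting.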
## References
* CISA KEV Catalog (General Advisory): hxxps://www.cisa.gov/news-events/alerts/2024/12/04/cisa-adds-one-known-exploited-vulnerability-catalog
* CISA KEV Catalog (General Advisory): hxxps://www.cisa.gov/news-events/alerts/2024/12/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
* CVE-2024-51378 Details: hxxps://attacke.rs/posts/cyberpanel-command-injection-vulnerability/
* I-O DATA Advisory: hxxps://www.iodata.jp/support/information/2024/11_ud-lt1/index.htm
* JPCERT/CC Advisory: hxxps://jvn.jp/en/jp/JVN46615026/index.html