FortiGuard Labs is aware that a WSO2 vulnerability (CVE-2022-29464) that was patched in February 2022 and disclosed in April is still being actively exploited in the field. CVE-2022-29464 is an unrestricted arbitrary file upload and remote code execution vulnerability that allows unauthenticated, remote attackers to execute arbitrary code on vulnerable WSO2 products.

Why is this Significant?

This is significant because, despite CVE-2022-29464 having been patched in February and disclosed in April, the vulnerability is still being actively exploited. This means that attacks leveraging CVE-2022-29464 still have some level of success even now. With the vulnerability being actively exploited and Proof-of-Concept (PoC) code publicly available since late April, users and administrators should review WSO2's advisory and apply the patch or the necessary workaround.

Also, CVE-2022-29464 is included in CISA's Known Exploited Vulnerabilities Catalog, which lists vulnerabilities for which US federal agencies are required to patch their information systems within specific timeframes and deadlines.

What is CVE-2022-29464?

CVE-2022-29464 is a vulnerability in multiple WSO2 products that allows unauthenticated, remote attackers to execute arbitrary code on affected systems. The vulnerability is rated Critical and has a CVSS score of 9.8. The advisory lists the following products as vulnerable:

WSO2 API Manager 2.2.0, up to 4.0.0
WSO2 Identity Server 5.2.0, up to 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
WSO2 Open Banking AM 1.4.0, up to 2.0.0
WSO2 Open Banking KM 1.4.0, up to 2.0.0

What Malware Was Deployed after Successful Exploitation of CVE-2022-29464?

Cobalt Strike, backdoors, cryptocurrency miners and hacktools are reported to have been deployed to compromised systems.

Has the Vendor Released an Advisory?

Yes. See the Appendix for a link to "Security Advisory WSO2-2021-1738".

Has the Vendor Released a Patch for CVE-2022-29464?

Yes. According to WSO2's advisory, WSO2 released temporary mitigations in January 2022 and permanent fixes for all supported product versions in February.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against files associated with CVE-2022-29464:

W64/Agent.CY!tr
ELF/Agent.AR!tr
ELF/BitCoinMiner.HF!tr
Java/Agent.AUJ!tr
Java/Webshell.E!tr
Java/Webshell.0CC4!tr
Riskware/Generic.H2
Malicious_Behavior.SB

FortiGuard Labs provides the following IPS coverage against CVE-2022-29464:

WSO2.fileupload.Arbitrary.File.Upload (default action is set to pass)

Known network IOCs for CVE-2022-29464 are blocked by the WebFiltering client.