Showing posts with the label Rapid7

Critical SQL injection flaw fixed in Rapid7’s Nexpose vulnerability scanner

Rapid7 has patched a critical SQL injection vulnerability in Nexpose, its on-premises vulnerability management software. The flaw, which has a CVSS rating of 9.8, arose because valid search operators were not defined, according to the CVE description for the bug, which is tracked as CVE-2022-0757. Consequently, attackers can inject SQL code after manipulating the ‘ALL’ or ‘ANY’ filter query operators in the SearchCriteria. This issue affects all versions of Nexpose – alternately known as Security Console – up to and including 6.6.128.

XSS in the mix

Rapid7, a Massachusetts-based cybersecurity firm, addressed the issue in Nexpose version 6.6.129, released March 2. The latest version also includes support for TLS 1.3 services, an added vulnerability check for Log4j, and additional Metasploit-based vulnerability coverage. The Nexpose vulnerability scanner also contained a medium severity cross-site scripting (XSS) flaw. Residing in the shared scan configuration, the reflected

Widespread Exploitation of Zyxel Network Devices

Rapid7 is tracking reports of ongoing exploitation of CVE-2023-28771, a critical unauthenticated command injection vulnerability affecting multiple Zyxel networking devices. The vulnerability is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is intended to be exposed to the internet. A VPN does not need to be configured on a device for it to be vulnerable. Successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released an advisory for CVE-2023-28771 on April 25, 2023. On May 19, Rapid7 researchers published a technical analysis of the vulnerability on AttackerKB, underscoring the likelihood of exploitation. As of May 19, there were at least 42,000 instances of Zyxel devices on the public internet. However, as Rapid7 researchers noted, this number only