Based on evidence of active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws that affect Sitecore CMS and Experience Platform (XP) to its known exploited vulnerabilities (KEV) catalogue.
The vulnerabilities are listed below –
CVE-2019-9874 (CVSS score: 9.8) – sitecore.security.anticsrf module relaxation vulnerability. This allows unauthorized attackers to send serialized .net objects with http posts in cve-2019-9875 (cve-2019-9875) in http posts. A de-izalisation vulnerability in the Sitecore.security.anticsRf module allows an authenticated attacker to send serialized .NET objects with HTTP POST PARAMETER __CSRFTOKEN to execute arbitrary code.
Currently in an update shared on March 30, 2020, Sitecore states that it is “aware of aggressive exploitation” of CVE-2019-9874, but there is no details as to whom the flaws are currently weaponized. The company has not mentioned the misuse of CVE-2019-9875.
In light of aggressive exploitation, federal agencies must ensure that they have their networks by April 16, 2025.
Akamai evolves as stated that early exploit attempts were observed to investigate potential servers with newly disclosed security flaws affecting the Next.JS Web Framework (CVE -2025‑29927, CVSS score: 9.1).
Exploitation, a vulnerability that bypasses authorization, could potentially circumvent middleware-based security checks by spoofing a header called “X-Middleware-SubRequest” that attackers use to manage internal request flows. This could allow unauthorized access to sensitive application resources, said Raphael Silva of CheckMarx.
“One of the identified payloads involves using X-Middleware-Request headers with the value SRC/Middleware: SRC/Middleware: SRC/Middleware: SRC/Middleware: SRC/Middleware: SRC/Middleware: SRC/Middleware: SRC/Middleware: SRC/Middleware”
“This approach simulates multiple internal subrequests within a single request and triggers internal redirection logic in next.js.
The disclosure also follows a warning from Greynoise about aggressive exploitation attempts recorded against some known vulnerabilities in Draytek devices.
The threat intelligence company said it saw wild activity observed for the following CVE identifiers –
CVE-2020-8515 (CVSS score: 9.8) – Operating system command injection vulnerability in multiple draytek router models that allow remote code execution as root as cgi-bin/mainfunction via shell metacharacter. An unauthorized attacker will allow downloading any file from the underlying operating system with root privileges via the download Fileservlet Endpoint CVE-2021-20124 (CVSS score: 7.5).
Indonesia, Hong Kong and the US have appeared as top countries in CVE-2020-8515 attack traffic, while Lithuania, the US and Singapore have been selected as part of the attacks that utilize CVE-2021-20123 and CVE-2021-20124.
Source link
