CISA issues alert over two high-severity DrayTek vulnerabilities – here’s what you need to know

CISA has added three security flaws to its known exploited vulnerabilities (KEV) catalog, including two affecting DrayTek’s network equipment management software, VigorConnect.

The third vulnerability added to the catalog affects Kingsoft’s popular WPS Office productivity suite.

All three vulnerabilities were described as path traversal flaws, that allow attackers to read sensitive files they should not be able to access.

The two DrayTek vulnerabilities – CVE-2021-20123 and CVE-2021-20124 – were initially discovered back in 2021 by security researchers at Tenable, who described them as unauthenticated local file inclusion flaws affecting the VigorConnect’s DownloadFileServlet and WebServlet programs.

The flaws were patched back in October 2021, but their addition to the KEV catalog indicates many systems remain susceptible to compromise, and cyber criminals are targeting these vulnerable entities.

“An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges,” Tenable warned.

Tenable also published proof of concept exploits for CVE-2021-20123 and CVE-2021-20124. Both vulnerabilities were classified as high severity in the National Vulnerability Database (NVD), receiving a 7.5 rating on the CVSS.

CISA warned that path traversal vulnerabilities are frequent attack vectors for malicious cyber actors, and pose a significant risk to federal enterprises in particular.

Although added to the KEV “based on evidence of active exploitation”, at the time of writing there is no publicly available information on in-the-wild attacks exploiting the DrayTek vulnerabilities, but businesses are advised to patch affected systems as soon as possible to reduce their exposure.

Critical WPS flaw exploited by South Korean cyber gang

The third flaw, CVE-2024-7262 , stems from improper path validation in the promecefpluginhost.exe in versions 12.2.0.13110 to 12.2.0.16412 of Kingsoft WPS Office for Windows .

The vulnerability, with a critical 9.3 rating in the CVSS , could allow an attacker to load arbitrary Windows libraries onto the system, which could then lead to remote code execution, data exfiltration, and long-term persistence on the network.

An overview of 2023's threat landscape

Kingsoft WPS Office is a popular alternative to Microsoft’s productivity suite, widely used in China and East Asia, with roughly 500 million active users worldwide.

A blog published on 3 September by security firm Qualys reported APT-C-60, a South Korean-aligned cyber espionage group, had been exploiting CVE-2024-7262.

“Attackers exploited the vulnerability to install the SpyGlace backdoor on East Asian targets. Tracked as CVE-2024-7262, the vulnerability allows an attacker to perform remote code execution,” Qualys warned.

In its description of the flaw, the nonprofit security organization MITRE stated the vulnerability was found weaponized as a single-click exploit in a deceptive spreadsheet document.

Qualys revealed the spreadsheet was used by APT-C-60 to deceive users into clicking malicious hyperlinks embedded in a fake image, starting the attack’s kill chain.

Kingsoft has released a patch for CVE-2024-7262, and CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw, as well as the two DrayTek vulnerabilities, by 24 September 2024.