DIVD CSIRT

Case closed: DIVD-2026-00006 - Vulnerability found in DIVD App VerySecureApp

Thu, 07 May 2026 02:00:00 +0200

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration.

Case update: DIVD-2026-00005 - Salesforce Experience Cloud – Data Exposure via Misconfiguration

21 Apr 2026 02:00:00 +0200

Last event: 21 Apr 2026 - Casefile published. Notifications to affected organizations are ongoing.

Case update: DIVD-2026-00003 - Mendix Applications – Data Exposure due to Authorization Misconfiguration

05 Mar 2026 01:00:00 +0100

Last event: 05 Mar 2026 - Casefile published. Notifications to affected organizations are ongoing.

Case update: DIVD-2026-00002 - DIVD-2026-00002 – Ivanti Endpoint Manager Mobile Vulnerabilities

05 Feb 2026 01:00:00 +0100

Last event: 05 Feb 2026 - Scanned instances and send out the notifications

Case closed: DIVD-2025-00042 - React2shell vulnerability

Thu, 11 Dec 2025 01:00:00 +0100

A vulnerability in React Server components allow unauthorized access via Remote Code Execution.

Case update: DIVD-2025-00041 - Victim Notification Operation Endgame S03E01

13 Nov 2025 01:00:00 +0100

Last event: 13 Nov 2025 - Case file is public and first data avaiable

Case update: DIVD-2025-00022 - SolarEdge SE3680H and SolarEdge Monitoring Platform vulnerabilities

18 Dec 2025 01:00:00 +0100

Last event: 18 Dec 2025 - CVE records have been published.

Data available from Operation Endgame S03E01

Thu, 13 Nov 2025 00:00:00 +0100

As part of Operation End S03E01 law enforcement has seized stealer logs.

We have received the first dataset from the Dutch Police containing credentions of over 94M accounts from al least 3M users.

We encourage certs, csirts and security teams to look at the extracts we made from this information and request information about domains in ther constituency. See the Endgame S03E01 case file for more information.

Case closed: DIVD-2025-00040 - Oracle E-Business Suite Vulnerabilities

Wed, 08 Oct 2025 02:00:00 +0200

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite could allow attackers to bypass security controls and gain unauthorized access.

Case closed: DIVD-2025-00039 - Cisco ASA WebVPN Vulnerabilities

Fri, 03 Oct 2025 02:00:00 +0200

Multiple vulnerabilities in Cisco ASA WebVPN could allow attackers to bypass security controls and gain unauthorized access.

Case closed: DIVD-2025-00038 - Found webshells in FreePBX due to RCE vulnerability

Thu, 28 Aug 2025 02:00:00 +0200

FreePBX has assigned CVE-2025-57819 to vulnerabilities in its administrator interface that are actively targeted when exposed to the Internet. Administrators are urged to restrict access and harden their systems.

Case closed: DIVD-2025-00037 - Critical vulnerabilities in Citrix ADC and Gateway systems

Thu, 25 Sep 2025 02:00:00 +0200

Citrix has released security updates for vulnerabilities in NetScaler ADC and Gateway that could lead to memory overflows, denial of service, or remote code execution.

Case closed: DIVD-2025-00035 - Sharepoint Mass-Exploitation (ToolShell) through CVE-2025-53770

Thu, 24 Jul 2025 02:00:00 +0200

Threat actors are targeting Sharepoint installations with CVE-2025-53770. Immediate action is required.

Case closed: DIVD-2025-00034 - Remote Code Execution in IBM WebSphere version 8.5 and 9.0

Mon, 08 Sep 2025 02:00:00 +0200

A critical vulnerability in IBM WebSphere was discovered in versions 8.5 and 9.0 that allows a remote code execution

Case closed: DIVD-2025-00033 - Remote Code Execution in GeoServer versions below 2.27.0, 2.26.2 and 2.25.6

Mon, 08 Sep 2025 02:00:00 +0200

A critical vulnerability in GeoServer was discovered in versions below 2.27.0, 2.26.2, and 2.25.6 that allows a remote code execution via injecting XML code

Case closed: DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl

Wed, 20 Aug 2025 02:00:00 +0200

A critical vulnerability in Pterodactyl was discovered in versions below 1.11.11 that allows unauthenticated user preform remote code execution

Case closed: DIVD-2025-00031 - Critical vulnerabilities in Citrix ADC and Gateway systems

Fri, 22 Aug 2025 02:00:00 +0200

Citrix has released security updates for vulnerabilities in Citrix ADC and Gateway appliances that may lead to memory overreads or memory overflow.

Case closed: DIVD-2025-00019 - Unauthenticated file upload in Visual Composer (VCFRAMEWORK)

Tue, 15 Jul 2025 02:00:00 +0200

SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization, allowing unauthenticated users to upload malicious files that can compromise the host system.

Case update: DIVD-2025-00018 - Victim Notification Operation Endgame 2.0

07 Jul 2025 02:00:00 +0200

Last event: 07 Jul 2025 - DIVD starts sharing victim information with certs, csirts and security teams.

Case closed: DIVD-2025-00016 - Unauthenticated Remote Code Execution in Ingress-Nginx.

Wed, 09 Jul 2025 02:00:00 +0200

Unauthenticated Remote Code Execution in Ingress-Nginx can result in cluster takeover.

Case closed: DIVD-2025-00015 - Various vulnerabilities found in SolaX Cloud platform for solarpanel inverters

Wed, 10 Sep 2025 02:00:00 +0200

A number of vulnerabilities have been found in SolaX Power’s cloud platform for solarpanel inverters of which at least one is considered critical.

Case closed: DIVD-2025-00005 - Exposed Automated Tank Gauge Systems

Fri, 18 Jul 2025 02:00:00 +0200

Automated Tank Gauge (ATG) systems at gas stations and critical facilities are exposed to the internet without proper authentication, allowing unauthorized access to fuel monitoring systems.

Endgame 2.0 Stealer logs

Mon, 07 Jul 2025 00:00:00 +0200

As part of Operation End 2.0 law enforcement has seized stealer logs containing credentions of over 62M accounts.

DIVD allows certs, csirts and security teams to look at the extracts we made from this information and request information about domains in ther constituency. See the dedicated sub page for more information.

Case closed: DIVD-2025-00017 - Authentication Bypass and Remote Code Execution in Ivanti EPMM

Tue, 03 Jun 2025 02:00:00 +0200

Authentication bypass in Ivanti EPMM chained together with a remote code execution vulnerability, could lead to unauthenticated remote code execution.

Case closed: DIVD-2025-00010 - Stack-based buffer overflow in Ivanti Connect Secure

Wed, 04 Jun 2025 02:00:00 +0200

A critical stack-based buffer overflow in Ivanti Connect Secure allows unauthenticated attackers to achieve remote code execution by abusing the X-Forwarded-For header.

Case closed: DIVD-2025-00007 - Authentication bypass in CrushFTP service

Thu, 08 May 2025 02:00:00 +0200

A critical vulnerability in CrushFTP was discovered in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 that allows unauthenticated attackers to bypass authentication and gain unauthorized access

Case closed: DIVD-2025-00002 - Authentication bypass in SonicWall SSL-VPN service

Sat, 10 May 2025 02:00:00 +0200

SonicWall has identified an Improper Authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication, posing a serious threat by allowing attackers access to private networks

Case update: DIVD-2025-00001 - Multiple vulnerabilities in Sicomm BASEC Service

12 Jun 2025 02:00:00 +0200

Last event: 12 Jun 2025 - Minimum wait time for full disclosure

Case closed: DIVD-2024-00043 - CyberAudit-Web - SSRF and Authentication bypass CVEs Registered

Sat, 24 May 2025 02:00:00 +0200

Two vulnerabilities have been found in Videx’s CyberAudit-Web. These vulnerabilities could allow an attacker to take over the underlying system.

Case update: DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning

07 May 2025 02:00:00 +0200

Last event: 07 May 2025 - Full disclosure

Full disclosure DIVD-2021-00020

Wed, 07 May 2025 00:00:00 +0200

We have disclosed the full techncial details for case DIVD-2021-00020

The vulnerabilities are:

Case update: DIVD-2025-00012 - Four vulnerabilities in Schneider Electric EVLink Wallbox

23 Apr 2025 02:00:00 +0200

Last event: 23 Apr 2025 - Time to patch (N/A)

Case update: DIVD-2025-00009 - Sungrow's iSolarCloud MQTT lacking permissions

24 Apr 2025 02:00:00 +0200

Last event: 24 Apr 2025 - Time to patch

Case closed: DIVD-2025-00004 - Authentication Bypass in PAN-OS Management Web Interface

Sun, 04 May 2025 02:00:00 +0200

Due to confusion between the ngnix and apache web servers/proxies used to serve the PAN-OS web managmenet interface, it is possible to access certain PHP scripts on Palo Alto devices running PAN-OS without authentication as described in CVE-2025-0108. Running these scripts can lead to a compromise of the confidentiality and integrity of the device.

Case update: DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration

25 Apr 2025 02:00:00 +0200

Last event: 25 Apr 2025 - Full disclosure

SicommNet BASEC product warning

Mon, 14 Apr 2025 00:00:00 +0200

DIVD researcher Jesse Meijer has identified three critical vulnerabilities in the SicommNet BASEC e-procurement system. These vulnerabilities were discovered on the 14th of December 2021. With these vulnerabilities an attacker can bypass all security measures in the tool and access and alter the database of the tool and all data for any customer of SicommNet BASEC.

Despite several attempts over the years, neither Jesse Meijer, DIVD CSIRT nor CISA has been able to solicit a meaningful response from SicommNet. In line with our CNA policy we are now issuing this product warning.

UPDATE 21 Apr 2025: CVE-2025-22371 has been fixed in production on 16 Apr 2025 at 23:00 EST. Given this it might be safe again to use this tool after rotating all user passwords and validating all data in the tool.

Product warning

If you are currently using or in the past have used SicommNet BASEC, we urge you to:

Stop using the tool
Consider all data in the tool compromised:
- Do not trust any data in the tool, because it might have been altered by a malicious actor
- Consider all data in the tool as leaked
- Inform any person of which personal identifiable data (PII) is stored in the tool that their PII has leaked
- Inform any overseeing bodies of a data leak (if applicable)

Our case file DIVD-2025-00001 contains the full details of the vulnerabilities found.

The vulnerabilities are:

CVE-2025-22371 - SQL-injection in admin_login_handler allows unauthenticated user to log in as an administrator in SicommNet BASEC
CVE-2025-22372 - Insecure password storage in SicommNet BASEC
CVE-2025-22373 - XSS, HTML and Style injection on login page of SicommNet BASEC

Case opened: DIVD-2025-00011 - Severe vulnerabilities in Growatt portal

Fri, 11 Apr 2025 02:00:00 +0200

Authentication vulnerability in the plant transfer function of the Growatt cloud portal allowed an attacker with an account to take over any plant form any user.

Case closed: DIVD-2025-00006 - Next.js Middleware Authorization Bypass

Sat, 22 Mar 2025 01:00:00 +0100

The vulnerability affects the middleware functionality in Next.js, an attacker can completely circumvent these middleware controls by adding a specially crafted ‘x-middleware-subrequest’ header to their HTTP requests.

Case update: DIVD-2025-00003 - Multiple vulnerabilities in Mennekes Smart / Premium Charging stations

16 Jan 2025 01:00:00 +0100

Last event: 16 Jan 2025 - Time to patch

Case closed: DIVD-2024-00052 - Remote code execution in Cleo Harmony, VLCTrader and LexiCom

Wed, 05 Feb 2025 01:00:00 +0100

Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution

Case closed: DIVD-2024-00051 - Improper authorization vulnerabilty in ProjectSend,

Wed, 12 Mar 2025 01:00:00 +0100

Improper authorization vulnerabilty, CVE-2024-11680, in open-source file-sharing application: ProjectSend,

Case closed: DIVD-2024-00050 - Path traversal vulnerabilty in Mitel MiCollab

Mon, 03 Feb 2025 01:00:00 +0100

A path traversal vulnerability, CVE-2024-41713, in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation

Case closed: DIVD-2024-00049 - Vulnerabilities in D-Link NAS: Backdoor and Command Injection Exploits

Wed, 09 Apr 2025 02:00:00 +0200

D-Link NAS are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability.

Case closed: DIVD-2024-00048 - VMware vCenter Server heap-overflow and remote code execution vulnerabilities

Mon, 10 Mar 2025 01:00:00 +0100

The vCenter Server contains a heap-overflow vulnerability and a privilege escalation vulnerability

Case closed: DIVD-2024-00045 - SysAid ITSM SQL Injection vulnerability

Wed, 22 Jan 2025 01:00:00 +0100

In March 2024, a SQL Injection vulnerability has been discovered in SysAid ITSM that has been reported to be actively exploited as recent as October 2024. Exploitation can result in unauthorized access to your ITSM system.

Case closed: DIVD-2024-00044 - Missing authentication in Fortinet FortiManager fgfmsd

Wed, 09 Apr 2025 02:00:00 +0200

A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Case closed: DIVD-2024-00038 - Remote Code Execution CUPS

Thu, 23 Jan 2025 01:00:00 +0100

A remote attacker can replace or install printers with malicious IPP URLs, leading to arbitrary command execution when a print job is started.

Case closed: DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey

Wed, 26 Feb 2025 01:00:00 +0100

An Unauthenticated Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.

Case closed: DIVD-2024-00022 - Millions of credentials scraped from Telegram

Wed, 15 Jan 2025 01:00:00 +0100

DIVD was contacted by a source, who scraped millions of credentials from Telegram. DIVD is offering fellow CSIRTs, CERTs, and security teams the opportunity to, after verification, get an extract of the data pertaining to their domains.

Case closed: DIVD-2024-00004 - 2024-00004 Global NGOs

Mon, 31 Mar 2025 02:00:00 +0200

This initiative focuses on identifying and addressing vulnerabilities in the publicly accessible assets of NGOs.

Wilco van Beijnum and Harm van den Brink found 17 vulnerabilities in Iocharger EV chargers. 16 fixed, 1 unfixed.

Thu, 09 Jan 2025 00:00:00 +0100

External researcher Wilco van Beijnum together with DIVD researcher Harm van den Brink have found a total of 17 vulnerabilities applicable to at least all Iocharger AC EV chargers. The vulnerabilities were found in the Iocharger Home and the Iocharger Pedestal models, but the firmware is used in all Iocharger AC models, including those sold as white label solutions under other brands.

Updated firmware is available that fixes 16 of the 17 vulnerabilities. Iocharger does not have a customer facing website where firmware, release notes or security bulletins can be found. Instead it has notified its distributor(s) of the need to update the firmware. Customers who have a Iocharger device, but whose installation is or cannot be updated by a distributor or other service organisation can contact sales@iocharger.com directly for updated firmware.

As a general principle we recommend that owners of Iocharger chargers make sure their devices are not accessible from untrusted networks (e.g. the public internet or a guest network).

This discovery fits into DIVD’s ongoing research into vulnerabilities that effect the smart grid, which is becoming more and more distributed in nature. In households that have electric vehicles (EVs), these vehicles are most of the time the biggest consumers of electricity in the house. The ability to control large numbers of EV chargers may ultimately lead to a situation where, by stopping and starting EV chargers in large numbers, a malicious actor may be able to affect the stability of the electricity grid.

More information in our casefile.

Case closed: DIVD-2024-00047 - Multiple critical vulnerablilties in Palo Alto Networks PAN-OS devices

Mon, 06 Jan 2025 01:00:00 +0100

An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Case closed: DIVD-2024-00046 - Multiple critical vulnerablilties in Ivanti Cloud Services Appliance (CSA)

Mon, 06 Jan 2025 01:00:00 +0100

Ivanti CSA is affected by two critical vulnerabilities, allowing a remote unauthenticated attacker bypass admin authentication and execute arbitrary commands on the appliance.

Case closed: DIVD-2024-00042 - Multiple critical vulnerabilities in Solarwinds Web Help Desk

Wed, 20 Nov 2024 01:00:00 +0100

The SolarWinds Web Help Desk software is affected by three critical vulnerabilities, allowing remote unauthenticated user to access internal functionality and run commands on the host machine.

Case closed: DIVD-2024-00041 - Progress Software WhatsUp Gold SQL Injection Authentication Bypass

Tue, 12 Nov 2024 01:00:00 +0100

A SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password

Case closed: DIVD-2024-00040 - Zimbra Collaboration (ZCS) vulnerable for RCE under specific conditions

Tue, 26 Nov 2024 01:00:00 +0100

The postjournal in Zimbra Collaboration (ZCS) sometimes allows unauthenticated users to execute commands

Case closed: DIVD-2024-00039 - Incorrect authorization vulnerability in Apache OFBiz resulting in RCE

Mon, 02 Dec 2024 01:00:00 +0100

In Apache OFBiz, version 18.12.14 and below, an Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in an attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.

Case update: DIVD-2024-00035 - 17 vulnerabilities in Iocharger devices

15 Aug 2024 02:00:00 +0200

Last event: 15 Aug 2024 - Time to full disclosure

Case closed: DIVD-2024-00033 - ServiceNow - unauthenticated remote code execution (RCE)

Wed, 18 Sep 2024 02:00:00 +0200

Multiple vulnerabilities have been found in ServiceNow. Combining these vulnerabilities could enable an unauthenticated user to remotely execute code within the context of the Now Platform

Case closed: DIVD-2024-00032 - Unauthenticated Remote Code Execution (RCE) vulnerability in Geoserver

Sat, 14 Sep 2024 02:00:00 +0200

Geoserver has a Remote Code Execution (RCE) vulnerability in evaluating property name expressions

Case closed: DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection

Thu, 03 Oct 2024 02:00:00 +0200

Multiple vulnerabilities have been found in the firmware of the Zyxel NAS devices NAS326 and NAS542. Those vulnerabilities allow an unauthenticated attacker to get full root access to the device.

Case closed: DIVD-2024-00028 - Local File Inclusion in SolarWinds U-Serv

Thu, 17 Oct 2024 02:00:00 +0200

SolarWinds U-Serv was susceptible to a Path Traversal vulnerability, resulting in a Local File Inclusion vulnerability that allows an attack to read sensitive information on the server.

Case closed: DIVD-2024-00025 - QNAP - OS command injection as Admin user possible via quick.cgi

Thu, 03 Oct 2024 02:00:00 +0200

Two OS command injection vulnerabilities via quick.cgi file are found in QNAP QTS, QuTS hero and QuTScloud software/firmware versions

Case closed: DIVD-2024-00024 - Multiple vulnerabilities found in the SOPlanning tool

Wed, 16 Oct 2024 02:00:00 +0200

In the SOPlanning Online Planning tool, multiple critical vulnerabilities were found, including an unauthenticated SQL injection. When the non-default public view setting is enabled, it results in several Remote Code Execution (RCE) vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to execute code on the underlying system and access the database.

Case closed: DIVD-2024-00016 - Command injection vulnerabilities in QNAP devices

Mon, 21 Oct 2024 02:00:00 +0200

Several (OS) command injection vulnerabilities are found in QNAP QTS, QuTS hero and QuTScloud software/firmware versions

Research of Wietse Boonstra and Hidde Smit featured in Follow the Money and at EenVandaag

Mon, 12 Aug 2024 00:00:00 +0200

On Monday the 12 Aug 2024, the Top Sector Energie has published a report about an investigation into the vulnerability of the Dutch Solar Power systems, performed by Secura at the request of Netherlands Enterprise Agency and Top Sector Energie.

The report concludes that the solar power sector in The Netherlands has a “significant attack surface that is most likely to grow in the future”. According to the report, the consequences of a cyber attack in the Dutch solar power sector are potentially disastrous and can result in possibly devastating effects, causing major economic, physical, and social disruptions.

The report also states that if we proceed with the current energy transition, we are moving away from Russian gas towards using ‘Chinese power’. The report of the Dutch Enterprise Agency has garnered significant attention in the Dutch media.

The Dutch online platform for independent investigative journalism “Follow The Money” has recently published a article about the investigation into vulnerabilities in Dutch Solar Power systems. The investigation was performed by Wietse Boonstra and Hidde Smit, both researchers of DIVD, in case DIVD-2024-00011.

On Tuesday, August 13, 2024, at 18:35 CEST, the Dutch Current Affairs TV show EenVandaag broadcasts an episode discussing the topic. In this episode, the researchers of DIVD demonstrated how they were able exploit the vulnerability and take control of a solar panel.

Case closed: DIVD-2024-00029 - VMware vCenter Server multiple heap-overflow vulnerabilities

Tue, 06 Aug 2024 02:00:00 +0200

The vCenter Server contains multiple heap-overflow vulnerabilities in the implementation of the DCERPC protocol

Case closed: DIVD-2024-00026 - Unauthenticated RCE in Rejetto HTTP File Server

Sat, 13 Jul 2024 02:00:00 +0200

In Rejetto HTTP File Server, version 2.3x up to 2.4 RC07, a vulnerability exists that allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. This vulnerability affects both the Windows and Wine versions.

Case closed: DIVD-2024-00023 - Authentication Bypass Vulnerability in Progress Telerik Report Server

Sat, 13 Jul 2024 02:00:00 +0200

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier on IIS, an unauthenticated attacker can exploit an authentication bypass vulnerability to access restricted functionality. Report Servers with a version 2024 Q1 (10.0.24.130) or earlier are vulnerable for an insecure deserialization attack to achieve full unauthenticated Remote Code Execution (RCE).

Case closed: DIVD-2024-00021 - Local File Inclusion in Check Point Security Gateway software

Tue, 16 Jul 2024 02:00:00 +0200

An unauthenticated local file inclusion vulnerability was present in Check Point Security Gateway software

Case closed: DIVD-2024-00020 - Authentication Bypass in GitHub Enterprise Server (GHES)

Thu, 20 Jun 2024 02:00:00 +0200

An authentication bypass vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML Single Sign-On authentication with the optional encrypted assertions feature.

Case update: DIVD-2024-00019 - Victim Notification Operation Endgame

30 May 2024 02:00:00 +0200

Last event: 30 May 2024 - DIVD sends out first notifications

Case closed: DIVD-2024-00018 - Out-Of-Bounds memory read vulnerability in Citrix Netscaler and Gateway

Sat, 13 Jul 2024 02:00:00 +0200

In Citrix Netscaler and Gateway products (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), an Out-Of-Bounds Memory Read vulnerability has been found by BishopFox. This vulnerability lets unauthenticated attackers obtain information from memory. However, it does not allow attackers to retrieve controlled information from memory.

Case closed: DIVD-2024-00015 - Remote Command Execution in CrushFTP

Sat, 01 Jun 2024 02:00:00 +0200

CrushFTP has a RCE vulnerability that can be exploited without authentication if anonymous web access is enabled

Case closed: DIVD-2024-00014 - Qlik Sense Remote Code Execution

Wed, 03 Jul 2024 02:00:00 +0200

Multiple unauthenticated remote code execution vulnerabilities in Qlik Sense

Case update: DIVD-2024-00011 - Six vulnerabilities in Enphase IQ Gateway devices

10 Aug 2024 02:00:00 +0200

Last event: 10 Aug 2024 - Limited disclosure of CVEs by DIVD following Enphase disclosure

Case closed: DIVD-2024-00008 - Authentication Bypass and Remote Code Execution in ConnectWise ScreenConnect

Sat, 01 Jun 2024 02:00:00 +0200

Successful exploitation of CVE-2024-1708 and CVE-2024-1709 allows an unauthenticated attacker to bypass the authentication and execute remote code or directly impact confidential data or critical systems.

Case update: DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP

01 Jun 2024 02:00:00 +0200

Last event: 01 Jun 2024 - Case closed

Case closed: DIVD-2024-00002 - Account takeover vulnerability in Gitlab CE/EE

Sat, 01 Jun 2024 02:00:00 +0200

Gitlab CE/EE critical account takeover vulnerability

Case closed: DIVD-2023-00039 - VMware vCenter Server RCE

Mon, 22 Jul 2024 02:00:00 +0200

VMware has released security updates for vCenter Server that could result in Remote Command Execution.

Case closed: DIVD-2023-00028 - SQL Injection in MOVEit Transfer - CVE-2023-36934

Mon, 22 Jul 2024 02:00:00 +0200

A new SQL Injection vulnerability has been found in MOVEit Transfer.

Case closed: DIVD-2023-00010 - Remote Code Execution in Microsoft Exchange Server

Mon, 22 Jul 2024 02:00:00 +0200

Remote Code Execution vulnerability was found and fixed in Microsoft Exchange Server, the DIVD is scanning for vulnerable systems and notifying owners of vulnerable systems

Case closed: DIVD-2022-00064 - Multiple injection vulnerabilities identified within Axiell Iguana CMS

Mon, 22 Jul 2024 02:00:00 +0200

Multiple injection vulnerabilities have been identified within Axiell Iguana CMS, each of which can lead to compromise of the system.

Case update: DIVD-2022-00061 - KNXNet/IP gateways often left open to the internet

01 Jun 2024 02:00:00 +0200

Last event: 01 Jun 2024 - Case closed

Case update: DIVD-2022-00055 - Server Management Interfaces security issues

01 Jun 2024 02:00:00 +0200

Last event: 01 Jun 2024 - Case closed.

Case closed: DIVD-2022-00052 - Multiple vulnerabilities is Cloudflow software

Sun, 21 Jul 2024 02:00:00 +0200

DIVD is scanning for parties vulnerable to CVE-2022-41216 and CVE-2022-41217

DIVD CSIRT performs victim notification for Operation Endgame

Thu, 30 May 2024 00:00:00 +0200

As part of our core task “Analyzing databases with leaked credentials and reporting to the organisations or people who are compromised to take appropriate measures.”, we are collaborating with the Dutch National Police on notifying victims of data that is obtained in Operation Endgame.

Operation Endgame is the largest (international) police operation against botnet operators to date. It involves amongst others the Smokeloader, IcedId, Pikabot, SystemBC and Bumblebee botnets. During this operation, victim data for millions of individuals across tens of thousands of organizations have been obtained.

We are running a large effort to send a notification email to each of the victims and all of the organizations alongside actions to take for remediation.

More information can be found in the case file for DIVD-2024-00019.

We would like to congratulate the Dutch Police and their counterparts in Germany, France, Denmark, the United States and the United Kingdom as well as Europol and Eurojust on a successful operation.

Case closed: DIVD-2023-00035 - Remote Code Execution in Juniper Networks SRX- and EX-Series

Mon, 06 May 2024 02:00:00 +0200

By chaining multiple vulnerabilities an attacker is able to execute arbitrary code or commands via specifically crafted requests.

DIVD CSIRT Congratulates Project Melissa

Thu, 25 Apr 2024 00:00:00 +0200

The DIVD CSIRT wants to congratulate all participants of Project Melissa on the recent success in notifying (potential) victims of a vulnerability in Qlik Sense and the prevention of more Cactus ransomware victims.

It was our honor and pleasure to work together with all of you and we are looking forward to further collaboration in the future.

Case closed: DIVD-2024-00013 - Palo Alto PAN-OS Command Injection Vulnerability in GlobalProtect

Tue, 23 Apr 2024 02:00:00 +0200

A command injection vulnerability has been discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software

Case closed: DIVD-2024-00010 - Unauthenticated Command Injection In Progress Kemp LoadMaster

Tue, 23 Apr 2024 02:00:00 +0200

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Case closed: DIVD-2024-00009 - Authentication Bypass in JetBrains TeamCity

Thu, 28 Mar 2024 01:00:00 +0100

Successful exploitation of CVE-2024-27198 and CVE-2024-27199 allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.

Case closed: DIVD-2024-00006 - Authentication Bypass in JetBrains TeamCity

Thu, 28 Mar 2024 01:00:00 +0100

Successful exploitation of CVE-2024-23917 allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.

Case closed: DIVD-2024-00005 - Remote code execution in FortiOS

Thu, 15 Feb 2024 01:00:00 +0100

A new RCE vulnerability in FortiOS SSL VPN could lead to full compromise of your system.

Case closed: DIVD-2024-00001 - Auth. Bypass and Command Injection in Ivanti VPN appliance

Mon, 12 Feb 2024 01:00:00 +0100

Ivanti warns of an authentication bypass and command injection exploited by threat actors in its Connect Secure and Policy Secure products.

Case closed: DIVD-2023-00045 - Confluence RCE Vulnerability In Confluence Data Center and Confluence Server

Sun, 14 Apr 2024 02:00:00 +0200

Confluence Data Center and Server RCE vulnerability allow an authorized user, including one with anonymous access, to inject unsafe user input into a Confluence page

Case closed: DIVD-2023-00042 - Confluence improper authorization vulnerability

Sun, 14 Apr 2024 02:00:00 +0200

Confluence Data Center and Server allow unauthorized users to set Confluence in setup mode leading to the possibility to create administrator accounts that have the capabilities for RCE

Case closed: DIVD-2023-00040 - Critical F5 BIG-IP unauthenticated RCE Vulnerability

Thu, 09 Nov 2023 01:00:00 +0100

This vulnerability (CVE-2023-46747) may allow an unauthenticated adversary with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.”

Case closed: DIVD-2023-00038 - Global Cisco IOS-XE (CVE-2023-20198) Implants

Fri, 01 Dec 2023 01:00:00 +0100

An unknown threat actor is using a recent authentication bypass vulnerability (CVE-2023-20198) on Cisco IOS-XE to backdoor Cisco appliances worldwide.

Case closed: DIVD-2023-00037 - Security Feature Bypass in MinIO

Thu, 30 Nov 2023 01:00:00 +0100

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket, resulting in compromise of the server.

Case closed: DIVD-2023-00036 - Authentication Bypass in JetBrains TeamCity

Sat, 16 Dec 2023 01:00:00 +0100

Successful exploitation of CVE-2023-42793 allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution attack and gain administrative control of the server.

Case closed: DIVD-2023-00034 - API Authentication Bypass Vulnerability in Ivanti Sentry

Tue, 26 Sep 2023 02:00:00 +0200

Ivanti Sentry has an API authentication bypass vulnerability with CVSS 9.8. System owners are advised to limit access to port 8443.

Case closed: DIVD-2023-00033 - Citrix systems exploited with CVE-2023-3519

Tue, 26 Sep 2023 02:00:00 +0200

DIVD is notifying owners of exploited Citrix ADC and Gateway systems, based on scanning data obtained from Fox-IT.

Case closed: DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205

Fri, 11 Aug 2023 02:00:00 +0200

Both vulnerabilities allow an attacker to bypass the product feature that restricts external access to the ColdFusion Administrator.

Case closed: DIVD-2023-00031 - Ivanti MobileIron vulnerable for CVE-2023-35078

Tue, 26 Sep 2023 02:00:00 +0200

DIVD is notifying owners of vulnerable Ivanti MobileIron

Case closed: DIVD-2023-00030 - Citrix systems vulnerable for CVE-2023-3519

Mon, 24 Jul 2023 02:00:00 +0200

DIVD is notifying owners of vulnerable Citrix ADC and Gateway systems, based on scanning data obtained from Fox-IT.

Case closed: DIVD-2023-00029 - Critical Fortinet SSL-VPN RCE Vulnerability

Tue, 26 Sep 2023 02:00:00 +0200

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Case closed: DIVD-2023-00027 - Ignite Realtime Openfire auth bypass - CVE-2023-32315

Wed, 06 Sep 2023 02:00:00 +0200

Ignite Realtime Openfire version 3.10.0 through 4.6.8 (excluded) and 4.7.0 to 4.7.5 (excluded) are vulnerable to a Path traversal vulnerability

Case closed: DIVD-2023-00025 - Multiple vulnerabilities in Danfoss AK-SM800A

Wed, 20 Dec 2023 01:00:00 +0100

Danfoss AK-SM800A has multiple web-related vulnerabilities. It is advised to install the provided patch.

Case closed: DIVD-2023-00024 - SQL injection in GeoServer - CVE-2023-25157

Tue, 26 Sep 2023 02:00:00 +0200

GeoServer has a critical SQL injection vulnerability.

Case closed: DIVD-2023-00023 - SQL injection in MOVEit Transfer - CVE-2023-34362

Thu, 27 Jul 2023 02:00:00 +0200

MOVEit Transfer has a critical SQL injection vulnerability that is actively exploited for data theft.

Case closed: DIVD-2023-00022 - OS command injection vulnerability of Zyxel firewalls

Wed, 20 Dec 2023 01:00:00 +0100

Zyxel has released patches for an OS command injection vulnerability found by TRAPA Security and urges uses to install them for optimal protection.

Case closed: DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100

Wed, 20 Dec 2023 01:00:00 +0100

Danfoss AK-EM 100 has multiple web-related vulnerabilities. It is advised to phase out this product, as this product is End of Life.

Case closed: DIVD-2023-00017 - Cisco Small Business Router Authentication Bypass

Tue, 26 Sep 2023 02:00:00 +0200

Cisco RV016, RV042, RV042G and RV082 contain an authentication bypass vulnerability.

Case closed: DIVD-2023-00011 - FortiNAC and FortiWeb RCE Vulnerability

Wed, 20 Dec 2023 01:00:00 +0100

Fortinet has released security updates for its FortiNAC and FortiWeb products to fix two critical vulnerabilities.

Case closed: DIVD-2023-00009 - Cisco RV Series Remote Command Execution

Fri, 04 Aug 2023 02:00:00 +0200

Cisco RV340, RV340W, RV345 and RV345P contain a Remote Command Execution vulnerability.

Case closed: DIVD-2022-00065 - Multiple Critical Vulnerabilities in multiple Zyxel EOL devices

Thu, 20 Jul 2023 02:00:00 +0200

Based on disclosure by Sec Consult, DIVD performed scans of end of life device impacted by multiple vulnerabilities.

Case closed: DIVD-2022-00048 - Dossier Energy Transition

Mon, 01 Apr 2024 02:00:00 +0200

In this dossier we are tracking cases and other findings related to the global energy transition

Limited disclosure of 6 vulnerabilities in OSNexus Quantastor

Mon, 10 Jul 2023 00:00:00 +0200

The story of DIVD case DIVD-2021-00020 is a story that started more then 1.5 years ago, when DIVD researcher Wietse Boondsta discovered six vulnerabilities ( CVE-2021-42079, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, and CVE-2021-4066 ) in OSNexus Quantastor.

As per our CNA policy we tried to contact the vendor and this was not a smooth ride. We started the process in November 2021 and it took us a lot of effort, and help from NCSC-NL and its US partners to finally, on the 12th of November 2022, get confiormation that our report was received and that these vulnerabilities would be addressed.

When OSNexus released version 6.0.0.533 of their product on 22 Nov 2022 of which they stated that these vulnerabilities would be fixed, we had good hopes to close this case, but it turned out that only two of the six vulnerabilities were fixed CVE-2021-42080 and CVE-2021-42083.

We again tried to address the remaining vulnerabilities with OSNexus and again we were unable to get a reply from, or any kind of dialog with the vendor.

In line with our CNA policy we are now at a point where we feel that a limited disclosure of these vulnerabilities and a product warning is in order.

If you are using any version of OSNexus QuantaStor we strongly recommend that you make sure it can only be accessed from trusted networks or by trusted individuals, as it may or may not contain Server Side Request Forgery (SSRF), Remote Command Execution and Local Privilege Escalation vulnerabilities that can be combined to fully own the device.

We strongly hope that OSNexus will reach out to us (via csirt@divd.nl) so we can work together to fix these vulnerabilities, but until that time we see disclosing these vulnerabilities and this product warning as our only option to make sure adminisrators can take the required measures.

For more information see:

Case closed: DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524

Fri, 07 Jul 2023 02:00:00 +0200

Apache Superset, up to and including 2.0.1 vulnerable to bypass that can lead to an RCE.

Case closed: DIVD-2023-00020 - PaperCut MF/NG Authentication Bypass

Wed, 10 May 2023 02:00:00 +0200

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut MF/NG 22.0.5 (Build 63914).

Case closed: DIVD-2023-00016 - GLPI Remote Code Execution

Thu, 25 May 2023 02:00:00 +0200

GLPI version below 9.5.9 & 10.0.3 are vulnerable to Remote Code Execution

Case closed: DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products

Wed, 05 Apr 2023 02:00:00 +0200

Vulnerable Jira Service Management Server and Data Center versions allow an attacker to impersonate another user and gain access under certain circumstances.

Case closed: DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex

Thu, 20 Apr 2023 02:00:00 +0200

IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Case closed: DIVD-2023-00007 - Global VMware ESXi Ransomware Attack

Tue, 18 Apr 2023 02:00:00 +0200

Criminals are attacking VMware ESXi servers vulnerable to CVE-2021-21974 worldwide to deploy ransomware.

Case closed: DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero

Wed, 22 Mar 2023 01:00:00 +0100

QNAP has released an advisory for devices running QTS 5.0.1 and QuTS hero h5.0.1. Those devices might be vulnerable for code injection.

Case closed: DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine

Mon, 17 Apr 2023 02:00:00 +0200

Use of outdated Apache Santuario library in Zoho ManageEngine causes an unauthenticated RCE vulnerability by sending a malicious SAML response.

Case closed: DIVD-2023-00001 - Citrix systems vulnerable for CVE-2022-27510 and/or CVE-2022-27518

Wed, 24 May 2023 02:00:00 +0200

Based on scanning data obtained from Fox-IT, DIVD is notifying owners of vulnerable Citrix ADC and Gateway systems

Case closed: DIVD-2022-00068 - Multiple vulnerabilities identified within White Rabbit Switch from CERN

Wed, 31 May 2023 02:00:00 +0200

Multiple vulnerabilities have been identified in White Rabbit Switch from CERN. Leveraging these vulnerabilities could allow an attacker to compromise the system.

Case closed: DIVD-2022-00063 - Memory overflow vulnerability in FortiOS SSL VPN

Wed, 31 May 2023 02:00:00 +0200

DIVD is scanning for parties vulnerable to CVE-2022-42475

Case closed: DIVD-2022-00060 - Command Injection vulnerability in Bitbucket Server and Data Center

Mon, 13 Mar 2023 01:00:00 +0100

DIVD is scanning for parties vulnerable to CVE-2022-43781

Case closed: DIVD-2022-00058 - ZK Framework - ZK AuUploader Servlet Upload Vulnerability

Sun, 21 May 2023 02:00:00 +0200

DIVD is scanning for parties vulnerable to CVE-2022-36537.

Case closed: DIVD-2022-00056 - Critical authentication bypass affecting Fortigate products

Wed, 05 Apr 2023 02:00:00 +0200

DIVD is scanning for parties vulnerable to CVE-2022-40684

Case closed: DIVD-2022-00054 - ProxyNotShell - Microsoft Exchange SSRF and RCE

Mon, 10 Apr 2023 02:00:00 +0200

DIVD is scanning for parties vulnerable to CVE-2022-41040 and CVE-2022-41082 (nicknamed ProxyNotShell).

Case closed: DIVD-2022-00042 - Canon print portals facing the internet

Wed, 05 Apr 2023 02:00:00 +0200

Easily accessible Canon print portals facing towards the internet can lead to full access to the administration interface of the printer.

Case closed: DIVD-2022-00038 - Vulnerable Oracle WebLogic Server

Tue, 07 Mar 2023 01:00:00 +0100

Patch vulnerable Oracle WebLogic servers immediately as some versions are vulnerable for an Local File Inclusion Attack, which causes secrets and sourcecode to be readable by malicious attackers. DIVD is actively notifying owners of vulnerable systems

Case closed: DIVD-2022-00020 - Inproper input validation vulnerabilities identified within Feathers.js

Sat, 27 May 2023 02:00:00 +0200

Inproper input validation vulnerabilities are identified in Feathers.js, these can result in SQL-injection on the system.

Case closed: DIVD-2022-00017 - Global Healthcare Vulnerabilities

Wed, 01 Mar 2023 01:00:00 +0100

DIVD is researching vulnerabilities in healthcare services globally and notifying these services.

Case closed: DIVD-2021-00014 - Kaseya Unitrends

Wed, 05 Jul 2023 02:00:00 +0200

Users of on-premise Kaseya Unitrends are advised to not expose this service directly to the internet

DIVD’s response regard the involvement of a DIVD volunteer in a major data theft case

Fri, 24 Feb 2023 00:00:00 +0100

On Thursday, February 23, at around 5:00 PM, news broke of the arrest of three young Dutch hackers in connection with a significant data theft and extortion case. One of them was an active volunteer for DIVD in the past year. We are deeply shocked by the facts that have come to light.

The mission of DIVD is to make the internet safer. The allegations against the volunteer are entirely at odds with this mission. It should be clear that we had no knowledge of any criminal activities by the volunteer, nor did we suspect he was involved in such activities.

As soon as we learned of his arrest, we formed a crisis team, blocking the volunteer’s account and denying him access to DIVD systems. Shortly after that, we launched an internal investigation to determine if DIVD knowledge or resources were used in violation of the DIVD code of conduct. No concrete evidence of such abuse was found. DIVD is not part of the police investigation, and they have not requested us for any data.

Volunteering for DIVD as a helpful hacker is never compatible with cybercrime. We have suspended the volunteer’s membership.

More than 100 volunteers are active as helpful hackers at DIVD. They have all endorsed our code of conduct. Anyone who violates this code is immediately suspended and is no longer welcome at DIVD. We have accomplished a great deal together over the past years, and we are very sorry that the actions of one volunteer have now cast a shadow on our work.