Actively Exploited ServiceNow and Acronis Vulnerabilities Pose Significant Threats to Government and Private Sectors

ServiceNow Vulnerabilities

In a critical update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), three newly identified security flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. These vulnerabilities, primarily targeting the ServiceNow Now Platform and Acronis ACI servers, present significant risks to both government agencies and private enterprises.

Two of the flaws, CVE-2024-4879 and CVE-2024-5217, are both rated critical with CVSS scores above 9. These input validation vulnerabilities reside in the Vancouver and Washington DC releases of ServiceNow’s widely used platform.

On July 10, 2024, ServiceNow released security updates addressing these critical issues, along with an additional flaw, CVE-2024-5178. When exploited together, these vulnerabilities can grant threat actors full access to databases and MID servers within an organization’s internal network. MID servers act as proxy servers, facilitating connections between internal networks and the ServiceNow cloud, which makes them prime targets for exploitation.

Assetnote researchers, who first discovered CVE-2024-4879, published a detailed analysis on July 11, 2024. Their report triggered a wave of activity on GitHub, where threat actors quickly leveraged the disclosed information to develop and share working exploits. According to Resecurity, these exploits were rapidly incorporated into bulk network scanners, leading to a surge in exploitation attempts.

Imperva, a leading cybersecurity firm, reported observing over 6,000 exploitation attempts. Resecurity’s monitoring identified multiple victims, including government agencies, data centers, energy providers, and software development firms, all of whom suffered data theft attacks due to these vulnerabilities.

Adding to the urgency is CVE-2023-45249, an unauthenticated remote code execution vulnerability with a CVSS score of 9.8, affecting Acronis ACI servers. This flaw, which can be exploited with a low-complexity attack that requires no user interaction, has been actively exploited in the wild. Last week, Acronis issued a security advisory urging immediate patching of this critical vulnerability to prevent potential breaches.

Acronis stressed the importance of installing the latest security updates, warning administrators that the vulnerability is known to be exploited and poses a significant risk to unpatched systems.

In light of the escalating threat, CISA has issued a dire warning, strongly recommending that federal agencies apply patches for all three vulnerabilities by August 19, 2024. The urgency underscores the severity of the situation and the potential for widespread damage.
