Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware

Trend Micro researchers observed vulnerability CVE-2022-29464 being exploited in the wild since April; it allows unrestricted file uploads that result in arbitrary remote code execution (RCE). Disclosed and patched in April, the security gap was rated Critical with a CVSS score of 9.8 and affects a number of WSO2 products. Exploitation requires neither user interaction nor administrative privileges, and the flaw can be used to infiltrate networks when left unpatched.

The vulnerability in WSO2 products was disclosed on April 18 by a user named Orange Tsai, and subsequently given its respective CVE ID and patched. On April 20, a GitHub user with the handle “hakkivi” published a proof of concept for the exploit, and we observed exploit attempts against affected environments the next day. Approximately a week later, a Metasploit module for the affected environments was available. The gap specifically affects WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above.

Source: Trend Micro