The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant vulnerability in Microsoft COM for Windows, tracked as CVE-2018-0824, to its Known Exploited Vulnerabilities (KEV) catalog. This deserialization of untrusted data vulnerability, with a CVSS score of 7.5, poses a substantial risk by enabling remote code execution. The vulnerability arises when an application deserializes data from an untrusted source without proper validation, potentially allowing attackers to execute arbitrary code.
A recent advisory from Microsoft highlighted the dangers associated with this vulnerability. In an email attack scenario, an attacker could send a specially crafted file to the user, convincing them to open it, thereby triggering the exploit. Similarly, in a web-based attack, an attacker could host or compromise a website to contain the malicious file, tricking the victim into visiting the site and executing the file. Both scenarios underline the critical need for organizations to secure their systems against such threats.
The vulnerability has already been exploited by the China-linked APT41 group in a campaign targeting a Taiwanese government-affiliated research institute. According to Cisco Talos researchers, this campaign began in July 2023 and involved the deployment of ShadowPad malware, Cobalt Strike, and other post-exploitation tools. APT41 created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, achieving local privilege escalation and facilitating further malicious activities.
To mitigate the risk associated with this vulnerability, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies address CVE-2018-0824 by August 26, 2024, as per Binding Operational Directive (BOD) 22-01. CISA also recommends that private organizations review the KEV catalog and take necessary actions to secure their infrastructure. Addressing this vulnerability is crucial to protecting networks from potential exploitation and ensuring overall cybersecurity resilience.
Reference:
