Advisory

Versa Networks fixes actively exploited vulnerability in Director platform

Take action: If you are running the Versa Networks Director platform, make sure its management ports are accessible only from local networks and apply Versa's hardening instructions. Make sure your administrators are very cautious about malware on their endpoints and phishing attacks. Then patch the platform, since all other mitigating measures will eventually fail.



Versa Networks has patched a high-severity vulnerability in the Versa Director platform that is actively exploited in the wild. The flaw, tracked as CVE-2024-39717 (CVSS score 7.2), is an unrestricted file upload vulnerability in the "Change Favicon" feature of the Versa Director GUI. It allows attackers with administrator privileges to upload malicious files disguised as PNG images. The vulnerability affects users with “Provider-Data-Center-Admin” or “Provider-Data-Center-System-Admin” privileges, who may unintentionally expose their systems if proper system hardening and firewall guidelines are not followed.

The issue was exploited by an Advanced Persistent Threat (APT) actor, believed to be the Chinese-backed group Volt Typhoon, which is known for targeting critical infrastructure. The group used this flaw to deploy custom web shells and harvest credentials to infiltrate downstream networks of managed service providers (MSPs) and internet service providers (ISPs). The exploitation is believed to have been ongoing since at least June 12, 2024.

Affected versions: Versa Director versions prior to 22.1.4.

The commonly used attack vector is management ports left exposed by a lack of system hardening and misconfigured firewall settings, combined with weak credentials or phishing.

Versa Networks initially warned customers on July 26, 2024, to review firewall settings and issued an advisory about the zero-day on August 9, 2024. The company emphasized that customers who implemented proper system hardening measures and followed firewall guidelines, available since 2015 and 2017, were not impacted.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-39717 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies secure their systems by September 13, 2024.

Organizations using Versa Director are advised to implement Versa’s recommended hardening and firewall measures, apply the latest updates to patch the vulnerability, and review the /var/versa/vnms/web/custom_logo/ directory for suspicious files.
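
One way to triage that directory, as an added example (not code from Versa or from this advisory): the Python script below treats every file as an expected PNG, an assumption based on the uploads being disguised as PNG images, and reports any file whose signature, chunk CRCs or IHDR/IEND structure do not hold. The function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example: flag files in a logo directory that are not well-formed PNGs."""
import struct
import sys
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"                  # fixed 8-byte PNG signature
LOGO_DIR = "/var/versa/vnms/web/custom_logo/"   # path named in the advisory


def check_png(data: bytes) -> str:
    """Return 'ok' or a short reason the bytes are not a clean PNG."""
    if not data.startswith(PNG_SIG):
        return "bad signature"
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):                # 12 = length + type + CRC fields
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return "truncated chunk"
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:     # CRC covers type and data
            return "bad chunk CRC"
        if first and ctype != b"IHDR":
            return "first chunk is not IHDR"
        first = False
        pos = end
        if ctype == b"IEND":                    # nothing may follow IEND
            return "ok" if pos == len(data) else "data after IEND"
    return "no IEND chunk"


def scan(directory: str) -> dict:
    """Map each regular file under directory to a finding; clean PNGs are omitted."""
    findings = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            verdict = check_png(path.read_bytes())
            if verdict != "ok":
                findings[str(path)] = verdict
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else LOGO_DIR
    for name, why in scan(target).items():
        print(f"{name}: {why}")
```

A structurally valid PNG can still carry unwanted data inside its chunks, so an empty result does not clear the host; also compare file names and modification times against the logos your administrators actually uploaded.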

Update - A Chinese state-sponsored hacking group has been observed using a zero-day exploit to infiltrate at least two US internet service providers (ISPs), managed service providers (MSPs) and IT sectors since at least June 12, 2024.
