Vulnerabilities in Ivanti products, AVTECH IP cameras, and WordPress plugins have recently been among the dozens of attempted exploits detected by Cyble honeypot sensors.
The attack attempts were detailed in the threat intelligence company’s weekly sensor intelligence reports to clients. The Cyble reports have also examined persistent attacks against Linux systems and network and IoT devices, as threat actors scan for vulnerable devices for ransomware attacks and add to DDoS and crypto mining botnets. The reports have also examined banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.
Here are some of the recent attack campaigns covered in the Cyble sensor reports. Users could be vulnerable to attack if affected product versions aren’t patched and mitigated.
Ivanti Vulnerabilities
Here are some of the vulnerabilities targeted in recent attack attempts detected by Cyble sensors.
CVE-2024-22024 is an XML External Entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways. This vulnerability allows an attacker to access certain restricted resources without authentication.
CVE-2024-7593 is a vulnerability in Ivanti Virtual Traffic Manager (vTM) that enables a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.
AVTECH IP Camera Command Injection Vulnerability
Exploiting this vulnerability (CVE-2024-7029) could enable an attacker to inject and execute commands with the process owner’s privileges. The vulnerability has been used to spread the Corona Mirai botnet variant and was the subject of a CISA ICS advisory. Cyble sensors have detected steady attacks against this vulnerability since it was first reported.
XWiki Remote Code Execution Vulnerability
A critical vulnerability in the XWiki Platform tracked as CVE-2025-24893 allows unauthenticated remote code execution (RCE) through the SolrSearch macro. Attackers can exploit this flaw to execute arbitrary Groovy code on affected servers, potentially resulting in data breaches, privilege escalation, and full system compromise.
SQL Injection Vulnerability in Zabbix Server Audit Log
CVE-2024-22120 is a vulnerability in Zabbix Server where the “clientip” field in the Audit Log is not properly sanitized. This could allow an attacker to inject SQL commands, potentially exploiting the system through time-based blind SQL injection.
Apache OFBiz Pre-Auth RCE Vulnerability
CVE-2024-38856 affects Apache OFBiz up to version 18.12.14, potentially allowing remote, unauthenticated attackers to execute arbitrary code. The vulnerability stems from incorrect authorization, where specific endpoints don’t properly check user permissions, potentially leading to unauthorized screen rendering and exploitation. Upgrading to version 18.12.15 is strongly recommended.
WordPress Plugin Vulnerabilities
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to a PHP Object Injection vulnerability in all versions up to and including 3.14.1 due to the deserialization of untrusted input from the ‘give_title’ parameter. This vulnerability (CVE-2024-5932) could allow unauthenticated attackers to inject a PHP Object and, with a present POP chain, execute remote code and delete arbitrary files.
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to an arbitrary file upload vulnerability in all versions up to and including 1.22.21 due to missing file type validation in the UploadHandler.php file and the absence of direct file access prevention. This vulnerability (CVE-2024-8856) could allow unauthenticated attackers to upload arbitrary files to the affected site’s server, potentially leading to remote code execution.
OSGeo GeoServer GeoTools Eval Injection Vulnerability
CVE-2024-36401 identifies a critical RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, though it may impact functionality.
VICIdial Unauthenticated SQL Injection
An unauthenticated attacker can leverage a time-based SQL injection vulnerability (CVE-2024-8503) in the VICIdial contact center solution to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
SPIP Unauthenticated RCE Vulnerability
The porte_plume plugin used by the SPIP publishing system before versions 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability (CVE-2024-7954). This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary PHP code as the SPIP user by sending a specially crafted HTTP request.
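As an added example (not code from the Cyble report), the following Python helper encodes the affected-version ranges quoted above for Apache OFBiz, GiveWP, WP Time Capsule and GeoServer, so an inventory of installed versions can be triaged against them; the ADVISORIES table and the sample inventory are constructed from the figures on this page, and the rule format is an assumption of this example.

```python
"""Triage installed versions against the affected ranges stated in the advisories above."""

def parse_version(v: str) -> tuple:
    """'18.12.14' -> (18, 12, 14); a non-numeric part such as 'alpha2' ends parsing."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits or not piece.startswith(digits):
            break
        parts.append(int(digits))
    return tuple(parts)

# Each rule: (release-branch prefix, comparison, boundary). An empty prefix matches any
# branch; "le" means "up to and including", "lt" means "prior to". Branch-specific
# rules are listed first so they win over the catch-all rule for a product.
ADVISORIES = {
    "CVE-2024-38856 Apache OFBiz": [((), "le", "18.12.14")],
    "CVE-2024-5932 GiveWP": [((), "le", "3.14.1")],
    "CVE-2024-8856 WP Time Capsule": [((), "le", "1.22.21")],
    "CVE-2024-36401 GeoServer": [
        ((2, 23), "lt", "2.23.6"),
        ((2, 24), "lt", "2.24.4"),
        ((2, 25), "lt", "2.25.2"),
        ((), "lt", "2.23.6"),  # older branches are all prior to the first fixed release
    ],
}

def is_affected(cve: str, installed: str):
    """True if the installed version falls in the affected range, False if not,
    None if no rule covers that release branch (verify manually)."""
    v = parse_version(installed)
    for prefix, op, boundary in ADVISORIES[cve]:
        if v[:len(prefix)] != prefix:
            continue
        b = parse_version(boundary)
        return v <= b if op == "le" else v < b
    return None

def triage(inventory):
    """inventory: list of (cve, installed_version) -> dict of status per entry."""
    labels = {True: "affected", False: "patched", None: "unknown"}
    return {(cve, ver): labels[is_affected(cve, ver)] for cve, ver in inventory}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("CVE-2024-38856 Apache OFBiz", "18.12.14"),
              ("CVE-2024-36401 GeoServer", "2.24.3"),
              ("CVE-2024-36401 GeoServer", "2.25.2")]
    for entry, status in triage(sample).items():
        print(entry, status)
```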
Cyble researchers recommend the following security controls:
The high volume of attack attempts detected by Cyble sensors means that organizations must remain vigilant in the face of constant threats against both new and older vulnerabilities, patching quickly and applying mitigations where patching isn’t possible.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.
To access full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.