0day and Hitlist Week 01102024 Work

The Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerability (KEV) catalog during this week, effectively creating a "remediation hitlist" for federal agencies and enterprises. The updates highlighted active exploitation of older vulnerabilities that saw a resurgence in late 2023/early 2024.


Affected Software: ZK Framework versions 9.6.0 through 9.6.2 and 10.0.0
Severity: 9.8 (Critical)

On October 3rd, a security researcher in Vietnam uploaded a proof-of-concept for an authentication bypass affecting enterprise web applications built on ZK (a popular Java framework for ERP systems). The vulnerability allowed unauthenticated attackers to execute arbitrary code via crafted serialized objects in the RMI binding.
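The practical defender task behind an "Affected Software" line is turning the stated version range into a query against an asset inventory. The following is an added example, not code from the original article: it takes the ZK Framework ranges quoted above (9.6.0 through 9.6.2, and 10.0.0), compares versions numerically rather than as strings, and returns the hosts that need remediation. The inventory, hostnames and the advisory label are constructed placeholders.

```python
"""Flag inventory entries whose software falls in a published affected-version
range. Added example; the inventory and the advisory label are constructed
here and are not data from the original article."""
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.6.2' into (9, 6, 2) so versions compare numerically.

    Plain string comparison gets this wrong: '10.0.0' < '9.6.0' as strings,
    which would silently skip the newest affected release.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: str        # inclusive lower bound
    high: str       # inclusive upper bound
    advisory: str   # reference label; a placeholder in this example

    def contains(self, version: str) -> bool:
        return parse_version(self.low) <= parse_version(version) <= parse_version(self.high)


# Ranges taken from the "Affected Software" line above: ZK Framework
# 9.6.0 through 9.6.2 and 10.0.0. The advisory label is a placeholder.
AFFECTED = [
    AffectedRange("ZK Framework", "9.6.0", "9.6.2", "ZK-ADVISORY-PLACEHOLDER"),
    AffectedRange("ZK Framework", "10.0.0", "10.0.0", "ZK-ADVISORY-PLACEHOLDER"),
]

# Constructed asset inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "erp-portal-01.example.internal", "product": "ZK Framework", "version": "9.6.1"},
    {"host": "erp-portal-02.example.internal", "product": "ZK Framework", "version": "10.0.0"},
    {"host": "erp-portal-03.example.internal", "product": "ZK Framework", "version": "9.6.3"},
    {"host": "crm-web-01.example.internal", "product": "ZK Framework", "version": "10.0.1"},
    {"host": "intranet-01.example.internal", "product": "Other Framework", "version": "9.6.1"},
]


def triage(inventory, affected=AFFECTED):
    """Return (host, version, advisory) for every asset inside an affected range."""
    hits = []
    for asset in inventory:
        for rng in affected:
            if asset["product"] == rng.product and rng.contains(asset["version"]):
                hits.append((asset["host"], asset["version"], rng.advisory))
                break  # one hit per asset is enough for a remediation list
    return hits


if __name__ == "__main__":
    for host, version, advisory in triage(INVENTORY):
        print(f"{host}\t{version}\t{advisory}")
```

The numeric comparison is the point of the example: a string-based check would treat 10.0.0 as older than 9.6.0 and miss the host on the newest affected release. Version strings with a fourth component (for example 9.6.2.1) compare as greater than 9.6.2 and therefore fall outside the quoted range; if a vendor's patch release scheme uses such suffixes, extend the ranges accordingly.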

The Hitlist Connection: This 0day was immediately added to several hitlists targeting US healthcare providers still running legacy ERP portals.

Work Required for Defenders:

Affected Software: Windows Kernel-Mode Driver (WDM) versions 10.0.19041 to 10.0.22000
Severity: 8.1 (High) / 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

The first 0day of the week was reported by Microsoft's Threat Intelligence Center (MSTIC) on October 2nd. Exploitation chains observed in the wild used a malicious printer driver to escape Low Integrity Level sandboxes. The key nuance? This 0day bypassed Patch Tuesday's August mitigations for a related bug (CVE-2024-38124).

Work Required for Defenders:

Preparation:

Response:

For penetration testers authorized to use these exploits, the "work" involved context switching:

A hitlist, in the context of cybersecurity, is essentially a list of targets (IPs, domains, etc.) that attackers have identified as vulnerable. Targets are typically chosen on factors such as the presence of specific software vulnerabilities, the likelihood that a successful exploit yields valuable data or access, and the potential for financial gain through ransomware or other forms of cyber extortion.

The hitlist from 01102024 proved that attackers are moving away from generic ransomware toward strategic compromise. The inclusion of Git repositories and CRM systems indicates a shift toward "living off the land" for espionage, not just extortion.