CISA Warns of Unpatched ScienceLogic SL1 Active Exploit Following Zero-Day Attack

• An unpatched vulnerability affects ScienceLogic SL1, formerly known as EM7, potentially allowing remote code execution.
• CISA added the flaw to its Known Exploited Vulnerabilities catalog following the discovery of active zero-day exploitation.
• Meanwhile, updates are available for some newer versions, and users can also find patches for earlier versions.

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security vulnerability affecting ScienceLogic SL1, a widely used IT infrastructure monitoring and management platform, to its Known Exploited Vulnerabilities (KEV) catalog. This update follows reports of active zero-day exploitation.

The vulnerability, identified as CVE-2024-9537 with a CVSS v4 score of 9.3, is linked to an unspecified third-party component within ScienceLogic SL1. This flaw has the potential to allow remote code execution, posing a serious risk to affected systems. 

In response, updates have been released to address the issue in versions 12.1.3, 12.2.3, 12.3, and subsequent releases. Additionally, patches are available for earlier versions, such as 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x.

This exploitation incident follows cloud hosting provider Rackspace's acknowledgment of a related issue with the ScienceLogic EM7 Portal. Rackspace subsequently took its dashboard offline at the end of last month. 

According to a post by a user named ynezzor on X, the exploitation resulted in unauthorized access to three internal Rackspace monitoring web servers. Rackspace has confirmed that unauthorized access occurred and has reported the breach to all impacted customers.

Federal Civilian Executive Branch (FCEB) agencies are mandated to implement the necessary fixes by November 11, 2024, to mitigate potential threats to their networks.

Earlier this month, CISA also added another significant vulnerability affecting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb (CVE-2024-23113, CVSS score 9.8) to its KEV catalog based on evidence of active exploitation.

In July, security researchers noticed a new variant of the infamous Cactus malware abusing a known flaw in the Fortinet VPN client. The vulnerability permits authentication bypassing on the admin interface due to a faulty Apache HTTPD configuration.