Skip to main content
close search
site logo
Dive Brief

Yet again, threat actors exploit a critical file-transfer service CVE

File-transfer services are prime targets and vulnerabilities in the open source ownCloud mark the latest in a series of critical services under attack.

Published Dec. 1, 2023
Matt Kapko's headshot
Senior Reporter
Smiling businesswoman in headphones taking notes, working with laptop and talking smartphone, blue glowing information protection icons. Padlock, cloud and digital interface. Cyber security concept - stock photo
iStock via Getty Images

Dive Brief:

  • Threat actors are exploiting a critical vulnerability in the open source file-transfer service ownCloud that could reveal sensitive data, including admin passwords, mail server credentials and license keys, according to threat researchers. OwnCloud disclosed the vulnerability, CVE-2023-49103, Nov. 21 with a base CVSS rating of 10 out of 10.
  • The vulnerability was discovered by an external threat researcher in mid-September, patched by the company on Sept. 19 and customers were notified Sept. 20, a company spokesperson said Friday via email. “To our current knowledge, none of our customers were affected since we closed the security gap, updated our software and advised our customers how to secure their systems before the CVE was made public,” the spokesperson said. “No exploits are known at this time.”
  • Researchers contradict that assertion, noting threat actors started exploiting ownCloud instances on Nov. 25 and attempted exploits were observed as recently as Friday, according to data from Greynoise and the SANS Internet Storm Center. More than 11,000 ownCloud instances were exposed to the internet as of Monday, according to the Shadowserver Foundation.

Dive Insight:

The targeted attacks follow a concentrated and sustained period of malicious activity against file-transfer services. Progress Software’s MOVEit, Fortra’s GoAnywhere and IBM Aspera Faspex were hit by supply-chain attacks over a three-month span starting in March this year.

The ownCloud CVE impacts the Graph API app by exposing PHP environment configuration details. The vendor also disclosed an additional pair of CVEs, including a critical authentication bypass vulnerability and a subdomain validation bypass vulnerability.

The trio of vulnerabilities were disclosed the same day Kiteworks announced an agreement to merge with the Germany-based ownCloud and Dracoon, another file-sharing service for enterprises.

California-based Kiteworks said more than 3,800 global enterprises and government agencies use its content security and compliance platform. The concurrent mergers open new markets and customer bases for the company in German-speaking regions of Europe.

The critical vulnerability in ownCloud’s Graph API can expose “potentially sensitive configuration details that could be exploited by an attacker to gather information about the system,” ownCloud said.

Disabling the Graph API app does not eliminate the vulnerability. Users should change admin passwords, access keys, admin credentials and mail server credentials to mitigate the risk, ownCloud said.

The company said it disabled the “phpinfo” function in containers and plans to apply other fixes in future releases.

More than 600 enterprises and organizations use ownCloud, including European Investment Bank, European Commission, Wind River, the European Organization for Nuclear Research (CERN), Banco de Portugal and multiple Fortune 500 companies, the company said.

The Cybersecurity and Infrastructure Security Agency included the trio of ownCloud CVEs in its weekly vulnerability roundup on Monday.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell