U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Roughly 500,000 Ubiquiti devices may be affected by flaw already exploited in the wild

Security experts identified nearly 500,000 Ubiquit devices that may be affected by a vulnerability that has already been exploited in the wild. Security experts are warning Ubiquit users of a vulnerability that has already been exploited in the wild. Last week, the researcher Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed that […]

ubiquiti vulnerable

Security experts identified nearly 500,000 Ubiquit devices that may be affected by a vulnerability that has already been exploited in the wild.

Security experts are warning Ubiquit users of a vulnerability that has already been exploited in the wild.

Last week, the researcher Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed that threat actors had been targeting Ubiquiti installs exposed online. Remote attackers were targeting the networking devices exposed via a discovery service accessible on UDP port 10001.

According to the expert, the devices are affected by a DoS flaw that attackers were attempting to trigger.

The vulnerability is not a novelty in the security and Ubiquiti communities, in June the issue was discussed in a thread on the Ubiquiti forums where users were warning of a possible exploit used in the wild.

Now security experts at Rapid7 revealed that they were monitoring suspicious traffic destined for port 10001 for at least one year.

Ubiquiti is aware of the issue and is currently working on a firmware update that will address it anyway it is trying to downplay it.

“There has been some discussion lately about a bug in airOS which can result in management access to airOS devices becoming inoperable until these devices are rebooted. This issue appears to be caused by external access to airOS devices using port 10001. As a temporary workaround for this issue while it is being investigated and resolved by the development team, network operators can block port 10001 at the network perimeter.” reads the advisory published by Ubiquit.

“To our current knowledge, this issue cannot be used to gain control of network devices or to create a DDoS attack.” 

Waiting for a fix, Ubiquiti recommends blocking UDP port 10001, but this solution could have a disruptive effect on some services.

Scanning the Internet for vulnerable devices using the Rapid7’s Sonar project, experts found roughly 490,000 devices exposed online. Most of the vulnerable Ubiquiti devices are located in Brazil, followed by the United States, and Spain.

ubiquiti vulnerable

“By decoding the responses, we are able to learn about the nature of these devices and clues as to how or why they are exposed publicly.” continues Rapid7. For example, by grouping by the model names returned by these responses, we see big clusters around all sorts of Ubiquiti models/devices:”

Productn
NanoStation172,563
AirGrid131,575
LiteBeam43,673
PowerBeam40,092

The analysis of the names of the device revealed that in 17,000 cases they contain the string “HACKED-ROUTER-HELP-SOS,” a circumstance that suggests that they have already been hacked by exploiting other vulnerabilities.

Rapid7 reported its findings to US-CERT, CERT Brazil, and of course Ubiquiti.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – hacking, Ubiquiti)

[adrotate banner=”5″]

[adrotate banner=”13″]