A Chinese cyber-espionage group, known as Volt Typhoon, has been exploiting a newly discovered security flaw in Versa Networks' SD-WAN Director servers. This zero-day vulnerability, identified as CVE-2024-39717, has already been used to infiltrate several organizations. Given the seriousness of this issue, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed it among known exploited vulnerabilities, urging immediate corrective actions.
The CVE-2024-39717 vulnerability impacts all versions of Versa Director released before version 22.1.4. The issue originates from a feature in the system's graphical user interface (GUI) that allows for customisation. Versa Director is a crucial part of Versa Networks' software-defined wide area networking (SD-WAN) solutions, which are used by ISPs, MSPs, and large corporations to manage network devices, route traffic, and enforce security policies. Unfortunately, this vulnerability enables attackers to steal user credentials, potentially leading to further attacks.
Dan Maier, Versa's Chief Marketing Officer, noted that this flaw could allow attackers to escalate privileges without authorization. Attackers can initially access Versa Director through high-availability management ports 4566 and 4570, particularly if these ports are left open to the internet. Once inside, they can gain administrator-level credentials, giving them complete control over the system. Maier emphasised that Versa has long advised customers to limit access to these critical ports to prevent such security breaches.
The vulnerability was first discovered by researchers at Lumen Technologies' Black Lotus Labs. They found that Volt Typhoon had been exploiting this flaw since at least June 2024. The attackers used small office/home office (SOHO) devices, a common tactic for this group, to infiltrate vulnerable Versa Director systems via the exposed management ports. After gaining access, the attackers deployed a custom web shell named "VersaMem" to capture plaintext user credentials and monitor the Apache Tomcat web server's incoming traffic.
On June 21, Lumen researchers informed Versa about the vulnerability, shortly after they believed Volt Typhoon started exploiting it. Versa responded by issuing advisories on July 26 and August 8, outlining steps to reduce the risk. By August 26, they had published a detailed security bulletin describing the flaw and providing guidance for customers to protect their systems.
At least five organisations, including four based in the United States, have been compromised due to this vulnerability. These organisations are primarily from the managed service provider, internet service provider, and IT sectors. Given the seriousness of the situation, CISA has mandated that federal agencies apply the necessary mitigations by September 13 or cease using the vulnerable technology until it is secured.
Although the vulnerability was rated as moderately severe with a CVSS score of 6.6 out of 10, Versa has highlighted the significant risks associated with it. While the vulnerability is complex to exploit and requires high-level privileges, it becomes much easier to exploit if the management ports are exposed. In such cases, attackers can upload unauthorized files and execute code via the VersaMem web shell, leading to severe security breaches.
Versa has strongly advised its customers to update their systems to the latest versions, which include security enhancements that make the software more resistant to attacks. They have also recommended following their system hardening and firewall guidelines to reduce the likelihood of exploitation.
The Volt Typhoon group’s exploitation of the CVE-2024-39717 vulnerability highlights the ongoing threat posed by state-backed cyber actors. Although Versa has patched the vulnerability, organizations using Versa Director must act quickly to secure their systems and prevent further breaches. This incident serves as a reminder of the importance of keeping software updated and securing all network entry points to defend against sophisticated cyber threats.
