A trusted security advisory has exposed the admin consoles of over a dozen IP devices.
A security advisory for a vulnerability published by MITRE has accidentally been exposing links to the remote admin consoles of over a dozen vulnerable IP devices, according to a report by BleepingComputer, which says the problem has been going on since at least April 2022.
BleepingComputer became aware of the issue yesterday after a tip-off from a reader who prefers to remain anonymous. The reader was baffled to see several links to vulnerable systems listed in the ‘references’ section of the CVE advisory.
CVE advisories published by MITRE get spread verbatim across a large number of public sources, feeds, infosec news sites and vendors providing data to their customers.
The ‘references’ section of these advisories typically lists links to the original source (a writeup, blog post or PoC demo) that explains the vulnerability. Including links to publicly exposed, unpatched systems instead points threat actors straight at those systems.
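Anyone consuming CVE data downstream can screen the references before republishing them. The script below is an added example written for this page, not code from BleepingComputer, MITRE or any CVE feed vendor. It reads a record in the shape of the CVE JSON 5.0 format (references live under containers.cna.references[].url) and flags URLs that look like live devices rather than writeups: an IP-literal host, an explicit non-default port, or a path typical of an embedded-device management UI. The sample record, its placeholder CVE ID, and the path keyword list are constructed for illustration; the real advisory discussed in the article is not reproduced.

```python
"""Flag CVE record references that look like live device consoles rather
than writeups or PoCs. Added illustration; the record below is constructed."""
import ipaddress
import json
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}
# Path segments typical of device management UIs (heuristic, assumed here).
CONSOLE_SEGMENTS = {"admin", "login", "setup", "cgi-bin", "manager", "config"}

# Constructed sample in the shape of a CVE JSON 5.0 record. The CVE ID is a
# placeholder and the hosts are documentation/example addresses, not the
# record or devices the article refers to.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "references": [
                {"url": "https://example.com/blog/camera-auth-bypass-writeup"},
                {"url": "https://github.com/example/poc/blob/main/exploit.py"},
                {"url": "http://203.0.113.10/cgi-bin/admin.cgi"},
                {"url": "http://198.51.100.7:8080/"},
                {"url": "http://[2001:db8::1]/setup.html"},
                {"url": "https://device-lab.example.net:10443/admin/login"},
            ]
        }
    },
})


def classify_reference(url: str) -> list[str]:
    """Return the reasons a reference URL looks like a live target (empty if none)."""
    parts = urlparse(url)
    reasons = []
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)          # accepts both IPv4 and IPv6 literals
        reasons.append("ip-literal host")
    except ValueError:
        pass  # a DNS name, which is what a writeup or PoC link normally carries
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        reasons.append(f"non-default port {parts.port}")
    # Compare the first part of each path segment (e.g. "admin.cgi" -> "admin").
    segments = {seg.split(".")[0].lower() for seg in parts.path.split("/") if seg}
    if segments & CONSOLE_SEGMENTS:
        reasons.append("admin-console path")
    return reasons


def suspicious_references(record_json: str) -> list[dict]:
    """Walk the CNA container's references and return the ones worth a second look."""
    record = json.loads(record_json)
    refs = record["containers"]["cna"].get("references", [])
    flagged = []
    for ref in refs:
        reasons = classify_reference(ref["url"])
        if reasons:
            flagged.append({"url": ref["url"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_references(SAMPLE_RECORD):
        print(hit["url"], "->", ", ".join(hit["reasons"]))
```

A hit is a prompt for a human to look, not proof that the link is a live device: a PoC hosted on a lab box will trip the same rules. The useful property is the opposite one, that a legitimate writeup on a normal web host with a normal path produces no hit, so the review queue stays short.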
An ironic twist of fate
BleepingComputer conducted some additional investigation into how this may have happened and reached out to MITRE as well as several security experts to find out whether this is a normal, or even acceptable, practice.
It isn’t unusual for security advisories to include a ‘references’ section with several links that validate the existence of a vulnerability. But such links normally lead to a proof of concept (PoC) demonstration or a writeup explaining the vulnerability, not to the vulnerable systems themselves.
Once a vulnerability is public, attackers use internet-wide search engines such as Shodan or Censys to hunt for and target exposed devices. That makes it particularly striking for a public security bulletin to list the locations of not one but several vulnerable devices that are still connected to the internet.
Because a large number of sources rely on MITRE and NIST’s NVD for their vulnerability feeds, the CVE advisory (redacted here) has already been syndicated by several vendors, public sources and services that provide CVE data.