Security News > 2021 > July > Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack
Attackers are actively exploiting a critical, pre-authorization remote-code execution vulnerability in the popular Access Management platform from digital identity management firm ForgeRock.
On Monday morning, the Cybersecurity and Infrastructure Security Agency warned that the vulnerability could enable attackers to execute commands in the context of the current user.
ForgeRock said in an updated security advisory that the flaw doesn't affect Access Management 7 and above.
Within hours of Stepankin's post on June 29, ForgeRock released a workaround and advisory to its customers to protect them from the vulnerability.
Even in solutions designed for authentication, you can find a big attack surface available without any auth.
Marcus Hartwig, manager of security analytics at cybersecurity firm Vectra, told Threatpost on Monday that identity and access management platforms like OpenAM are "Always ripe targets for attackers since they allow attackers to access multiple downstream applications federated with the solution."
News URL
https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/
Related news
- Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack (source)
- CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks (source)
- Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP (source)
- CISA warns critical SolarWinds RCE bug is exploited in attacks (source)
- CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks (source)
- RCE bug in widely used Ghostscript library now exploited in attacks (source)
- RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks (source)
- Critical Windows licensing bugs, plus two others under attack, top Patch Tuesday (source)
- PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks (source)
- Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments (source)