Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
2024-05-07 17:07

Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution flaw.

Cisco warned at the time that, despite its efforts to alert Tinyproxy's developers to the critical flaw, it received no response and no patch was available for users to download. On Saturday, Censys reported seeing 90,000 internet-exposed Tinyproxy services online, of which about 57% were vulnerable to CVE-2023-49606.

The Tinyproxy maintainer disputed that Cisco properly disclosed the bug, stating they never received the report via the project's requested disclosure channels.

"This is a quite nasty bug, and could potentially lead to RCE - though I haven't seen a working exploit yet," continued the Tinyproxy maintainers.


News URL

https://www.bleepingcomputer.com/news/security/over-50-000-tinyproxy-servers-vulnerable-to-critical-rce-flaw/