Security News > 2024 > May > Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution flaw.
Cisco warned at the time that despite its efforts to alert Tinyproxy's developers of the critical flaw, it received no response, and no patch was available for users to download. On Saturday, Censys reported seeing 90,000 internet-exposed Tinyproxy services online, of which about 57% were vulnerable to CVE-2023-49606.
The Tinyproxy maintainer disputed that Cisco properly disclosed the bug, stating they never received the report via the project's requested disclosure channels.
"This is a quite nasty bug, and could potentially lead to RCE - though i haven't seen a working exploit yet," continued the Tinyproxy maintainers.
HPE Aruba Networking fixes four critical RCE flaws in ArubaOS. New Ivanti RCE flaw may impact 16,000 exposed VPN gateways.
Over 1,400 CrushFTP servers vulnerable to actively exploited bug.
News URL
Related news
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
- HPE Aruba Networking fixes four critical RCE flaws in ArubaOS (source)
- Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks (source)
- Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002) (source)
- Critical GitHub Enterprise Server Flaw Allows Authentication Bypass (source)
- GitHub Enterprise Server patches 10-outta-10 critical hole (source)
- TP-Link fixes critical RCE bug in popular C5400X gaming router (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-05-01 | CVE-2023-49606 | A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. | 9.8 |