Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution flaw.
Cisco warned at the time that despite its efforts to alert Tinyproxy's developers to the critical flaw, it received no response, and no patch was available for users to download. On Saturday, Censys reported seeing 90,000 internet-exposed Tinyproxy services online, of which about 57% were vulnerable to CVE-2023-49606.
The Tinyproxy maintainer disputed that Cisco properly disclosed the bug, stating they never received the report via the project's requested disclosure channels.
"This is a quite nasty bug, and could potentially lead to RCE - though I haven't seen a working exploit yet," continued the Tinyproxy maintainers.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-05-01 | CVE-2023-49606 | A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. | 9.8 |