A vulnerability affecting the ThreatSonar Anti-Ransomware product of Taiwan-based cybersecurity firm TeamT5 has been exploited in the wild, the US cybersecurity agency CISA warned on Tuesday.
CISA added the ThreatSonar Anti-Ransomware flaw, tracked as CVE-2024-7694, to its Known Exploited Vulnerabilities (KEV) catalog and instructed federal agencies to address it by March 10.
TeamT5’s website indicates that the company’s threat intelligence and protection solutions are used in the United States, Japan, and Taiwan, including by government agencies.
This could explain why CISA added the vulnerability to its KEV list, which focuses on security holes that could pose a threat to US government organizations.
CVE-2024-7694 is a high-severity arbitrary file-upload issue affecting TeamT5’s ThreatSonar Anti-Ransomware product. The issue was patched in August 2024.
“ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system command on the server,” reads an advisory published at the time of patching by Taiwan’s TWCERT/CC.
Based on TWCERT/CC’s note that admin privileges are required for exploitation, the flaw has likely been chained with a different vulnerability.
There appears to be no public information on attacks involving CVE-2024-7694, but the fact that the affected product comes from a Taiwanese cybersecurity firm and serves government clients naturally raises the possibility of involvement by China-linked threat actors, although this remains entirely speculative without supporting evidence.
SecurityWeek has reached out to both TeamT5 and TWCERT/CC for comment on the attacks and will update this article if they respond. However, the responses may be delayed due to the Lunar New Year in Taiwan.
UPDATE, February 24: TeamT5 and TWCERT have responded to SecurityWeek. TeamT5 has published a blog post clarifying that it’s not aware of any customers still running a vulnerable version of its software.
In addition, TeamT5 confirmed for SecurityWeek that Chinese APTs are likely behind the attacks, but noted that all the attacks occurred back in 2024. SecurityWeek has published a follow-up article with additional clarifications.
Related: Dell RecoverPoint Zero-Day Exploited by Chinese Cyberespionage Group
Related: Singapore: Rootkits, Zero-Day Used in Chinese Attack on Major Telecom Firms
Related: China Revives Tianfu Cup Hacking Contest Under Increased Secrecy
Related: Web Hosting Firms in Taiwan Attacked by Chinese APT for Access to High-Value Targets
