Connect with us

Hi, what are you looking for?



Vulnerabilities in CUSG CMS Exposed Credit Unions to Attacks

Three vulnerabilities in CU Solutions Group CMS exposed 275 credit unions to credential theft, account takeover.

Three vulnerabilities in the CU Solutions Group (CUSG) content management system (CMS) could have been exploited by hackers in attacks aimed at credit unions, cybersecurity consulting firm LMG Security reports.

CUSG provides technology and services tailored to credit unions, including a CMS solution that automates content management and usage traffic without technical expertise.

According to LMG Security, CUSG CMS iterations prior to version 7.75 are impacted by three critical vulnerabilities that could allow an attacker to obtain ‘ultra admin’ privileges, thus gaining access to any credit union account that is not protected by multi-factor authentication (MFA).

The first issue, tracked as CVE-2023-48985, is described as a reflected cross-site scripting (XSS) bug in the admin portal login page that could allow an unauthenticated attacker to intercept login credentials.  

The second flaw, also a reflected XSS defect, is tracked as CVE-2023-48986 and could allow an attacker with access to a low-privileged account to elevate their privileges and “perform unintended actions within the admin portal”.

The third vulnerability, tracked as CVE-2023-48987, is a blind SQL injection bug in the admin portal that could be exploited by an authenticated attacker to “gain full read/write access to the backend database”.

An attacker with low privileges could exploit the flaw to dump a table containing the usernames and hashed passwords for CUSG’s administrative accounts, including the password for the ‘ultra admin’ account, a vendor backdoor account that provides access to all CMS installations globally.

For each CMS customer, the table is populated upon installation and an attacker only needs to hack one CUSG customer’s CMS environment to access all other environments, LMG Security notes, adding that “the password hashes in this table are exceptionally easy to crack”.

Advertisement. Scroll to continue reading.

According to LMG Security, an unauthenticated attacker could chain CVE-2023-48985 and CVE-2023-48987 to obtain login credentials to the CMS and then gain ‘ultra admin’ privileges, allowing them to compromise any organization not using MFA.

“Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the ‘ultra admin’ password from logging into their CUSG CMS application portal,” LMG Security consultant Emily Gosney notes.

LMG Security says it reported the vulnerabilities to CUSG in October 2023, and that fixes might have been included in CUSG CMS version 7.75.

CUSG says the vulnerabilities were resolved on October 28, two days after receiving LMG Security’s report, “without client impact or exposure”. The company is notifying 275 credit unions that rely on its CMS of these vulnerabilities.

Related: ESET Patches High-Severity Privilege Escalation Vulnerability

Related: Zoom Patches Critical Vulnerability in Windows Applications

Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.