Known Exploited Vulnerabilities Command Execution Capability Group

All Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CVE-2021-42237 | Sitecore XP Remote Command Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
CVE-2023-33246 | Apache RocketMQ Command Execution Vulnerability | secondary_impact | T1608.001 | Upload Malware |
CVE-2023-33246 | Apache RocketMQ Command Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
CVE-2023-33246 | Apache RocketMQ Command Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |

Comments (CVE-2023-33246; the same note applies to all three of its mappings)

This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. Because components such as NameServer, Broker, and Controller are exposed on the extranet and lack permission verification, remote command execution is possible. Attackers can also forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, Linux-based malware.

Capabilities

Capability ID | Capability Name | Number of Mappings
CVE-2021-42237 | Sitecore XP Remote Command Execution Vulnerability | 1
CVE-2023-33246 | Apache RocketMQ Command Execution Vulnerability | 3