CVE-2023-29059

Опубликовано: 30 мар. 2023

Источник: nvd

CVSS3: 7.8

EPSS Низкий

Описание

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.

Ссылки

https://cwe.mitre.org/data/definitions/506.html
Technical Description
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
Exploit
Technical Description
Third Party Advisory
https://www.3cx.com/blog/news/desktopapp-security-alert/
Vendor Advisory
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
Exploit
Third Party Advisory
https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised
Exploit
Third Party Advisory
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
Exploit
Third Party Advisory
https://cwe.mitre.org/data/definitions/506.html
Technical Description
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
Exploit
Technical Description
Third Party Advisory
https://www.3cx.com/blog/news/desktopapp-security-alert/
Vendor Advisory
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
Exploit
Third Party Advisory
https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised
Exploit
Third Party Advisory
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:3cx:3cx:18.11.1213:*:*:*:*:macos:*:*

cpe:2.3:a:3cx:3cx:18.12.402:*:*:*:*:macos:*:*

cpe:2.3:a:3cx:3cx:18.12.407:*:*:*:*:macos:*:*

cpe:2.3:a:3cx:3cx:18.12.407:*:*:*:*:windows:*:*

cpe:2.3:a:3cx:3cx:18.12.416:*:*:*:*:macos:*:*

cpe:2.3:a:3cx:3cx:18.12.416:*:*:*:*:windows:*:*

EPSS

Процентиль: 52%

0.00288

Низкий

7.8 High

CVSS3

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-m2q7-9c76-qc45

CVSS3: 7.8

github

почти 3 года назад

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

BDU:2023-02044

CVSS3: 5.5

fstec