CISA has added a critical ScienceLogic vulnerability to its Known Exploited Vulnerabilities Catalog - even though the exact nature of the bug remains undisclosed.
At the end of September, it emerged that a zero-day remote code execution bug with a CVSS score of 9.3 was lurking in a third-party component packaged with ScienceLogic SL1 (formerly EM7).
Now tracked as CVE-2024-9537, the bug was linked to a Rackspace outage in September, which brought down the cloud-hosting firm's monitoring dashboard.
Neither ScienceLogic nor CISA has named the third-party component in which the vulnerability sits - meaning that somewhere upstream is a bug that has already been exploited in the wild and that could be used in further attacks, potentially against other products that bundle the same component.
CISA wrote: "ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component."
The vulnerability has been addressed in SL1 versions 12.1.3+, 12.2.3+, and 12.3+, and fixes are also available for the older 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x version lines.
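For administrators triaging an SL1 estate against the version list above, the following is an added example (not ScienceLogic's tooling) that classifies an SL1 version string. The fixed floors for the 12.x lines are taken from the article; for the 10.1.x, 10.2.x, 11.1.x, 11.2.x and 11.3.x lines the article says a fix exists but gives no build number, so those are flagged for manual verification rather than guessed. Any version line the article does not mention is reported as having no fix listed.

```python
"""Triage an SL1 version string against the fixed releases named in the article.

Added example, not vendor code. Assumptions: SL1 versions are dotted
numerics (major.minor[.patch]); "12.3+" is read as 12.3.0 and later.
"""
import re
from typing import Tuple

# Fixed floors stated in the article, keyed by (major, minor) version line.
FIXED_FLOORS = {
    (12, 1): (12, 1, 3),
    (12, 2): (12, 2, 3),
}
# Everything from 12.3.0 upward is listed as fixed ("12.3+").
FIXED_FROM = (12, 3, 0)
# Lines for which the article says a fix exists but gives no build number.
OLDER_PATCHED_LINES = {(10, 1), (10, 2), (11, 1), (11, 2), (11, 3)}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse '12.2.3' or '12.3' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", s)
    if not m:
        raise ValueError(f"unrecognised SL1 version: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version: str) -> str:
    """Return one of: fixed, vulnerable, patch-available-verify-build, no-fix-listed."""
    v = parse_version(version)
    if v >= FIXED_FROM:
        return "fixed"
    line = v[:2]
    if line in FIXED_FLOORS:
        return "fixed" if v >= FIXED_FLOORS[line] else "vulnerable"
    if line in OLDER_PATCHED_LINES:
        # The article confirms a fix for this line but not the exact build;
        # check the vendor advisory for the minimum patched release.
        return "patch-available-verify-build"
    return "no-fix-listed"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("sl1-a", "12.1.2"), ("sl1-b", "12.2.3"),
                      ("sl1-c", "12.4.0"), ("sl1-d", "11.2.5"), ("sl1-e", "12.0.1")]:
        print(f"{host}\t{ver}\t{triage(ver)}")
```

The check is deliberately strict: a version line the article does not list is not assumed safe, and the older lines return a distinct status so they are not silently counted as patched.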
A ScienceLogic spokesperson told The Stack: "Last month, we identified a zero-day remote code execution vulnerability within the SL1 package. As part of standard procedures, the Cybersecurity and Infrastructure Security Agency (CISA) has published CVE-2024-9537.
"ScienceLogic has been in contact with all our customers to provide remediation and remains available to provide support as customers request."
On September 24, 2024, Rackspace first reported an issue with its Rackspace Monitoring product in the ScienceLogic EM7 (ScienceLogic SL1) Portal.
It was then revealed that a threat actor had exploited an undocumented zero-day vulnerability in a utility bundled with the ScienceLogic application.
Andres Ramos, a threat intelligence researcher with Arctic Wolf, said the decision to avoid naming the third-party component was taken to "avoid giving potential threat actors any insights" because "the utility may be used in other products as well."
"The threat actor has not yet been linked to any known groups at this time," Arctic Wolf wrote.
The attackers reportedly exploited the zero-day to break into web servers and access customer monitoring data, including usernames, account names and numbers, device IDs, names and information, IP addresses, and AES256-encrypted Rackspace internal device agent credentials.
Rackspace has since rotated the internal device agent credentials and said there was no customer disruption during the incident, which it states has not impacted other "products, platforms, solutions, or businesses."