
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a deserialization of untrusted data vulnerability in Microsoft COM for Windows, tracked as CVE-2018-0824 (CVSS score 7.5), to its Known Exploited Vulnerabilities (KEV) catalog.
A deserialization of untrusted data vulnerability arises when an application reconstructs objects from data it received from an untrusted source without validating it first, so that attacker-controlled input decides which code runs during unmarshaling. For CVE-2018-0824, an attacker can trigger the flaw by luring the victim to a website, typically via a link, and convincing them to open a specially crafted file; successful exploitation runs code in the security context of the current user.
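The following Python block is an added illustration of the bug class described above, not code from the article, from Microsoft, or from the COM marshaling layer behind CVE-2018-0824. It uses Python's pickle as a stand-in serializer: a constructed payload whose `__reduce__` hook runs an attacker-chosen callable the moment it is loaded, the naive loader that falls for it, and a hardened loader that allow-lists the one class the application legitimately expects. The `record` function, `Gadget`, `Session` and the payloads are all assumptions made up for the demo.

```python
"""Insecure deserialization, illustrated with Python's pickle.

Added example for the article: a generic demonstration of deserialization of
untrusted data, not the Microsoft COM code behind CVE-2018-0824. Payloads
and sample data are constructed inline so the block runs offline.
"""
import io
import pickle
from dataclasses import dataclass

# Side-effect sink so the demo can prove the gadget ran without doing harm.
EXECUTED = []


def record(marker: str) -> str:
    """Stand-in for attacker-chosen code (think os.system or subprocess)."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Attacker object: __reduce__ tells pickle to call record() on load.

    A real gadget would name os.system or similar; the shape is the same.
    """

    def __reduce__(self):
        return (record, ("gadget-ran",))


@dataclass
class Session:
    """The one type the application legitimately expects to deserialize."""
    user: str
    roles: list


def build_malicious_payload() -> bytes:
    """Constructed attacker input: a pickle stream carrying the gadget."""
    return pickle.dumps(Gadget())


def build_legit_payload() -> bytes:
    """Constructed benign input: a serialized Session."""
    return pickle.dumps(Session(user="alice", roles=["reader"]))


def vulnerable_load(data: bytes):
    """Deserializes untrusted bytes as-is: the gadget runs before any check."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only globals on the allow-list may be resolved.

    Every class or function referenced by the stream goes through find_class,
    so blocking it here stops the gadget before its callable is ever looked up.
    """

    ALLOWED = {(Session.__module__, "Session")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_hardened_load(data: bytes):
    """Returns (True, obj) on success, (False, reason) when a global is blocked."""
    try:
        return True, hardened_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load(build_malicious_payload()), EXECUTED)
    print("hardened, malicious:", try_hardened_load(build_malicious_payload()))
    print("hardened, legit:", try_hardened_load(build_legit_payload()))
```

The allow-list is the point: the hardened loader never touches the attacker's callable, whereas the naive one has already executed it by the time `loads` returns. For untrusted input the stronger choice is to avoid object-graph serializers entirely and parse a data-only format such as JSON against a schema; the restricted unpickler is the mitigation for code that cannot change its wire format.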
Researchers from Cisco Talos reported that a China-linked group compromised a Taiwanese government-affiliated research institute.
Talos attributed the intrusion with medium confidence to APT41; the attackers deployed the ShadowPad malware, Cobalt Strike, and other post-exploitation tools on the compromised systems.
The researchers also found that APT41 built a custom loader that injects a proof-of-concept exploit for CVE-2018-0824 directly into memory. Although CVE-2018-0824 is classed as a remote code execution vulnerability, the group used it on hosts it had already compromised to escalate privileges locally.
CISA ordered federal agencies to patch this vulnerability by August 26, 2024.



