Week in Review: Five Zero-Days, One Pattern — Edge Devices Are the Front Line
This week's SITREP: Cisco IOS XE, Citrix Bleed, the Ivanti Connect Secure chain, PAN-OS GlobalProtect, and Outlook's MonikerLink bug — plus what's still active in the CISA KEV catalog and what to watch next.
- Five vulnerabilities this desk profiled this week share a common shape: perimeter and edge devices (firewalls, VPN gateways, network OS) remain the preferred initial-access vector for both nation-state and ransomware actors
- Citrix Bleed (CVE-2023-4966) and the Ivanti Connect Secure chain (CVE-2023-46805 / CVE-2024-21887) both demonstrate that patching alone is not remediation — stolen sessions and deployed implants can survive a patch
- Cisco IOS XE's CVE-2023-20198 and Palo Alto Networks' CVE-2024-3400 were both exploited as true zero-days, before any patch existed — underscoring that 'patch on release day' is necessary but not sufficient
- Outlook's MonikerLink (CVE-2024-21413) shows the other major attack surface: a single click on a crafted link that bypasses Protected View, no macro or attachment required
- CISA's Known Exploited Vulnerabilities catalog remains the single best low-noise signal for prioritization — every CVE in this week's coverage is KEV-listed or has confirmed in-the-wild exploitation
This week’s desk coverage profiled five distinct vulnerabilities, but they share one structural theme worth naming up front: the devices and applications sitting at the network edge or handling the first click of a phishing chain remain the most consistently exploited targets, regardless of vendor.
Top stories this week
Cisco IOS XE Web UI Zero-Day — A maximum-severity privilege-escalation flaw in IOS XE’s web management interface, CVE-2023-20198, was exploited at mass scale before Cisco’s patch shipped. Independent scans found tens of thousands of compromised devices within days. The lesson administrators took away: disable internet-facing web management wherever it isn’t strictly required, and check for implants specifically — patching does not remove a backdoor already installed.
Citrix Bleed Explained — CVE-2023-4966 let attackers pull live session tokens directly from NetScaler ADC and Gateway memory, hijacking authenticated sessions without ever touching a password or MFA prompt. Ransomware-affiliated actors used it against multiple large enterprises. Critically, the patch alone didn’t help organizations that failed to also kill existing sessions — old tokens stayed valid.
The Ivanti Connect Secure Chain — CVE-2023-46805 and CVE-2024-21887, chained together, gave a suspected nation-state actor unauthenticated remote code execution on Ivanti’s VPN gateways for weeks before patches existed — severe enough that CISA issued an emergency directive ordering federal agencies to disconnect affected appliances outright.
PAN-OS GlobalProtect Zero-Day — CVE-2024-3400, a root-level command-injection flaw in Palo Alto Networks’ GlobalProtect feature, was exploited in the wild before disclosure by an actor deploying a custom backdoor dubbed UPSTYLE. When the firewall itself is the compromised device, the entire perimeter-security model is undermined.
Outlook’s MonikerLink Bug — CVE-2024-21413 is the odd one out on this list: not confirmed exploited pre-disclosure, but a near-zero-friction trigger (one click on a crafted link) that bypassed Outlook’s Protected View sandbox entirely. Patched in February 2024’s Patch Tuesday.
Also on the radar
A handful of additional CVEs from earlier in the year remain relevant context for this week’s coverage and are tracked on our KEV tracker:
- CVE-2023-22515 — Atlassian Confluence’s broken-access-control flaw, which handed out admin accounts to unauthenticated attackers before Atlassian’s October 2023 fix.
- CVE-2024-27198 — JetBrains TeamCity’s authentication-bypass bug, a reminder that CI/CD infrastructure compromise threatens the entire downstream software supply chain.
- CVE-2023-28771 — A Zyxel firewall command-injection flaw that Mirai-variant botnets weaponized within weeks of disclosure, the kind of bug that thrives on unmanaged consumer and SMB edge hardware.
- CVE-2023-34362 — The MOVEit Transfer SQL injection flaw behind one of 2023’s largest mass data-theft campaigns, exploited by the Clop ransomware group before a patch existed.
What to watch next week
- Whether any of this week’s five CVEs see new exploitation techniques or expanded KEV catalog deadlines as more telemetry comes in from affected vendors.
- Patch-adoption telemetry for PAN-OS and Ivanti customers — both vendors published mitigation options for organizations that can’t immediately apply the full patch.
- Any new CISA KEV catalog additions; we track new entries within 24 hours of publication.
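A KEV cross-check of the kind the desk leans on above (prioritizing by catalog listing, and watching for entries added in the last 24 hours), written here as an added example for this digest; it is not the desk's own tooling. The field names follow CISA's published KEV JSON, but the sample feed, its dates and the fixed "today" are constructed so the script runs offline.

```python
import json
from datetime import date, timedelta

# Constructed KEV-style feed for offline use. Field names follow CISA's
# published JSON (cveID, dateAdded, dueDate, knownRansomwareCampaignUse);
# the dates and flags here are made up, not real catalog data.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2024-03-10", "dueDate": "2024-03-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2024-03-19", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
]})
TODAY = date(2024, 3, 20)  # constructed "today" so the run is reproducible

def load_kev(feed_json):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(inventory, kev, today):
    """Order our environment's CVEs for remediation: KEV entries first (most
    overdue first, ransomware-linked breaking ties), then non-KEV CVEs."""
    rows = []
    for cve in inventory:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "days_to_due": None, "ransomware": False})
            continue
        due = date.fromisoformat(entry["dueDate"])  # negative days_to_due means overdue
        rows.append({"cve": cve, "in_kev": True, "days_to_due": (due - today).days,
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    return sorted(rows, key=lambda r: (not r["in_kev"],
                                        r["days_to_due"] if r["in_kev"] else 0,
                                        not r["ransomware"]))

def added_since(kev, today, days=1):
    """CVE IDs added to the catalog within the last `days` days; days=1 is
    the 'new entries within 24 hours' check."""
    cutoff = today - timedelta(days=days)
    return sorted(c for c, v in kev.items() if date.fromisoformat(v["dateAdded"]) >= cutoff)

if __name__ == "__main__":
    # Constructed inventory; CVE-2024-21413 is deliberately left out of the
    # sample feed above to exercise the not-listed branch.
    kev = load_kev(SAMPLE_KEV)
    for row in triage(["CVE-2024-21413", "CVE-2024-3400", "CVE-2023-46805", "CVE-2023-4966"], kev, TODAY):
        print(row)
    print("added in the last 24h:", added_since(kev, TODAY))
```

Pointing `load_kev` at the real catalog download and `today` at the current date turns this into a daily check; the ordering puts past-due KEV entries ahead of everything else.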
Tip the desk
Source, document, or context on any vulnerability we’re tracking — or one we should be? Reach us at contact@0daynews.com or, for sensitive coordinated-disclosure matters, takedown@0daynews.com.
— The 0day News desk