// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of January 22, 2024
Signal Brief · Archived

Week of January 22, 2024

2024-01-22 — 2024-01-28 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of January 22, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 vuln disclosures, 2 research pocs. Vendors in the record this week: Broadcom (Symantec), Trend Micro, Splunk.

The Week's Public Record

Events

2024-01-26
vuln disclosure
CVE-2024-23617: Symantec Data Loss Prevention Stack Buffer Overflow Remote Code ExecutionCVE-2024-23617
A stack-based buffer overflow vulnerability in Symantec Data Loss Prevention for Windows allows unauthenticated remote code execution. Exploitation requires a user to open a crafted document, leading to high impact on confidentiality, integrity, and availability. The vulnerability affects versions up to 14.0.2 and has a CVSS v3.1 base score of 9.6.
Broadcom (Symantec) ↗ cve.armis.com (2024-01-26)
2024-01-25
research poc
Indirect Syscall Proof-of-Concept Published to Bypass EDR Userland HooksIndirect Syscall
A researcher published a C++ proof-of-concept demonstrating the indirect syscall technique to execute shellcode (calc.exe) while evading EDR userland hooks. The code is open-source under MIT license and serves as an educational resource for understanding syscall-based evasion.
2024-01-23
vuln disclosure
Trend Micro Apex One Security Agent Updater Link Following Local Privilege Escalation VulnerabilityCVE-2023-52094
A local privilege escalation vulnerability exists in the Trend Micro Apex One Security Agent updater due to improper link resolution. An attacker with low-privileged code execution can create a junction to abuse the updater and delete an arbitrary folder, leading to SYSTEM-level code execution. Trend Micro has released a patch to address this issue.
2024-01-22
research poc
Proof-of-Concept Tool 'etwunhook' Disables ETW by Overwriting NtTraceEvent Opcodeetwunhook
A proof-of-concept tool named 'etwunhook' was published on GitHub, demonstrating a method to disable Event Tracing for Windows (ETW) by overwriting the NtTraceEvent function in ntdll.dll with a return instruction. The technique uses indirect syscalls to bypass user-mode hooks and patch the function, effectively blinding security products that rely on ETW for telemetry. This PoC highlights a known evasion method and may aid red teams and attackers in avoiding detection.
2024-01-22
vuln disclosure
CVE-2024-23678: Splunk Enterprise for Windows Path Traversal and Unsafe DeserializationCVE-2024-23678
CVE-2024-23678 is a path traversal vulnerability in Splunk Enterprise for Windows that leads to unsafe deserialization of untrusted data. A local attacker can exploit improper path sanitization to trigger code execution with the privileges of the Splunk service. The vulnerability affects versions below 9.0.8 and 9.1.3.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →