August 26, 2024

China’s Volt Typhoon Hackers Caught Exploiting Zero-Day in Servers Used by ISPs, MSPs

Security researchers at Lumen Technologies have identified Chinese APT group Volt Typhoon leveraging a newly discovered zero-day vulnerability in Versa Director servers to compromise credentials and infiltrate downstream customer networks.
The critical vulnerability, CVE-2024-39717, was recently added to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of mandatory patches. Versa Networks confirmed the active exploitation of the zero-day and issued a warning that attackers could exploit the Versa Director graphical user interface (GUI) to deploy malware on vulnerable systems.
Versa Director servers are pivotal for managing network configurations in environments using SD-WAN software and are widely utilized by ISPs and MSPs. This makes them an attractive target for adversaries aiming to infiltrate enterprise network management systems.
Versa Networks acknowledged a confirmed case of exploitation, citing a customer’s failure to implement firewall guidelines issued in 2015 and 2017. This oversight enabled attackers to exploit the vulnerability without requiring access to the GUI. Versa’s statement indirectly attributed the breach to configuration errors by affected organizations.
