Multiple new vulnerabilities are being exploited by hackers in recent days, prompting alarm from experts worried about how they will be used by cybercriminals and nation states.

Over the last week, vulnerabilities affecting tech giants including Apple, VMware, Atlassian, Fortra, Apache and others have been highlighted both by cybersecurity experts and government agencies like the Cybersecurity and Infrastructure Security Agency (CISA).

On Tuesday, CISA echoed warnings from Apple that CVE-2024-23222 — a vulnerability affecting several versions of iPhones and iPads — is being exploited by cybercriminals.

The vulnerability is the first zero-day announced by Apple in 2024 — the company patched 20 zero-days last year. The bug allows hackers to execute code on a victim’s device.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” Apple said on Tuesday.

CISA ordered all federal civilian agencies to patch the bug by February 13.

That order came on the same day that cybersecurity researchers raised alarms about the latest vulnerability affecting Fortra’s GoAnywhere file transfer software, which was at the center of controversy last year when a Russian ransomware gang used a different issue with the tool to attack dozens of companies and governments.

In an advisory published on Monday, Fortra said CVE-2024-0204 was discovered in December and allows an attacker to create an admin user account through the administration portal — giving them widespread access to a victim’s system.

The company urged customers to patch the vulnerability and noted that it carries a 9.8 CVSS severity score, indicating that it is a critical vulnerability.

In a statement to Recorded Future News, the company said they “have no reports of active exploitation in the wild regarding this CVE.”

They also shared a letter that was sent to customers in December warning about the vulnerability and providing detailed guidance about how customers can resolve the issue.

Atlassian and Apache attacks

Hackers were recently revealed to be actively attacking two vulnerabilities affecting products from Atlassian and Apache.

Researchers at Greynoise observed steep spikes in attempts to exploit CVE-2023-22527 — a vulnerability Atlassian announced last week that affects Confluence Data Center and Confluence Servers.

Atlassian said the vulnerability carries the highest possible severity score of 10 and urged customers to patch it as soon as possible.

Experts at Shadowserver said they have seen over 600 different IP addresses attempting to exploit the more than 11,000 instances that are exposed to the internet.

Cyber defenders raised similar concerns with a relatively old vulnerability affecting Apache products that cybercriminals began exploiting this weekend.

According to findings from cybersecurity firm Trustwave, a surge in attacks exploiting CVE-2023-46604 in Apache ActiveMQ hosts. Apache ActiveMQ is widely-used software that helps applications communicate with each other and share data.

“Since a proof of concept of the exploit was made publicly available in October 2023, threat actors have been using it to deploy crypto-miners, rootkits, ransomware, and remote access trojans,” the company said in a blog post.

CISA said the vulnerability was exploited as far back as November and forced all federal civilian agencies to address the issue by November 23. Incident responders at the time reported that hackers using the HelloKitty ransomware were behind a campaign to exploit CVE-2023-46604.

In the latest campaign outlined by Trustwave, hackers are using the bug to infiltrate systems and deploy tools that allow them to fully control a system.

Mandiant and CISA warn of VMware attacks

Another popular tool is facing attacks this week, according to CISA and incident responders at Google-owned cybersecurity firm Mandiant.

Mandiant warned last week that an espionage group tied to the Chinese government has been exploiting CVE-2023-34048 — an issue affecting VMware vCenter Servers. The vulnerability was disclosed in October but VMware updated the advisory last Wednesday to confirm that it was seeing exploitation attempts.

Mandiant said that in its investigation of the issue, it discovered Chinese espionage hackers have been exploiting it as far back as 2021. The company said the hackers had a window of about a year and a half to exploit the issue before VMware became aware of it.

Researchers at Censys said they have seen hundreds of systems that may be vulnerable to the issue.

CISA added the bug to its Known Exploited Vulnerabilities catalog on Monday, giving federal civilian agencies until February 12 to patch it.