CVE-2024-12902
📋 TL;DR
This vulnerability allows attackers to remotely log into ANCHOR virtual machines using default credentials on high-privilege service accounts. Organizations using ANCHOR from Global Wisdom Software on Windows virtual machines with unchanged default passwords are affected. The vulnerability stems from the underlying Windows OS configuration.
💻 Affected Systems
- ANCHOR from Global Wisdom Software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the virtual machine, allowing attackers to execute arbitrary code, steal sensitive data, pivot to other systems, and maintain persistent access.
Likely Case
Unauthorized remote access to the virtual machine, enabling credential harvesting, data exfiltration, and installation of malware or backdoors.
If Mitigated
Limited impact due to proper password management and network segmentation, though the vulnerability remains present.
🎯 Exploit Status
Exploitation requires knowledge of default credentials, which may be publicly available or guessable. No specialized tools needed beyond standard remote access protocols.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8315-e6069-2.html
Restart Required: No
Instructions:
1. Identify all ANCHOR virtual machines.
2. Change passwords for all high-privilege Windows service accounts to strong, unique passwords.
3. Implement regular password rotation policies.
4. Monitor for unauthorized access attempts.
🔧 Temporary Workarounds
Change Service Account Passwords
Windows: Change default passwords on all Windows service accounts used by ANCHOR virtual machines.
net user <username> <newpassword>
Set-LocalUser -Name '<username>' -Password (Read-Host -AsSecureString -Prompt 'New password')
Network Segmentation
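Windows: Restrict network access to ANCHOR virtual machines using firewalls or network security groups. The rule below allows inbound connections from the trusted addresses; it restricts access only when the default inbound action is Block and no broader allow rule covers the same traffic.
New-NetFirewallRule -DisplayName 'Allow ANCHOR VM Access From Trusted IPs' -Direction Inbound -RemoteAddress <trusted_ips> -Action Allow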
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IPs only.
- Enable detailed logging and monitoring for authentication attempts on service accounts.
🔍 How to Verify
Check if Vulnerable:
Check if Windows service accounts on ANCHOR VMs are using default or weak passwords via password audit tools or manual review.
Check Version:
No version-specific command; vulnerability is configuration-based. Check ANCHOR documentation or vendor for version details.
Verify Fix Applied:
Attempt to authenticate with old default credentials (in a controlled test) and verify failure. Confirm new strong passwords are in place.
📡 Detection & Monitoring
Log Indicators:
- Failed or successful logon events (Event ID 4625, 4624) for service accounts from unexpected sources
- Multiple authentication attempts from single IPs
Network Indicators:
- RDP, SMB, or other remote access protocol connections to ANCHOR VMs from unauthorized IPs
- Unusual outbound traffic from ANCHOR VMs
SIEM Query:
source="windows_security" (EventID=4625 OR EventID=4624) TargetUserName="*service*" | stats count by src_ip, TargetUserName
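The two log indicators above (service-account logons from unexpected sources, and multiple authentication attempts from a single IP) can be checked offline against exported Security-log records. The following is an added example, not part of the original page or any vendor tooling; the account name `svc_anchor`, the trusted range, the threshold and the sample events are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for illustration (not from the advisory): account name,
# trusted management range, and failure threshold.
SERVICE_ACCOUNTS = {"svc_anchor"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 3

# Constructed sample records using Security-log field names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_anchor", "IpAddress": "10.20.0.15"},
    {"EventID": 4625, "TargetUserName": "svc_anchor", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TargetUserName": "svc_anchor", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TargetUserName": "SVC_ANCHOR", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TargetUserName": "svc_anchor", "IpAddress": "-"},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.20.0.30"},
]

def is_trusted(ip):
    """True only if ip parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def analyze(events):
    """Return (rule, source_ip, detail) alerts for the two log indicators."""
    alerts, failures = [], Counter()
    for ev in events:
        if ev.get("EventID") not in (4624, 4625):
            continue
        ip = ev.get("IpAddress", "-")
        if ip in ("-", "", "::1", "127.0.0.1"):
            continue  # local logon, no remote source to evaluate
        user = ev.get("TargetUserName", "").lower()
        if ev["EventID"] == 4625:
            failures[ip] += 1
        if user in SERVICE_ACCOUNTS and not is_trusted(ip):
            kind = "success" if ev["EventID"] == 4624 else "failure"
            alerts.append((f"service-account-{kind}", ip, user))
    for ip, count in failures.items():
        if count >= FAIL_THRESHOLD:
            alerts.append(("repeated-failures", ip, count))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

A successful 4624 for a service account from outside the trusted range is the highest-priority alert here, since it indicates the credentials were accepted.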