{"id":3800,"date":"2025-07-08T18:20:49","date_gmt":"2025-07-08T10:20:49","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=3800"},"modified":"2025-07-08T18:20:49","modified_gmt":"2025-07-08T10:20:49","slug":"%e3%80%90%e8%b3%87%e5%ae%89%e5%bf%ab%e8%a8%8a%e3%80%91cisa-%e6%96%b0%e5%a2%9e%e5%9b%9b%e9%a0%85%e3%80%8c%e5%b7%b2%e9%81%ad%e5%88%a9%e7%94%a8%e3%80%8d%e9%87%8d%e5%a4%a7%e6%bc%8f%e6%b4%9e%ef%bc%8ccitrix","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=3800","title":{"rendered":"\u3010\u8cc7\u5b89\u5feb\u8a0a\u3011CISA \u65b0\u589e\u56db\u9805\u300c\u5df2\u906d\u5229\u7528\u300d\u91cd\u5927\u6f0f\u6d1e\uff0cCitrix Bleed 2 \u6b63\u5728\u906d\u653b\u64ca\u4e2d\uff01"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"644\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/07\/image-2.png\" alt=\"\" class=\"wp-image-3801\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/07\/image-2.png 865w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/07\/image-2-300x223.png 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/07\/image-2-768x572.png 768w\" sizes=\"auto, (max-width: 865px) 100vw, 865px\" \/><\/figure>\n\n\n\n<p>\u7f8e\u570b\u8cc7\u5b89\u66a8\u57fa\u790e\u5efa\u8a2d\u5b89\u5168\u5c40\uff08CISA\uff09\u8fd1\u65e5\u518d\u5ea6\u767c\u5e03<a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/07\/cisa-adds-four-known-exploited-vulnerabilities-catalog\">\u8b66\u8a0a<\/a>\uff0c\u5c07\u56db\u9805\u906d<strong>\u5be6\u969b\u653b\u64ca\u7684\u9ad8\u98a8\u96aa\u6f0f\u6d1e<\/strong>\u7d0d\u5165\u5176\u300c\u5df2\u77e5\u906d\u5229\u7528\u6f0f\u6d1e\u6e05\u55ae\uff08KEV Catalog\uff09\u300d\uff0c\u547c\u7c72\u5404\u754c\u7dca\u6025\u4fee\u88dc\u3001\u63d0\u9ad8\u8b66\u89ba\u3002<\/p>\n\n\n\n<p>\u5176\u4e2d\u66f4\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0cCitrix Bleed 2\uff08CVE-2025-5777\uff09\u6f0f\u6d1e\u76ee\u524d\u6b63\u906d\u5230\u7a4d\u6975\u5229\u7528\uff0c\u653b\u64ca\u8005\u53ef\u85c9\u6b64\u7aca\u53d6\u6191\u8b49\u3001\u5b58\u53d6\u8a18\u61b6\u9ad4\u4e2d\u654f\u611f\u8cc7\u6599\uff0c\u5c0d\u4f01\u696d\u71df\u904b\u69cb\u6210\u56b4\u91cd\u5a01\u8105\uff01<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u88ab\u5217\u5165 KEV <\/strong><strong>\u7684\u56db\u9805\u9ad8\u98a8\u96aa\u6f0f\u6d1e<\/strong><\/p>\n\n\n\n<p>CISA \u6b64\u6b21\u516c\u544a\u6307\u51fa\uff0c\u4e0b\u5217\u56db\u500b\u6f0f\u6d1e\u5df2\u88ab\u8b49\u5be6<strong>\u5728\u91ce\u5916\u906d\u5230\u5be6\u969b\u6feb\u7528<\/strong>\uff0c\u53ef\u80fd\u7528\u65bc\u9060\u7aef\u5165\u4fb5\u3001\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u6216\u7aca\u53d6\u8cc7\u6599\uff1a<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2014-3931\">CVE-2014-3931<\/a><\/strong>\uff08CVSS\uff1a9.8\uff09<br>\u3000<em>Multi-Router Looking Glass (MRLG)<\/em> \u4e2d\u7684\u7de9\u885d\u5340\u6ea2\u4f4d\u6f0f\u6d1e\uff0c\u653b\u64ca\u8005\u53ef\u9032\u884c\u4efb\u610f\u8a18\u61b6\u9ad4\u5beb\u5165\u8207\u640d\u6bc0\u3002<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2016-10033\">CVE-2016-10033<\/a><\/strong>\uff08CVSS\uff1a9.8\uff09<br>\u3000<em>PHPMailer<\/em> \u7684\u6307\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u53ef\u80fd\u5c0e\u81f4\u653b\u64ca\u8005\u9060\u7aef\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u78bc\uff0c\u751a\u81f3\u9020\u6210\u7cfb\u7d71\u7671\u7613\u3002<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2019-5418\">CVE-2019-5418<\/a><\/strong>\uff08CVSS\uff1a7.5\uff09<br>\u3000 <em>Ruby on Rails Action View<\/em> \u5b58\u5728\u8def\u5f91\u7a7f\u8d8a\u98a8\u96aa\uff0c\u653b\u64ca\u8005\u53ef\u8b80\u53d6\u4f3a\u670d\u5668\u4e0a\u7684\u4efb\u610f\u6a94\u6848\u5167\u5bb9\u3002<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2019-9621\">CVE-2019-9621<\/a><\/strong>\uff08CVSS\uff1a7.5\uff09<br>\u3000 <em>Zimbra Collaboration Suite<\/em> \u7684 SSRF \u5f31\u9ede\uff0c\u53ef\u5c0e\u81f4\u672a\u6388\u6b0a\u5b58\u53d6\u5167\u90e8\u8cc7\u6e90\uff0c\u751a\u81f3\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u3002<br>\u3000\u8a72\u6f0f\u6d1e\u5df2\u65bc 2023 \u5e74\u88ab Trend Micro \u78ba\u8a8d\u906d\u4e2d\u570b\u99ed\u5ba2\u7d44\u7e54 <strong>Earth Lusca<\/strong> \u5229\u7528\uff0c\u690d\u5165 Web Shell \u4e26\u90e8\u7f72 Cobalt Strike\u3002<\/li>\n<\/ol>\n\n\n\n<p>\u6839\u64da\u7f8e\u570b\u806f\u90a6\u8cc7\u5b89\u898f\u7bc4\uff0c<strong>FCEB<\/strong><strong>\uff08\u806f\u90a6\u884c\u653f\u6a5f\u95dc\uff09\u9700\u5728 2025 <\/strong><strong>\u5e74 7 <\/strong><strong>\u6708 28 <\/strong><strong>\u65e5\u524d\u5b8c\u6210\u4fee\u88dc<\/strong>\uff0c\u4f01\u696d\u4ea6\u61c9\u5373\u523b\u884c\u52d5\u4ee5\u907f\u514d\u6dea\u70ba\u4e0b\u4e00\u500b\u53d7\u5bb3\u8005\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Citrix Bleed 2 <\/strong><strong>\u6b63\u906d\u99ed\u5ba2\u5229\u7528\uff01\u8a18\u61b6\u9ad4\u6d29\u6f0f\u3001Token <\/strong><strong>\u906d\u7aca\uff0c\u5f71\u97ff\u6050\u64f4\u5927<\/strong><\/p>\n\n\n\n<p>\u8cc7\u5b89\u7814\u7a76\u5718\u968a <strong><a href=\"https:\/\/labs.watchtowr.com\/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777\/\">watchTowr Labs<\/a><\/strong> \u8207 <strong><a href=\"https:\/\/horizon3.ai\/attack-research\/attack-blogs\/cve-2025-5777-citrixbleed-2-write-up-maybe\/\">Horizon3.ai<\/a><\/strong> \u65e5\u524d\u767c\u5e03\u6280\u8853\u5206\u6790\uff0c\u6307\u51fa Citrix NetScaler ADC \u7684\u56b4\u91cd\u6f0f\u6d1e <strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-5777\">CVE-2025-5777<\/a><\/strong><strong>\uff08Citrix Bleed 2<\/strong><strong>\uff09<\/strong> \u76ee\u524d\u6b63\u906d\u653b\u64ca\u8005\u9396\u5b9a\uff0c\u4e26\u8207 <strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-6543\">CVE-2025-6543<\/a><\/strong> \u4e00\u540c\u906d\u53d7\u6feb\u7528\u3002<\/p>\n\n\n\n<p>\u8a72\u6f0f\u6d1e\u53ef\u900f\u904e\u7cbe\u5fc3\u8a2d\u8a08\u7684 HTTP \u8acb\u6c42\uff0c<strong>\u5f9e\u8a18\u61b6\u9ad4\u4e2d\u8b80\u53d6\u654f\u611f\u8cc7\u8a0a<\/strong>\uff0c\u5982\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4f7f\u7528\u8005\u767b\u5165\u6191\u8b49<\/li>\n\n\n\n<li>\u6709\u6548\u7684 Citrix Session Token<\/li>\n\n\n\n<li>\u8a18\u61b6\u9ad4\u4e2d\u8655\u7406\u7684 HTTP \u8acb\u6c42\u5167\u5bb9\u7b49<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udd27 \u6839\u672c\u539f\u56e0\u4f86\u81ea Citrix \u8655\u7406\u767b\u5165\u8acb\u6c42\u7684 \/p\/u\/doAuthentication.do \u7aef\u9ede\u4f7f\u7528\u4e86\u932f\u8aa4\u7684 snprintf \u5beb\u6cd5\uff0c\u7576 login= \u6b04\u4f4d\u88ab\u6545\u610f\u7701\u7565\u7b49\u865f\u6642\uff0c\u7a0b\u5f0f\u6703\u5c07\u8a18\u61b6\u9ad4\u4e2d\u5c1a\u672a\u521d\u59cb\u5316\u7684\u5167\u5bb9\u56de\u50b3\u81f3\u4f7f\u7528\u8005\uff0c\u9032\u800c\u9020\u6210\u8cc7\u8a0a\u6d29\u9732\u3002<\/p>\n\n\n\n<p>Horizon3.ai \u6e2c\u8a66\u986f\u793a\uff0c\u900f\u904e\u9019\u7a2e\u65b9\u5f0f\u4e00\u6b21\u53ef\u5916\u6d29\u7d04 127 bytes \u7684\u8a18\u61b6\u9ad4\u8cc7\u6599\uff0c\u53ea\u8981\u53cd\u8986\u89f8\u767c\uff0c\u653b\u64ca\u8005\u5c31\u53ef\u80fd\u8490\u96c6\u5230\u5b8c\u6574\u7684 Session Token \u6216\u6a5f\u654f\u8cc7\u8a0a\uff01<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u3010\u5c08\u5bb6\u5efa\u8b70\u3011\u4f01\u696d\u61c9\u7acb\u5373\u63a1\u53d6\u4ee5\u4e0b\u884c\u52d5\uff1a<\/strong><\/p>\n\n\n\n<p><strong>\u512a\u5148\u4fee\u88dc\u6f0f\u6d1e<\/strong>\uff1a\u7279\u5225\u662f MRLG\u3001PHPMailer\u3001Zimbra\u3001Citrix \u7b49\u7522\u54c1\uff0c\u61c9\u7acb\u5373\u66f4\u65b0\u81f3\u5b89\u5168\u7248\u672c\u3002<\/p>\n\n\n\n<p><strong>\u9032\u884c\u5a01\u8105\u7375\u6355\uff08Threat Hunting<\/strong><strong>\uff09<\/strong>\uff1a\u6aa2\u67e5\u662f\u5426\u6709\u7570\u5e38\u5b58\u53d6 \/doAuthentication.do \u7b49\u7aef\u9ede\u7684\u7d00\u9304\uff0c\u6ce8\u610f\u662f\u5426\u6709\u8cc7\u6599\u5916\u6d29\u8de1\u8c61\u3002<\/p>\n\n\n\n<p><strong>\u8a3b\u92b7\u6240\u6709 Citrix <\/strong><strong>\u6703\u8a71<\/strong>\uff1a\u82e5\u4f01\u696d\u4f7f\u7528 NetScaler\uff0c\u5efa\u8b70\u5728\u4fee\u88dc\u5f8c<strong>\u5f37\u5236\u8a3b\u92b7\u6240\u6709\u4f7f\u7528\u8005\u6703\u8a71<\/strong>\uff0c\u4e26\u66f4\u63db\u767b\u5165\u5bc6\u78bc\u3002<\/p>\n\n\n\n<p><strong>\u90e8\u7f72 Web <\/strong><strong>\u61c9\u7528\u9632\u706b\u7246\uff08WAF<\/strong><strong>\uff09<\/strong>\uff1a\u8a2d\u5b9a\u898f\u5247\uff0c\u963b\u64cb\u672a\u7d93\u6388\u6b0a\u7684 POST\/GET \u8acb\u6c42\uff0c\u964d\u4f4e\u53d7\u5bb3\u98a8\u96aa\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u7d50\u8a9e\uff1a\u6f0f\u6d1e\u5229\u7528 \u2260 <\/strong><strong>\u672a\u4f86\u5a01\u8105\uff0c\u800c\u662f\u6b63\u5728\u9032\u884c\u7684\u653b\u64ca<\/strong><\/p>\n\n\n\n<p>\u9019\u6b21 CISA \u7684 KEV \u66f4\u65b0\u63d0\u9192\u6211\u5011\uff0c\u8a31\u591a\u6f0f\u6d1e\u65e9\u5df2\u88ab\u99ed\u5ba2\u638c\u63e1\u4e26\u7a4d\u6975\u5229\u7528\u3002\u4f01\u696d\u9632\u79a6\u91cd\u9ede\u4e0d\u53ea\u662f\u300c\u88dc\u6f0f\u6d1e\u300d\uff0c\u66f4\u61c9\u5f37\u5316\u7e31\u6df1\u9632\u79a6\u3001\u76e3\u63a7\u53ef\u7591\u884c\u70ba\uff0c\u624d\u80fd\u5728\u99ed\u5ba2\u6ef2\u900f\u524d\u963b\u6b62\u653b\u64ca\u3002<\/p>\n\n\n\n<p>Citrix Bleed 2 \u548c Zimbra SSRF \u7684\u6848\u4f8b\u4e5f\u518d\u5ea6\u8b49\u660e\uff1a<strong>\u653b\u64ca\u8005\u6703\u91dd\u5c0d\u9ad8\u53ef\u7528\u3001\u4f4e\u9632\u8b77\u7684\u901a\u8a0a\u5e73\u53f0\u4e0b\u624b<\/strong>\uff0c\u78ba\u4fdd\u653b\u64ca\u6548\u7387\u8207\u96b1\u853d\u6027\u3002\u8acb\u52d9\u5fc5\u512a\u5148\u4fdd\u8b77\u95dc\u9375\u670d\u52d9\u3001\u9060\u7aef\u5b58\u53d6\u6a5f\u5236\u8207\u4fe1\u4efb\u908a\u754c\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u7f8e\u570b\u8cc7\u5b89\u66a8\u57fa\u790e\u5efa\u8a2d\u5b89\u5168\u5c40\uff08CISA\uff09\u8fd1\u65e5\u518d\u5ea6\u767c\u5e03\u8b66\u8a0a\uff0c\u5c07\u56db\u9805\u906d\u5be6\u969b\u653b\u64ca\u7684\u9ad8\u98a8\u96aa\u6f0f\u6d1e\u7d0d\u5165\u5176\u300c\u5df2\u77e5\u906d\u5229\u7528\u6f0f\u6d1e\u6e05\u55ae\uff08 <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=3800\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174],"class_list":["post-3800","post","type-post","status-publish","format-standard","hentry","category-6","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3800"}],"version-history":[{"count":1,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3800\/revisions"}],"predecessor-version":[{"id":3802,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3800\/revisions\/3802"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}