Fifty-seven percent of more than 90,000 internet-exposed hosts continue to run TinyProxy instances unpatched against the critical use-after-free vulnerability, tracked as CVE-2023-49606, which could be leveraged to facilitate remote code execution attacks via an unauthenticated HTTP request, reports The Hacker News.
The U.S. accounted for the most number of vulnerable internet-exposed hosts, followed by South Korea, China, France, and Germany, according to a report from Cisco Talos, which also unveiled a proof-of-concept for the security issue that tackled the possible weaponization of HTTP Connection parsing for code execution.
Meanwhile, such an issue was noted by TinyProxy maintainers to have persisted as Cisco Talos may have sent communications to an outdated email address.
"No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat. If the issue had been reported on Github or IRC, the bug would have been fixed within a day," said TinyProxy maintainer rofl0r.
