Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405)

Wiz researchers identified a critical vulnerability (CVE-2024-43405) within Nuclei, a widely used open-source vulnerability scanner. The flaw involves a signature verification bypass that could enable attackers to achieve arbitrary code execution on systems utilizing the tool. This represents a significant supply chain risk, as compromised templates or updates could propagate malicious code across security infrastructures. The severity is rated high due to the potential for remote code execution. Organizations relying on Nuclei for security assessments are urged to update to the patched version immediately to mitigate the risk. While no active exploitation by specific threat actors is confirmed in this report, the nature of the vulnerability warrants urgent attention to prevent potential compromise of security scanning environments and downstream assets.

Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution.

Wiz researchers identified a critical vulnerability (CVE-2024-43405) within Nuclei, a widely used open-source vulnerability scanner. The flaw involves a signature verification bypass that could enable attackers to achieve arbitrary code execution on systems utilizing the tool. This represents a significant supply chain risk, as compromised templates or updates could propagate malicious code across security infrastructures. The severity is rated high due to the potential for remote code execution. Organizations relying on Nuclei for security assessments are urged to update to the patched version immediately to mitigate the risk. While no active exploitation by specific threat actors is confirmed in this report, the nature of the vulnerability warrants urgent attention to prevent potential compromise of security scanning environments and downstream assets. Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution. Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution.