# MT.1087 - Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVEs.
## Overview
The query behind this test searches for devices that match all of the following criteria:
- Incoming connections from public IP addresses in the last 7 days (internet exposed)
- High or Critical severity CVEs
- CVEs must have known exploits
- CVEs are remotely exploitable over the network
- No user interaction is required to exploit the CVEs
- EPSS score of the CVE must be above 10% (likelihood of exploitation)
NOTE! If devices are placed behind a proxy, they will not be returned by this query by default.
Devices returned by this query are potential high-risk devices that could be successfully exploited at any time.
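To make the filtering logic above concrete, here is an added example (not part of Maester or its Advanced Hunting query) that applies the same six criteria to constructed device and CVE records. Field names, the CVSS v3 vector parsing and the sample data are assumptions; severity labels follow the High/Critical wording used above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class Cve:
    cve_id: str
    severity: str       # "Low", "Medium", "High" or "Critical"
    exploit_known: bool # a public exploit exists
    cvss_vector: str    # CVSS v3.x vector string
    epss: float         # EPSS probability, 0.0 - 1.0

@dataclass
class Device:
    name: str
    last_public_inbound: Optional[datetime]  # last inbound connection from a public IP
    cves: List[Cve] = field(default_factory=list)

def cvss_metrics(vector: str) -> Dict[str, str]:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...} (version prefix dropped)."""
    parts = [p for p in vector.split("/") if ":" in p and not p.startswith("CVSS")]
    return dict(p.split(":", 1) for p in parts)

def cve_qualifies(cve: Cve, min_epss: float = 0.10) -> bool:
    """High/Critical, known exploit, network attack vector, no user interaction, EPSS above threshold."""
    m = cvss_metrics(cve.cvss_vector)
    return (cve.severity in ("High", "Critical") and cve.exploit_known
            and m.get("AV") == "N" and m.get("UI") == "N" and cve.epss > min_epss)

def exposed_devices(devices: List[Device], now: datetime, window_days: int = 7) -> Dict[str, List[str]]:
    """Return {device: [qualifying CVE ids]} for devices with public inbound traffic in the window."""
    cutoff = now - timedelta(days=window_days)
    hits: Dict[str, List[str]] = {}
    for d in devices:
        if d.last_public_inbound is None or d.last_public_inbound < cutoff:
            continue  # not internet exposed within the lookback window
        ids = [c.cve_id for c in d.cves if cve_qualifies(c)]
        if ids:
            hits[d.name] = ids
    return hits

# Constructed sample data; CVE ids are placeholders, not real identifiers.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
RCE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"       # network, no user interaction
CLICK = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"     # needs user interaction
LOCAL = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"     # local attack vector only
SAMPLE = [
    Device("web-01", NOW - timedelta(days=2), [Cve("CVE-0000-0001", "Critical", True, RCE, 0.42),
                                               Cve("CVE-0000-0002", "High", True, CLICK, 0.50)]),
    Device("db-02", NOW - timedelta(days=20), [Cve("CVE-0000-0001", "Critical", True, RCE, 0.42)]),
    Device("file-03", NOW - timedelta(days=1), [Cve("CVE-0000-0003", "High", False, RCE, 0.30),
                                                Cve("CVE-0000-0004", "High", True, LOCAL, 0.30),
                                                Cve("CVE-0000-0005", "High", True, RCE, 0.05)]),
]
```

Only web-01 is reported: db-02 has the same critical CVE but no public inbound traffic in the window, and each of file-03's CVEs fails exactly one criterion.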
## How to fix
Review the devices in the list and either patch the vulnerabilities or implement mitigating controls to reduce exposure. If you want more details on the exposed devices and their related CVEs, you can run the following query manually in Advanced Hunting.
## Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1087 |
| Severity | High |
| Suite | Maester |
| Category | XSPM |
| PowerShell test | Test-MtXspmPublicRemotelyExploitableHighExposureDevices |
| Tags | Device, LongRunning, MT.1087, XSPM |
## Source
- Pester test: tests/XSPM/Test-XspmDevices.Tests.ps1
- PowerShell source: powershell/public/xspm/Test-MtXspmPublicRemotelyExploitableHighExposureDevices.ps1