Censys Finds Hundreds of Exposed Servers as Volt Typhoon APT Targets Service Providers

![APT40 China Hacks](https://www.securityweek.com/wp-content/uploads/2022/11/China-Zero-Days.jpg)

**As organizations scramble to respond to zero-day exploitation of Versa Director servers by Chinese APT Volt Typhoon, new data from Censys shows more than 160 exposed devices online still presenting a ripe attack surface for attackers.**

Censys shared [live search queries](https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.software%3A+%28vendor%3A+Versa+and+product%3A+Director%29) Wednesday showing hundreds of exposed Versa Director servers pinging from the US, Philippines, Shanghai and India and urged organizations to isolate these devices from the internet immediately.

It is not quite clear how many of those exposed devices are unpatched or failed to implement system hardening guidelines ([Versa says firewall misconfigurations are to blame](https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/)) but because these servers are typically used by ISPs and MSPs, the scale of the exposure is considered enormous.

Even more worrisome, more than 24 hours after [disclosure of the zero-day](https://www.securityweek.com/chinese-apt-volt-typhoon-caught-exploiting-versa-networks-sd-wan-zero-day/), anti-malware products are very slow to provide detections for *VersaTest.png*, the custom VersaMem web shell being used in the Volt Typhoon attacks.

Although the vulnerability is considered difficult to exploit, Versa Networks said it slapped a ‘high-severity’ rating on the bug that affects all Versa SD-WAN customers using Versa Director that have not implemented system hardening and firewall guidelines.

The zero-day was caught by malware hunters at Black Lotus Labs, the research arm of Lumen Technologies. The flaw, tracked as [CVE-2024-39717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39717), was added to the [CISA known exploited vulnerabilities catalog](https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-exploited-vulnerability-catalog-versa-networks-director) over the weekend.

Versa Director servers are used to manage network configurations for clients running SD-WAN software and heavily used by ISPs and MSPs, making them a critical and attractive target for threat actors seeking to extend their reach within enterprise network management.

Versa Networks has released patches (available only on password-protected support portal) for versions 21.2.3, 22.1.2, and 22.1.3.

Black Lotus Labs has [published details](https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/) of the observed intrusions and IOCs and [YARA rules](https://github.com/blacklotuslabs/IOCs/blob/main/VersaMem_IOCs.txt) for threat hunting.

Volt Typhoon, active since mid-2021, has compromised a wide variety of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors.

The US government believes the Chinese government-backed threat actor is pre-positioning for malicious attacks against critical infrastructure targets.

**Related:** [Volt Typhoon APT Exploiting Zero-Day in Servers Used by ISPs, MSPs](https://www.securityweek.com/chinese-apt-volt-typhoon-caught-exploiting-versa-networks-sd-wan-zero-day/)

**Related:** [Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon](https://www.securityweek.com/five-eyes-agencies-issue-new-alert-on-chinese-apt-volt-typhoon/)

**Related:** [Volt Typhoon Hackers ‘Pre-Positioning’ for Critical Infrastructure Attacks](https://www.securityweek.com/cisa-chinas-volt-typhoon-hackers-planning-critical-infrastructure-disruption/)

**Related:** [US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon](https://www.securityweek.com/us-gov-disrupts-soho-router-botnet-used-by-chinese-apt-volt-typhoon/)

**Related:** [Censys Banks $75M for Attack Surface Management Technology](https://www.securityweek.com/censys-banks-75m-for-attack-surface-management-technology/)

Written By [Ryan Naraine](https://www.securityweek.com/contributors/ryan-naraine/)
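An added example (not from the article, Versa or Black Lotus Labs): because the web shell arrives as a file named *VersaTest.png* through a dangerous-file-type upload flaw and anti-malware coverage is lagging, one signature-independent hunt is to flag files whose image extension does not match their leading bytes. The sample file names and byte contents below are constructed for illustration, and the directory to scan on a real host is left to the operator.

```python
import tempfile
from pathlib import Path

# Leading signatures expected for each image extension.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Content that should never sit behind an image extension.
NON_IMAGE_MAGIC = {
    b"PK\x03\x04": "zip/jar archive",
    b"#!": "script",
}

def classify(path):
    """Return None when content matches the extension, else a label for the mismatch."""
    expected = IMAGE_MAGIC.get(path.suffix.lower())
    if expected is None:
        return None  # not an image extension: out of scope for this check
    with path.open("rb") as fh:
        head = fh.read(16)
    if head.startswith(expected):
        return None
    for sig, label in NON_IMAGE_MAGIC.items():
        if head.startswith(sig):
            return label
    return "unknown content"

def scan(root):
    """Return sorted (relative path, label) pairs for mismatched image files under root."""
    found = []
    for path in Path(root).rglob("*"):
        # Skip directories and symlinks so the walk never leaves the tree.
        label = classify(path) if path.is_file() and not path.is_symlink() else None
        if label:
            found.append((path.relative_to(root).as_posix(), label))
    return sorted(found)

def demo():
    """Build a constructed sample tree (placeholder bytes, not real samples) and scan it."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,
        "VersaTest.png": b"PK\x03\x04" + b"\0" * 8,
        "banner.gif": b"<%@ page import",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan(root)
```

A hit is a lead for triage with the published IOCs and YARA rules, not a verdict on its own.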
