From bleepingcomputer.com
Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution (RCE) flaw.
Tinyproxy is an open-source HTTP and HTTPS proxy server designed to be fast, small, and lightweight. It is specifically tailored for UNIX-like operating systems and is commonly used by small businesses, public WiFi providers, and home users.
At the start of the month, Cisco Talos disclosed CVE-2023-49606, a critical (CVSS v3: 9.8) use-after-free flaw the researchers discovered in December 2023, impacting versions 1.11.1 (latest) and 1.10.0, after stating that they had received no response from the developers.
Cisco’s report shared detailed information about the vulnerability, including proof-of-concept exploits that crashed the server and could potentially lead to remote code execution.