
Volt Typhoon exploiting unpatched vulnerability in operation aimed at Internet Service Providers and Managed Service Providers.

State-sponsored hackers are exploiting a weakness in Versa Director software and using customized web shells to target the telecommunications industry, according to researchers at Black Lotus Labs.

Breaking News: Zero-Day Vulnerability Targeting Versa Director Servers Actively Exploited

A critical zero-day vulnerability, identified as CVE-2024-39717, has been discovered in the Versa Director virtualization product. This vulnerability, classified as a "Dangerous File Type Upload Vulnerability," is currently being exploited by threat actors, including the high-profile Volt Typhoon group.

The vulnerability allows attackers to upload potentially malicious files, enabling further malicious activity. After exploitation, Volt Typhoon is known to install MEGAsync, a cloud synchronization utility, on victim systems to steal and exfiltrate documents.

According to recent reports, MEGAsync was run on compromised systems as early as January 24, 2025. The Volt Typhoon group is believed to be state-linked, and its potential goal is to launch a diversionary attack in the event of a military escalation in the Asia-Pacific region.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its known exploited vulnerabilities catalog and has urged organizations to apply all necessary updates. They have also asked organizations to check for any malicious activity and report back any confirmed results.

As of July 31, 2025, no detailed public CVE disclosure or patch release notes have been found. Therefore, defensive measures may rely on vendor mitigations, network monitoring, and threat intelligence about indicators of compromise related to MEGAsync usage and file upload patterns.

Volt Typhoon has been targeting a variety of organizations, with many of the exposed management ports being associated with telecom or Internet Service Providers (ISPs), the types of companies the campaign is focusing on. Four of these targets are in the U.S. and are either internet service providers, managed service providers, or IT companies.

Versa Networks has released a patch for the CVE-2024-39717 vulnerability and is working with customers to apply the update and implement system hardening guidelines. Black Lotus Labs researchers have also identified a custom webshell called VersaMem, designed to intercept and harvest credentials.

In January, the FBI and other federal authorities warned about Volt Typhoon's attempts to infiltrate critical infrastructure providers. The latest updates on this ongoing situation will be closely monitored and reported as more information becomes available.

  1. Current exploitation of the zero-day vulnerability in the Versa Director virtualization product, identified as CVE-2024-39717, involves the upload of potentially malicious files, which poses a significant threat.
  2. After successful exploitation, threat actors such as the Volt Typhoon group install MEGAsync on victim systems, raising concerns about data theft and exfiltration and underscoring the importance of effective cybersecurity measures.
