Targeted 2024 intrusions against high-profile TeamT5 customers, later surfaced via CISA KEV listing.
1. Executive Summary
CVE-2024-7694 is a high-severity arbitrary file upload vulnerability in TeamT5’s ThreatSonar Anti-Ransomware that can result in arbitrary command execution on the server when abused by an attacker with administrative privileges (TeamT5 advisory for CVE-2024-7694, NVD). (teamt5.org)
In February 2026, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) programme, signalling evidence of exploitation in the wild and driving a US federal remediation deadline of 10 March 2026 (CISA KEV entry for CVE-2024-7694, NVD). (NVD)
TeamT5 told SecurityWeek the exploitation occurred in 2024, targeted only a small number of customers, and was assessed as a highly coordinated campaign aimed at compromising high-profile downstream environments (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
TeamT5 further assessed the activity as likely conducted by China-nexus APT clusters it tracks as “Slime57” and “Slime62”, using large-scale proxying via compromised Taiwanese devices to obscure origin (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
2. Contextual Background
2.1 Nature of the threat
CVE-2024-7694 stems from insufficient validation of uploaded content in ThreatSonar Anti-Ransomware. Taiwan’s TWCERT/CC describes an attack path where an attacker with administrative privileges can upload a malicious file and execute arbitrary system commands on the server (TWCERT/CC advisory TVN-202408002, NVD). (twcert.org.tw)
Affected versions are ThreatSonar Anti-Ransomware 3.4.5 and earlier; TWCERT/CC recommends upgrading to 3.5.0 or later, or applying Hotfix-20240715 (TWCERT/CC advisory TVN-202408002). (twcert.org.tw)
TeamT5 published patch guidance in July 2024 and stated its cloud service was updated on 12 July 2024 (TeamT5 advisory for CVE-2024-7694). (teamt5.org)
2.2 Threat-actor attribution
Assessment: Likely (vendor-attributed). TeamT5 told SecurityWeek that, based on its investigation, exploitation was part of a supply-chain-targeting operation likely conducted by Chinese APT clusters it tracks as Slime57 and Slime62 (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
This attribution is not independently corroborated in public government reporting at the time of writing; it should therefore be treated as vendor-assessed rather than confirmed.
2.3 Sector and geographic targeting
SecurityWeek reports TeamT5 assessed the 2024 exploitation targeted “a few” customers and was focused on compromising high-profile downstream environments (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
Separately, SecurityWeek noted TeamT5 markets solutions used in the United States, Japan, and Taiwan, including by government agencies, which may explain CISA’s attention (SecurityWeek reporting, 18 Feb 2026). (SecurityWeek)
3. Technical Analysis
3.1 Vulnerability and TTP overview (mapped to MITRE ATT&CK)
CVE-2024-7694 mechanics. The publicly described behaviour is an admin-authenticated arbitrary file upload leading to server-side command execution (TWCERT/CC advisory TVN-202408002, NVD). (twcert.org.tw)
Admin access prerequisite. TWCERT/CC and NVD both state exploitation requires administrator privileges (TWCERT/CC advisory TVN-202408002, NVD). (twcert.org.tw)
SecurityWeek assessed this likely implies chaining with another vulnerability or credential compromise to reach administrative access, but no public chaining details have been released (SecurityWeek reporting, 18 Feb 2026). (SecurityWeek)
Likely ATT&CK techniques involved (based on described behaviours):
- Initial foothold via exposed application and subsequent abuse: T1190
- Uploading a malicious file to enable execution: T1105 (conceptual fit for tool transfer)
- Server-side command execution: T1059
- Obfuscation via large proxy infrastructure: T1090.003
Where your investigation validates additional post-exploitation steps (web shells, persistence, credential access), expand mapping accordingly.
3.2 Exploitation status and public exploitability signals
Confirmed exploited in the wild (programme signal): CVE-2024-7694 was added to the KEV programme on 17 February 2026 with a due date of 10 March 2026 shown in NVD’s KEV metadata (NVD). (NVD)
Operational timing (vendor statement via media): TeamT5 told SecurityWeek exploitation occurred during 2024 and impacted only a limited set of customers (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
EPSS (probabilistic): GitHub’s advisory record for CVE-2024-7694 displays an EPSS of 1.513% (81st percentile) at the time of writing (GitHub Advisory for CVE-2024-7694). (GitHub)
PoC availability: Public advisories describe the issue at a high level; no official proof-of-concept has been published by TWCERT/CC or TeamT5 in the referenced materials (TWCERT/CC advisory TVN-202408002, TeamT5 advisory). (twcert.org.tw)
4. Impact Assessment
4.1 Severity and scope
CVE-2024-7694 has a CVSS v3.1 base score of 7.2 (High) per the CNA (TWCERT/CC), with network attack vector, low complexity, and high privileges required (NVD). (NVD)
Despite the “PR:H” prerequisite, the potential impact is severe: arbitrary system command execution on a security control-plane server can enable full compromise of monitoring and response functionality, credential access, and downstream pivoting if the server is trusted within the estate (TWCERT/CC advisory TVN-202408002). (twcert.org.tw)
4.2 Victim profile
Public reporting indicates limited 2024 victim count but higher-value targeting, consistent with a supply-chain-style objective of reaching strategically significant customers through a niche security product (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
TeamT5 indicates its customer base includes organisations in the US, Japan, and Taiwan, including government agencies, increasing the likelihood of national-security-relevant targeting (SecurityWeek reporting, 18 Feb 2026). (SecurityWeek)
5. Indicators of Compromise (IOCs)
5.1 Public IOCs
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| IP addresses | Not publicly enumerated | TeamT5 stated the actor used “hundreds of IP addresses”, mostly compromised devices in Taiwan, to obscure origin, but no list was published | SecurityWeek reporting, 24 Feb 2026 (SecurityWeek) |
| File hashes | None published | No hashes provided in vendor or CERT advisories | TWCERT/CC advisory TVN-202408002 (twcert.org.tw) |
| Domains | None published | No C2 domains published in available public reporting | TeamT5 statement on KEV context (teamt5.org) |
5.2 Detection guidance (practical)
Because the vulnerability is an admin-authenticated upload-to-exec pattern, focus detections on (a) suspicious admin activity, (b) anomalous file uploads, and (c) unusual process execution chains on the ThreatSonar server:
- Admin authentication and account lifecycle: alert on unexpected admin logons, new admin account creation, and password changes. TeamT5’s July 2024 notice explicitly references risks around unauthorised account creation and password modification and should be treated as a high-signal precursor in log review (TeamT5 advisory for CVE-2024-7694). (teamt5.org)
- Upload endpoint monitoring: log and alert on uploads of executable or script-like content types, double extensions, or archive formats followed by immediate server-side execution (process spawn within seconds to minutes).
- Parent-child process relationships: alert when the ThreatSonar service, web server, or application runtime spawns shell interpreters (for example cmd, powershell, bash, sh) or when newly uploaded files are executed.
- Web server telemetry: correlate HTTP POST/PUT upload requests with subsequent 5xx anomalies, new file creation in application directories, and outbound network connections.
- Geo and proxy anomalies: given TeamT5’s report of large-scale proxying from compromised Taiwanese devices, treat bursts of admin activity from “new” residential or small-business IP space as suspicious. This behaviour is consistent with broader China-nexus use of operational relay box (ORB) networks composed of compromised devices to proxy traffic, as documented by CrowdStrike.
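The two highest-signal heuristics above (upload followed by a shell spawn from the application tier, and one admin account authenticating from many distinct IPs) as a correlation over constructed telemetry. This is an added example, not code from TeamT5 or any cited advisory; the event schema, the parent process names (threatsonar-web and friends) and the thresholds are assumptions to adapt to the real log sources.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real ThreatSonar deployment): admin logons and
# upload requests from the web tier plus host process-creation events, already normalised.
EVENTS = [
    {"ts": "2024-05-03T02:14:09Z", "kind": "admin_login", "user": "admin", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-03T02:14:31Z", "kind": "admin_login", "user": "admin", "src_ip": "198.51.100.22"},
    {"ts": "2024-05-03T02:14:55Z", "kind": "admin_login", "user": "admin", "src_ip": "192.0.2.91"},
    {"ts": "2024-05-03T02:15:10Z", "kind": "upload", "user": "admin", "src_ip": "192.0.2.91",
     "path": "/var/app/uploads/report.pdf.sh"},
    {"ts": "2024-05-03T02:15:18Z", "kind": "proc_create", "parent": "threatsonar-web",
     "image": "/bin/sh", "cmdline": "sh /var/app/uploads/report.pdf.sh"},
    {"ts": "2024-05-03T09:00:00Z", "kind": "proc_create", "parent": "cron",
     "image": "/usr/bin/python3", "cmdline": "python3 /opt/app/housekeeping.py"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh", "bash", "sh", "dash", "zsh"}
# Assumed names for the application/web-tier parent processes; adjust to the deployment.
APP_PARENTS = {"threatsonar-web", "threatsonar-svc", "nginx", "httpd", "w3wp.exe"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def shell_spawn_after_upload(events, window=timedelta(minutes=5)):
    """Upload-to-exec: the app/web tier spawns a shell within `window` of a file upload."""
    uploads = [e for e in events if e["kind"] == "upload"]
    alerts = []
    for p in events:
        if p["kind"] != "proc_create" or p["parent"] not in APP_PARENTS:
            continue
        if p["image"].replace("\\", "/").rsplit("/", 1)[-1].lower() not in SHELLS:
            continue  # not a shell interpreter (handles both / and \ path separators)
        for u in uploads:
            lag = parse_ts(p["ts"]) - parse_ts(u["ts"])
            if timedelta(0) <= lag <= window:
                alerts.append((u["user"], u["path"], p["cmdline"], int(lag.total_seconds())))
    return alerts

def admin_source_spread(events, window=timedelta(minutes=10), min_ips=3):
    """Proxy anomaly: one admin account authenticating from many distinct IPs in `window`."""
    logons = sorted((e for e in events if e["kind"] == "admin_login"), key=lambda e: e["ts"])
    flagged = set()
    for i, first in enumerate(logons):
        limit = parse_ts(first["ts"]) + window
        ips = {e["src_ip"] for e in logons[i:]
               if e["user"] == first["user"] and parse_ts(e["ts"]) <= limit}
        if len(ips) >= min_ips:
            flagged.add(first["user"])
    return flagged
```

On the sample data the first function returns one alert (admin upload executed by the web tier 8 seconds later) and the second flags the admin account for three source IPs inside one minute.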
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Patch validation first: confirm ThreatSonar version is 3.5.0+ or Hotfix-20240715 is installed (TWCERT/CC advisory TVN-202408002). (twcert.org.tw)
- Isolate the ThreatSonar server: temporarily restrict inbound access to trusted admin subnets/VPN only; remove direct internet exposure of any management interface.
- Credential response: rotate ThreatSonar administrative credentials, API keys, and any service accounts used by the platform; invalidate active sessions where possible.
- Hunt for post-exploitation: search for unexpected executables/scripts uploaded to the server, suspicious cron/scheduled tasks, and unauthorised configuration changes.
- Recovery: restore from known-good backups only after confirming no persistence or tampering (particularly important when the compromised host is a security control-plane component).
6.2 Forensic artefacts to collect
- ThreatSonar application logs covering admin authentication, account changes, and file uploads (especially for 2024 per TeamT5’s timeline). (SecurityWeek)
- Host-based telemetry: process creation logs, command-line auditing, file creation events, and outbound connection logs.
- Web server logs (reverse proxy, WAF, load balancer) for upload endpoints and admin console access.
- Full disk artefact capture of newly uploaded files and any interpreted scripts.
6.3 Lessons learned
- Treat security tooling as Tier 0 infrastructure: compromise of monitoring and response platforms can blind detection and accelerate downstream compromise.
- Build “admin-plane minimisation”: management interfaces should be private by default, monitored intensively, and strongly authenticated.
7. Threat Intelligence Contextualisation
7.1 Comparisons to similar incidents
This incident fits a recurring pattern where attackers target upstream technology or security products to reach downstream high-value networks. TeamT5 explicitly characterised the activity as supply-chain-targeting against high-profile customers (SecurityWeek reporting, 24 Feb 2026). (SecurityWeek)
The reported use of large-scale proxying via compromised devices also aligns with wider China-nexus operational security tradecraft. CrowdStrike reports China-nexus actors use ORB networks made of compromised devices to obfuscate intrusion traffic.
7.2 ATT&CK mapping table
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of a server-side application vulnerability to achieve code execution (deployment-dependent) |
| Command and Control / Defence Evasion | T1090.003 | Proxy: Multi-hop Proxy | TeamT5 reported use of hundreds of proxy IPs, mostly compromised Taiwanese devices |
| Execution | T1059 | Command and Scripting Interpreter | Arbitrary system command execution on the ThreatSonar server after malicious upload |
| Command and Control / Collection (enabler) | T1105 | Ingress Tool Transfer | Upload of malicious file content to the platform as the execution vehicle |
8. Mitigation Recommendations
8.1 Hardening actions
- Enforce administrative MFA and network restriction: ensure admin console access is only possible via VPN or dedicated admin network segments.
- Least privilege and role separation: reduce the number of ThreatSonar administrators and ensure accounts are not reused across other platforms.
- Upload controls and monitoring: where configuration allows, restrict file types, enforce content scanning, and retain upload audit trails.
- Outbound controls: apply egress filtering from the ThreatSonar server to reduce the chance of C2 and data exfiltration.
8.2 Patch management prioritisation
- Priority: treat as urgent due to KEV exploitation status, even though the CVSS vector requires admin privileges (NVD). (NVD)
- Action: update to ThreatSonar Anti-Ransomware 3.5.0+ or apply Hotfix-20240715 (TWCERT/CC advisory TVN-202408002). (twcert.org.tw)
- Verification: TeamT5 states all impacted customers were assisted to migrate off vulnerable versions; nonetheless, organisations should validate rather than assume compliance (TeamT5 statement on KEV context). (teamt5.org)
9. Historical Context & Related Vulnerabilities
9.1 Prior vulnerabilities in the same product family
- TeamT5 disclosed a vulnerability in July 2024 that could allow unauthorised user account creation and modification of existing account passwords, addressed via Hotfix-240715 (TeamT5 advisory). (teamt5.org)
- GitHub’s advisory database also lists a separate ThreatSonar Anti-Ransomware privilege escalation vulnerability, CVE-2025-4477, enabling elevation to highest administrator level via a specific API (GitHub Advisory for CVE-2025-4477). (GitHub)
9.2 Prior coverage and related reporting
- SecurityWeek’s initial KEV-focused coverage (18 Feb 2026) and follow-up with TeamT5’s attribution (24 Feb 2026) provide the most detailed public narrative to date (SecurityWeek, 18 Feb 2026, SecurityWeek, 24 Feb 2026). (SecurityWeek)
10. Future Outlook
10.1 Emerging trends
Expect continued interest in “defender tooling” and security management planes as intrusion accelerants: compromising EDR and response infrastructure can suppress detection while creating privileged internal trust relationships.
10.2 Likely shifts
If TeamT5’s assessment is accurate, similar campaigns will likely continue to pair targeted vulnerability research with large proxy infrastructure (compromised devices and relay networks) to reduce attribution confidence while sustaining access to high-value regional targets. (SecurityWeek)
11. Further Reading
Vendor and CERT advisories
- TeamT5 advisory for CVE-2024-7694 (teamt5.org)
- TWCERT/CC advisory TVN-202408002 for CVE-2024-7694 (twcert.org.tw)
- TeamT5 statement regarding CISA KEV context (teamt5.org)
Vulnerability records
- NVD record for CVE-2024-7694 (NVD)
- GitHub Advisory for CVE-2024-7694 (GitHub)
Media reporting
- SecurityWeek coverage (18 Feb 2026) (SecurityWeek)
- SecurityWeek follow-up (24 Feb 2026) (SecurityWeek)
- Computer Weekly summary of the KEV additions (18 Feb 2026) (computerweekly.com)