A critical supply chain backdoor vulnerability, CVE-2024-3094, has been detected by NSFOCUS CERT in XZ-Utils, scoring the maximum 10 on the CVSS scale.

The vulnerability enables attackers to circumvent SSH authentication, allowing unauthorized access and the ability to execute system commands.

The compromised component is liblzma in XZ-Utils versions 5.6.0 to 5.6.1, introduced by a trusted developer, affecting multiple Linux distributions.

NSFOCUS advises users to downgrade to a secure version or switch to alternative components to mitigate the risk.

Users should implement a supply chain management system and enhance security monitoring to prevent similar incidents.

NSFOCUS issues a disclaimer of liability for any consequences or losses related to the use of their advisory, while also offering cybersecurity solutions for protection against sophisticated cyber threats.