About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. In the default installation, the controller can access all Secrets cluster-wide.

On March 24, Wiz published a write-up on this vulnerability, naming it IngressNightmare (alongside CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514). Wiz researchers identified 6,500 vulnerable controllers exposed to the Internet. The Kubernetes blog reports that in many common scenarios, the Pod network is accessible to all workloads in the cloud VPC, or even anyone connected to the corporate network. Ingress-nginx is used in 40% of Kubernetes clusters.

Public exploits are available on GitHub since March 25th.

Update ingress-nginx to versions v1.12.1, v1.11.5, or higher!

На русском

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability

Leave a reply

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability. Veeam B&R is a client-server software solution for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments.

A deserialization flaw (CWE-502) lets an attacker run arbitrary code on a Veeam server. The necessary conditions: the Veeam server must be part of an Active Directory domain, and the attacker must be authenticated in this domain.

The vendor’s security advisory was released on March 19. The next day, on March 20, WatchTowr Labs published an analysis of the vulnerability. A PoC exploit is expected to appear soon.

Veeam products were widely deployed in Russia until 2022, and many active installations likely remain.

Compromising the backup system could severely delay infrastructure recovery following a ransomware attack.

Upgrade to version 12.3.1 and, if possible, disconnect the B&R server from the domain.

На русском

March Linux Patch Wednesday

Leave a reply

March Linux Patch Wednesday. Total vulnerabilities: 1083. 879 in the Linux Kernel. Two vulnerabilities show signs of exploitation in the wild:

Code Injection – GLPI (CVE-2022-35914). An old vulnerability from CISA KEV, but first patched on March 3 in RedOS Linux.
Memory Corruption – Safari (CVE-2025-24201). Fixed in WebKitGTK packages in Linux repositories.

There are 19 vulnerabilities with publicly available exploits. Notable ones:

Remote Code Execution – Apache Tomcat (CVE-2025-24813)
Command Injection – SPIP (CVE-2024-8517)
Memory Corruption – Assimp (CVE-2025-2152)
Memory Corruption – libxml2 (CVE-2025-27113)

The Elevation of Privilege vulnerability in the Linux Kernel (CVE-2022-49264) has no public exploit yet. However, it resembles well-known PwnKit (CVE-2021-4034).

Full Vulristics report

На русском

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

Leave a reply

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just extracting a ZIP/RAR archive with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing.

На русском

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday. 77 CVEs, 20 of which were added during the month. 7 vulnerabilities with signs of exploitation in the wild:

RCE – Windows Fast FAT File System Driver (CVE-2025-24985)
RCE – Windows NTFS (CVE-2025-24993)
SFB – Microsoft Management Console (CVE-2025-26633)
EoP – Windows Win32 Kernel Subsystem (CVE-2025-24983)
InfDisc – Windows NTFS (CVE-2025-24991, CVE-2025-24984)
AuthBypass – Power Pages (CVE-2025-24989) – in Microsoft web service, can be ignored

There are no vulnerabilities with public exploits, there are 2 more with private ones:

RCE – Bing (CVE-2025-21355) – in Microsoft web service, can be ignored
SFB – Windows Kernel (CVE-2025-21247)

Among the others:

RCE – Windows Remote Desktop Client (CVE-2025-26645) and Services (CVE-2025-24035, CVE-2025-24045), MS Office (CVE-2025-26630), WSL2 (CVE-2025-24084)
EoP – Windows Win32 Kernel Subsystem (CVE-2025-24044)

Full Vulristics report

На русском

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists

Leave a reply

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists. Now with a new design and new video editing.

Video on YouTube and LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:00 Greetings
00:23 Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)
01:35 Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468)
02:38 Remote Code Execution – Windows OLE (CVE-2025-21298)
03:55 Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
05:02 Authentication Bypass – FortiOS/FortiProxy (CVE-2024-55591)
06:16 Remote Code Execution – 7-Zip (CVE-2025-0411)
07:27 Should a VM specialist be aware of what is happening in the Darknet?
08:48 About the digest of trending vulnerabilities

На русском

Should a VM specialist be aware of what is happening in the Darknet?

Leave a reply

Should a VM specialist be aware of what is happening in the Darknet? Of course. At least roughly. Otherwise, he’ll fall for the “nobody’s attacking us” myth.

The reality is that every organization is under attack all the time. It’s like commercial fishing with trawlers. Anything that gets caught in the nets will be classified, priced, and put up for sale. In today’s world of cybercrime, access to an organization’s infrastructure is a commodity. The same is true for vulnerabilities, exploits, and ready-made malware.

Attacker groups have specialized:

some research vulnerabilities and write exploits
others embed them in malware
still others implement bypass of the InfoSec systems
the fourth get primary access
fifth people monetize this access
sixth support the operation of trading platforms

And whether these guys can break your organization depends on you, VM specialist!

PT has published a large study on this topic.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability

March Linux Patch Wednesday

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

March Microsoft Patch Tuesday

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists

Should a VM specialist be aware of what is happening in the Darknet?