About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability

About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability. PAN-OS is an operating system for Palo Alto Networks firewalls and security platforms. User-ID™ Authentication Portal (also known as Captive Portal) is a non-default PAN-OS feature used to map IP addresses to usernames. By exploiting a buffer overflow vulnerability (CWE-787), an unauthenticated remote attacker can send specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected device. No authentication or user interaction is required. If the vulnerability is successfully exploited, the attacker gains full control over network traffic: they can intercept, modify, or block connections, access sensitive data, bypass security policies, hide traces of compromise, install backdoors, and use the device as a foothold for attacks on internal infrastructure.

⚙️ The vendor security advisory was published on May 6. PA-Series and VM-Series firewalls are affected. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability. Security updates for affected devices became available on May 13. As a workaround, the vendor recommended restricting User-ID™ Authentication Portal access to only trusted internal zones or disabling the User-ID™ Authentication Portal entirely if it is not required.

👾 On the same day, May 6, researchers from Palo Alto Networks Unit 42 published a report on active exploitation of the vulnerability in the wild. Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and systematic destruction of logs and other evidence of compromise. On the same day, the vulnerability was added to the CISA KEV catalog.

🛠 A public exploit was also published on GitHub on May 6.

🌐 PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. As of June 5, Shodan identifies approximately 135,755 internet-facing PAN-OS instances, representing a significant attack surface.

May Linux Patch Wednesday

May Linux Patch Wednesday. A total of 1,638 vulnerabilities (474 in the Linux kernel). For comparison, in April there were 1,035 vulnerabilities (a record!). And this time it turns out to be a record again, more than one and a half times higher! The acceleration is both impressive and alarming. But we will see what happens next. At some point it should stabilize. Although the number of critical vulnerabilities is already so high that reviewing all of them becomes quite problematic. For 7 vulnerabilities there are signs of exploitation in the wild. And for another 264 there are public exploits. Let’s start, as usual, with vulnerabilities being actively exploited according to CISA KEV and VulnCheck KEV data. Here, at the top, as expected, are two high-profile ways to get a root shell:

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431)
🔻 EoP - Linux Kernel "Dirty Frag" (CVE-2026-43500)

Other vulnerabilities being exploited in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-40466). Based on the description, this appears to be a bypass of the fix for CVE-2026-34197, which I already wrote about earlier.

🔻 AuthBypass - Rclone (CVE-2026-41176). Rclone ("rsync for cloud storage") is a command-line utility for synchronizing files and directories between various cloud storage services and local systems. Exploitation of the vulnerability can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

🔻 RCE - NGINX (CVE-2026-42945). The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

🔻 DoS - PgBouncer (CVE-2026-6664). PgBouncer is a lightweight, open-source connection pooler for PostgreSQL databases. It reduces connection overhead by managing a pool of connections to one or more PostgreSQL servers, improving performance and resource efficiency for applications with frequent short-lived database connections. An integer overflow in the network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash.

🔻 XSS - Postorius (CVE-2026-44742). The Postorius Django app provides a web user interface to access GNU Mailman. Mailman is free software for managing electronic mail discussion and e-newsletter lists. The vulnerability is being exploited according to VulnCheck KEV; however, no public exploits have been observed yet.

From the remaining vulnerabilities with public exploits, but without any signs of exploitation in the wild so far, the following can be highlighted:

🔸 RCE - Apache HTTP Server (CVE-2026-23918). Double-free error in Apache httpd mod_http2 stream cleanup, leading to pre-auth RCE.

🔸 RCE - Apache Tomcat (CVE-2026-34486). Apache Tomcat Tribes cluster communication module fails to discard messages when EncryptInterceptor decryption fails, allowing unauthenticated attackers to trigger Remote Code Execution via Java deserialization on port 4000.

🔸 RCE - ProFTPD (CVE-2026-42167). The flaw exists in how mod_sql handles certain logging variables (like %U), allowing an unauthenticated attacker to inject SQL commands via the USER command.

🔸 EoP - Linux Kernel "DirtyDecrypt" (CVE-2026-31635). Linux local privilege escalation in the RxRPC/GSSAPI decryption path. A missing skb_cow_data() check in rxgk_decrypt_skb() allows an unprivileged local attacker to corrupt cache pages and overwrite in-memory contents of read-only files.

🔸 EoP - Linux Kernel "Fragnesia" (CVE-2026-46300). I also analyzed this vulnerability earlier. A bug in skb_try_coalesce() allowing page-cache write via fragmented ESP packets.

🔸 EoP - Linux Kernel (CVE-2026-46333). Local root privilege escalation and credential disclosure in the Linux kernel ptrace path, discovered by researchers at Qualys.

🔸 EoP - PackageKit "Pack2TheRoot" (CVE-2026-41651). PackageKit is a free and open-source suite of software applications designed to provide a consistent and high-level abstraction layer for a number of different package management systems. The vulnerability allows an attacker to escalate privileges, potentially gaining root access or compromising the system.

🔸 ComInj - Composer (CVE-2026-40261, CVE-2026-40176). Composer is a dependency manager for PHP. The vulnerability exists in the Perforce::generateP4Command() method. Due to insufficient sanitization of repository configuration parameters (such as url, p4user, or client) when constructing shell commands, an attacker who controls a composer.json file can execute arbitrary commands on the victim's system when composer install or composer update is executed.
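For the Composer item above, a defender can triage `composer.json` files before `composer install` or `composer update` is run on them. This is an added example, not Composer's code or the advisory's: it flags perforce repository entries whose `url`, `p4user` or `client` values contain shell metacharacters. The character set, the function names and the sample manifest are assumptions constructed for illustration.

```python
import json

# Keys the text above names as flowing into the shell command.
RISKY_KEYS = ("url", "p4user", "client")
# Assumption: characters treated here as shell metacharacters (not from the advisory).
SHELL_META = set(";&|`$<>(){}!\\\"'\n\r")

# Constructed sample manifest, not taken from any real project.
SAMPLE = json.dumps({
    "repositories": [
        {"type": "perforce", "url": "p4.example.test:1666",
         "p4user": "ci;echo x", "client": "build"},
        {"type": "vcs", "url": "https://example.test/repo.git"},
    ]
})


def iter_repositories(manifest):
    """Yield (label, repo) for the list and the object form of "repositories"."""
    repos = manifest.get("repositories") or []
    items = repos.items() if isinstance(repos, dict) else enumerate(repos)
    for label, repo in items:
        if isinstance(repo, dict):  # skips entries such as "packagist.org": false
            yield str(label), repo


def audit_manifest(text):
    """Return (repo label, key, offending characters) for perforce repositories."""
    findings = []
    for label, repo in iter_repositories(json.loads(text)):
        if repo.get("type") != "perforce":
            continue
        for key in RISKY_KEYS:
            value = repo.get(key)
            if isinstance(value, str):
                bad = sorted(set(value) & SHELL_META)
                if bad:
                    findings.append((label, key, "".join(bad)))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print(finding)
```

An empty result only means these three keys look clean in that one file; updating Composer remains the fix.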

🗒 Full Vulristics report

About Elevation of Privilege - Linux Kernel "Fragnesia" (CVE-2026-46300) vulnerability

About Elevation of Privilege - Linux Kernel "Fragnesia" (CVE-2026-46300) vulnerability. The vulnerability was discovered by researcher William Bowling together with the V12 team. Fragnesia belongs to the class of Dirty Frag vulnerabilities. It is an error in the ESP/XFRM subsystem, distinct from Dirty Frag, which was addressed with a separate patch. It allows achieving arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.

🛠 Technical details and exploit code were published on May 15. The public exploit modifies the contents of /usr/bin/su in the kernel page cache, and then executes /usr/bin/su, resulting in the user obtaining a root shell. The on-disk binary is never modified. A reboot or cache flush restores normal system behavior.

⚙️ Fragnesia affects the same kernel versions as Dirty Frag. Any distribution shipping a kernel without the May 13 patch is vulnerable. The vulnerability was confirmed on Ubuntu 6.8.0-111-generic (April 11, 2026 build). Monitor kernel package updates for your Linux distribution(s).

For systems where a kernel update is not possible, the same workaround as for Dirty Frag is effective (blacklisting modules). Systems where the Dirty Frag workaround has already been applied are already protected against Fragnesia. Systems that only received Dirty Frag updates without applying the workaround remain vulnerable and require new updates addressing Fragnesia.
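Because the exploit described above changes only the page-cache copy of a file and leaves the on-disk binary intact, a defender can compare the two views of the same file. This is an added example, not code from the original post or from the vulnerability's researchers: it hashes a file through the normal read path and again with `O_DIRECT`, and reports whether they agree. It assumes the tampered pages are not marked dirty (consistent with a cache flush restoring the file) and a filesystem that accepts `O_DIRECT`; the function names are hypothetical.

```python
import hashlib
import mmap
import os

CHUNK = 1 << 20  # 1 MiB, a multiple of common logical block sizes


def sha256_cached(path):
    """Hash via the normal read path, i.e. what the page cache serves."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha256_direct(path):
    """Hash via O_DIRECT (bypasses the page cache); None if O_DIRECT is rejected."""
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned, as O_DIRECT needs
    h = hashlib.sha256()
    try:
        remaining = os.fstat(fd).st_size
        while remaining > 0:
            n = os.readv(fd, [buf])
            if n == 0:
                break
            h.update(buf[:n])
            remaining -= n
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check_page_cache(path):
    """Return 'match', 'mismatch' or 'unsupported' for one file."""
    direct = sha256_direct(path)
    if direct is None:
        return "unsupported"
    return "match" if sha256_cached(path) == direct else "mismatch"


if __name__ == "__main__":
    print("/usr/bin/su", check_page_cache("/usr/bin/su"))
```

A result of `unsupported` means the filesystem rejected `O_DIRECT`, so no conclusion can be drawn for that file.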

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. While the previous April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges.

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms.

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft solution widely used in enterprise systems for collaboration, document management, and internal portal development.

🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks.

🟥 The full list of trending vulnerabilities is available on the portal

May Microsoft Patch Tuesday

May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:

🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."

Among the remaining ones, the following stand out:

🔹 RCE - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: "This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."

🔹 RCE - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: "No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."

🔹 RCE - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: "This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."

🔹 RCE - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane is an attack vector for each of these vulnerabilities.

🔹 RCE - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: "It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."

🔹 EoP - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges to SYSTEM level. In the case of CVE-2026-33841, the attacker can elevate privileges to Medium/High integrity level.

🗒 Full Vulristics report

About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability

About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability. Apache ActiveMQ is a popular open-source message broker written in Java. Its main purpose is to send messages between different services, systems, and microservices without a direct connection between them.

This vulnerability is from the April Linux Patch Wednesday. Details about this vulnerability were published on April 7 in the HORIZON3.ai company blog. They claim that the Apache ActiveMQ Classic vulnerability has been hiding in plain sight for 13 years. An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands. As a result, the attacker can gain access to sensitive information, including messages, credentials, and configuration files, deploy malware, or use the compromised server to conduct further attacks within the internal infrastructure.

The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.

🛠 Public exploits have been available on GitHub since April 8.

👾 Indicators of exploitation in the wild were observed by FortiGuard experts on April 13. The vulnerability was added to the CISA KEV catalog on April 16.

🌐 According to data from The Shadowserver Foundation, as of May 14, approximately 7,000 vulnerable Apache ActiveMQ servers remain exposed on the internet.

⚙️ According to the vendor bulletin, the vulnerability has been fixed in ActiveMQ versions 5.19.4 and 6.2.3. However, according to HORIZON3.ai, it was fixed in 5.19.6 and 6.2.5. It is better to install newer versions. 😉

About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability

About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability. A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system.

What is actually hidden behind this description? In the April review on MSPT, a ZDI expert noted that vulnerabilities of this kind in SharePoint are often associated with XSS attacks.

🛠 On April 23, an exploit was published on GitHub, whose author claims that the vulnerability can be summarized as follows: "An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (reflected XSS), which executes in the security context of the SharePoint site."

In other words, the attacker sends a specially crafted request to the SharePoint server, causing SharePoint to generate a malicious link on behalf of a trusted source. The attacker then passes this link to the user. When the user opens such a link, the injected malicious JavaScript executes in the context of SharePoint, which can be used to steal data from the current session, intercept authentication tokens, as well as perform actions on behalf of the user through the user's active session.

👾 Microsoft experts noted the vulnerability as being exploited in the wild on the day of publication of the April Microsoft Patch Tuesday, April 14. The vulnerability was added to the CISA KEV. On the same day, researchers from Defused reported coordinated reconnaissance activity targeting vulnerable SharePoint servers, which was carried out from four IP addresses between April 1 and April 11.

⚙️ Updates are available for Microsoft SharePoint Server 2016, 2019, and Subscription Edition.