Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability

Leave a reply

About Remote Code Execution - Microsoft Office (CVE-2026-21509) vulnerability

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability. The vulnerability was urgently fixed on January 26, outside the regular Microsoft Patch Tuesday. Microsoft classified it as a Security Feature Bypass, but in fact, it is more of a Remote Code Execution. The vulnerability involves bypassing OLE (Object Linking and Embedding) security features in Microsoft 365 and Microsoft Office. It is exploited when opening malicious Office files (Preview Pane is safe).

⚙️ In Office 2021+, protection is enabled automatically via server-side changes after restarting the applications. For Office 2016/2019, updates must be installed or registry changes applied.

👾 Microsoft reports that the vulnerability is being exploited in the wild.

🛠 No public exploits are available yet.

На русском

January “In the Trend of VM” (#23): vulnerabilities in Windows, React and MongoDB

Leave a reply

January In the Trend of VM (#23): vulnerabilities in Windows, React and MongoDB

January “In the Trend of VM” (#23): vulnerabilities in Windows, React and MongoDB. Traditional monthly roundup of trending vulnerabilities. Launching the 2026 season. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

In total, three vulnerabilities:

🔻 EoP – Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
🔻 RCE – React Server Components “React2Shell” (CVE-2025-55182)
🔻 InfDisc – MongoDB “MongoBleed” (CVE-2025-14847)

🟥 Trending Vulnerabilities Portal

На русском

January Linux Patch Wednesday

Leave a reply

January Linux Patch Wednesday

January Linux Patch Wednesday. In January, Linux vendors started fixing 918 vulnerabilities, one and a half times more than in December. Of these, 616 are in the Linux Kernel. Three show signs of exploitation in the wild:

🔻 AuthBypass – GNU Inetutils (telnetd) (CVE-2026-24061)
🔻 RCE – Safari (CVE-2025-43529); fixed in Linux distributions in webkit packages
🔻 MemCor – Chromium (CVE-2025-14174)

Another 97 vulnerabilities have public exploits or signs of their existence. Key examples:

🔸 MemCor – libpng (CVE-2026-22695)
🔸 XSS – Roundcube (CVE-2025-68461)
🔸 RCE – expr-eval (CVE-2025-13204)
🔸 ComInj – cpp-httplib (CVE-2026-21428), httparty (CVE-2025-68696), Miniflux (CVE-2026-21885)
🔸 SQLi – parsl (CVE-2026-21892)
🔸 SFB – OWASP CRS (CVE-2026-21876), Authlib (CVE-2025-68158)
🔸 AFW – node-tar (CVE-2026-23745)
🔸 PathTrav – GNU Wget2 (CVE-2025-69194), Tar (CVE-2025-45582)

🗒 Full Vulristics Report

На русском

Our PR team awarded me the “The Best Positive Speaker 2025” metal pin for public speaking, articles, and media commentary

Leave a reply

Our PR team awarded me the “The Best Positive Speaker 2025” metal pin for public speaking, articles, and media commentary

Our PR team awarded me the “The Best Positive Speaker 2025” metal pin for public speaking, articles, and media commentary. Huge thanks to my colleagues for this! I’m very pleased. 😇 The collection is growing. 😉

This time, the pin is styled like the Friends sitcom logo. It’s made of metal, coated with colored enamel, quite hefty, measures 5×2 cm, and fastens with two butterfly clasps. Very nice. 👍

PS: I hope there wasn’t any hidden hint in the pin’s style. 😉

So no one told you life was going to be this way. 👏👏
Your job’s a joke, you’re broke, your love life’s DOA. 😅

На русском

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability

Leave a reply

About Information Disclosure - Desktop Window Manager (CVE-2026-20805) vulnerability

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability. Desktop Window Manager is a compositing window manager that has been part of Windows since Windows Vista. Exploitation of the vulnerability, which was addressed in the January Microsoft Patch Tuesday, allows a local attacker to disclose the “section address from a remote ALPC port which is user-mode memory”.

👾 Microsoft noted that this vulnerability is being exploited in attacks. The vulnerability was added to CISA’s KEV catalog on January 13. There are no public details about the attacks yet, but Rapid7 experts suggest that the disclosed memory address can be used to bypass ASLR, “increasing the chance of developing a stable elevation of privilege exploit for DWM”.

🛠 Public exploit PoCs have been available on GitHub since January 14.

На русском

About Authentication Bypass – GNU Inetutils (CVE-2026-24061) vulnerability

Leave a reply

About Authentication Bypass - GNU Inetutils (CVE-2026-24061) vulnerability

About Authentication Bypass – GNU Inetutils (CVE-2026-24061) vulnerability. GNU Inetutils is a collection of common network programs, including, among other things, a Telnet server (telnetd). A vulnerability in GNU Inetutils telnetd allows a remote attacker to obtain a root shell on the host without any credentials by sending a crafted USER environment variable containing the value “-f root”.

⚙️ A patch fixing the vulnerability was released on January 20. Versions 1.9.3–2.7 are vulnerable; the issue went undisclosed for 10+ years. 🤷‍♂️

🛠 A detailed write-up and exploit were published by SafeBreach on January 22.

👾 Exploitation in the wild has been observed by GreyNoise since January 21.

🌐 Shodan estimates ~212,396 Telnet servers online in total. How many of them use GNU Inetutils and are vulnerable is still unclear. CyberOK discovered around 500 potentially vulnerable Telnet servers in the Russian Internet segment.

На русском

About Information Disclosure – MongoDB “MongoBleed” (CVE-2025-14847) vulnerability

Leave a reply

About Information Disclosure - MongoDB MongoBleed (CVE-2025-14847) vulnerability

About Information Disclosure – MongoDB “MongoBleed” (CVE-2025-14847) vulnerability. MongoDB is a popular NoSQL database that stores data as JSON-like documents with an optional schema. The project is licensed under the SSPL. A flaw in MongoDB’s handling of the data length parameter during zlib compression allows a remote, unauthenticated attacker to access uninitialized memory and, consequently, sensitive data (credentials, keys, customer data, etc.).

⚙️ “Critical fix” was released on December 19. The vulnerability is fixed in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

🛠👾 A public exploit appeared on GitHub on December 26. Exploiting it only requires specifying a host, port, and memory read offsets. Immediately after the exploit was published, mass exploitation began, according to Wiz. The vulnerability was added to the CISA KEV on December 29.

🌐 Censys reports ~86k vulnerable servers online, including ~2k in Russia.

На русском