Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability

Leave a reply

About Information Disclosure - Desktop Window Manager (CVE-2026-20805) vulnerability

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability. Desktop Window Manager is a compositing window manager that has been part of Windows since Windows Vista. Exploitation of the vulnerability, which was addressed in the January Microsoft Patch Tuesday, allows a local attacker to disclose the “section address from a remote ALPC port which is user-mode memory”.

👾 Microsoft noted that this vulnerability is being exploited in attacks. The vulnerability was added to CISA’s KEV catalog on January 13. There are no public details about the attacks yet, but Rapid7 experts suggest that the disclosed memory address can be used to bypass ASLR, “increasing the chance of developing a stable elevation of privilege exploit for DWM”.

🛠 Public exploit PoCs have been available on GitHub since January 14.

На русском

About Authentication Bypass – GNU Inetutils (CVE-2026-24061) vulnerability

Leave a reply

About Authentication Bypass - GNU Inetutils (CVE-2026-24061) vulnerability

About Authentication Bypass – GNU Inetutils (CVE-2026-24061) vulnerability. GNU Inetutils is a collection of common network programs, including, among other things, a Telnet server (telnetd). A vulnerability in GNU Inetutils telnetd allows a remote attacker to obtain a root shell on the host without any credentials by sending a crafted USER environment variable containing the value “-f root”.

⚙️ A patch fixing the vulnerability was released on January 20. Versions 1.9.3–2.7 are vulnerable; the issue went undisclosed for 10+ years. 🤷‍♂️

🛠 A detailed write-up and exploit were published by SafeBreach on January 22.

👾 Exploitation in the wild has been observed by GreyNoise since January 21.

🌐 Shodan estimates ~212,396 Telnet servers online in total. How many of them use GNU Inetutils and are vulnerable is still unclear. CyberOK discovered around 500 potentially vulnerable Telnet servers in the Russian Internet segment.

На русском

About Information Disclosure – MongoDB “MongoBleed” (CVE-2025-14847) vulnerability

Leave a reply

About Information Disclosure - MongoDB MongoBleed (CVE-2025-14847) vulnerability

About Information Disclosure – MongoDB “MongoBleed” (CVE-2025-14847) vulnerability. MongoDB is a popular NoSQL database that stores data as JSON-like documents with an optional schema. The project is licensed under the SSPL. A flaw in MongoDB’s handling of the data length parameter during zlib compression allows a remote, unauthenticated attacker to access uninitialized memory and, consequently, sensitive data (credentials, keys, customer data, etc.).

⚙️ “Critical fix” was released on December 19. The vulnerability is fixed in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

🛠👾 A public exploit appeared on GitHub on December 26. Exploiting it only requires specifying a host, port, and memory read offsets. Immediately after the exploit was published, mass exploitation began, according to Wiz. The vulnerability was added to the CISA KEV on December 29.

🌐 Censys reports ~86k vulnerable servers online, including ~2k in Russia.

На русском

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability

Leave a reply

About Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability. cldflt.sys is the Windows Cloud Files Mini Filter driver whose purpose is to present files and folders stored in the cloud as if they were located on the local computer. A vulnerability in this driver, fixed as part of Microsoft’s December Patch Tuesday, allows a local attacker to obtain SYSTEM privileges. The root cause of the vulnerability is a Use After Free issue (CWE-416).

⚙️ The vulnerability was discovered by Microsoft researchers (from MSTIC and MSRC). Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.

👾 The vulnerability has been exploited in the wild and added to the CISA KEV catalog. No attack details are available yet.

🛠 Since December 10, alleged exploit repositories briefly appeared on GitHub and were later removed; exploit sale offers have also been observed (possibly fraudulent).

На русском

January Microsoft Patch Tuesday

Leave a reply

January Microsoft Patch Tuesday

January Microsoft Patch Tuesday. A total of 114 vulnerabilities, twice as many as in December. There is one vulnerability with evidence of in-the-wild exploitation:

🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

There are also two vulnerabilities with public exploits:

🔸 RCE – Windows Deployment Services (CVE-2026-0386)
🔸 EoP – Windows Agere Soft Modem Driver (CVE-2023-31096)

Other notable vulnerabilities include:

🔹 RCE – Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP – Desktop Windows Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB – Secure Boot Certificate Expiration (CVE-2026-21265)

Also noteworthy, reported by Positive Technologies:

🟥 EoP – Windows Telephony Service (CVE-2026-20931)

🗒 Full Vulristics report

На русском

About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability

Leave a reply

About Remote Code Execution - React Server Components React2Shell (CVE-2025-55182) vulnerability

About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability. React is a popular open-source JavaScript framework; to improve application performance, it allows part of the logic to be executed on the server via React Server Components (RSC). By exploiting insecure deserialization in RSC, an unauthenticated attacker can achieve server-side code execution via a crafted HTTP request.

⚙️ React fixes were released on December 3. Other frameworks that embed React are also vulnerable, including Next.js, React Router, Expo, Redwood SDK, Waku, and others.

🛠 Public exploits have been available since December 3; by December 19, GitHub hosted 250+ exploit and scanner projects. 😮

👾 Attacks are widespread and have been observed since December 5; listed in CISA KEV Dec 9.

🌐 Shadowserver reports 100k+ vulnerable hosts; RuNet estimates range from 10k to 40k+. 🤔

На русском

December Linux Patch Wednesday

Leave a reply

December Linux Patch Wednesday

December Linux Patch Wednesday. In December, Linux vendors began fixing 650 vulnerabilities, roughly the same as in November. Of these, 399 are in the Linux Kernel. No vulnerabilities with signs of in-the-wild exploitation were detected.

For 29 vulnerabilities, public exploits are available or there are indications of their existence. The following can be highlighted:

🔸 RCE – JupyterLab Extension Template (CVE-2024-39700), fontTools (CVE-2025-66034), Cacti (CVE-2025-66399), CUPS (CVE-2025-64524)
🔸 XXE – Apache Tika (CVE-2025-66516)
🔸 SQLi – phpPgAdmin (CVE-2025-60797, CVE-2025-60798)
🔸 AuthBypass – cpp-httplib (CVE-2025-66570)
🔸 OpenRedirect – Chromium (CVE-2024-13983)

🗒 Full Vulristics report

На русском