Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I post.

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability


About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability. cldflt.sys is the Windows Cloud Files Mini Filter driver whose purpose is to present files and folders stored in the cloud as if they were located on the local computer. A vulnerability in this driver, fixed as part of Microsoft’s December Patch Tuesday, allows a local attacker to obtain SYSTEM privileges. The root cause of the vulnerability is a Use After Free issue (CWE-416).

⚙️ The vulnerability was discovered by Microsoft researchers (from MSTIC and MSRC). Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.

👾 The vulnerability has been exploited in the wild and added to the CISA KEV catalog. No attack details are available yet.

🛠 Since December 10, alleged exploit repositories briefly appeared on GitHub and were later removed; exploit sale offers have also been observed (possibly fraudulent).

In Russian

January Microsoft Patch Tuesday


January Microsoft Patch Tuesday. A total of 114 vulnerabilities were addressed, twice as many as in December. There is one vulnerability with evidence of in-the-wild exploitation:

🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

There are also two vulnerabilities with public exploits:

🔸 RCE – Windows Deployment Services (CVE-2026-0386)
🔸 EoP – Windows Agere Soft Modem Driver (CVE-2023-31096)

Other notable vulnerabilities include:

🔹 RCE – Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP – Desktop Window Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB – Secure Boot Certificate Expiration (CVE-2026-21265)

Also noteworthy, reported by Positive Technologies:

🟥 EoP – Windows Telephony Service (CVE-2026-20931)

🗒 Full Vulristics report

In Russian

About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability


About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability. React is a popular open-source JavaScript framework; to improve application performance, it allows part of the logic to be executed on the server via React Server Components (RSC). By exploiting insecure deserialization in RSC, an unauthenticated attacker can achieve server-side code execution via a crafted HTTP request.

⚙️ React fixes were released on December 3. Other frameworks that embed React are also vulnerable, including Next.js, React Router, Expo, Redwood SDK, Waku, and others.

🛠 Public exploits have been available since December 3; by December 19, GitHub hosted 250+ exploit and scanner projects. 😮

👾 Attacks are widespread and have been observed since December 5; the vulnerability was added to CISA KEV on December 9.

🌐 Shadowserver reports 100k+ vulnerable hosts; RuNet estimates range from 10k to 40k+. 🤔

In Russian

December Linux Patch Wednesday


December Linux Patch Wednesday. In December, Linux vendors began fixing 650 vulnerabilities, roughly the same as in November. Of these, 399 are in the Linux Kernel. No vulnerabilities with signs of in-the-wild exploitation were detected.

For 29 vulnerabilities, public exploits are available or there are indications of their existence. The following can be highlighted:

🔸 RCE – JupyterLab Extension Template (CVE-2024-39700), fontTools (CVE-2025-66034), Cacti (CVE-2025-66399), CUPS (CVE-2025-64524)
🔸 XXE – Apache Tika (CVE-2025-66516)
🔸 SQLi – phpPgAdmin (CVE-2025-60797, CVE-2025-60798)
🔸 AuthBypass – cpp-httplib (CVE-2025-66570)
🔸 OpenRedirect – Chromium (CVE-2024-13983)

🗒 Full Vulristics report

In Russian

December “In the Trend of VM” (#22): vulnerabilities in Windows, the expr-eval library, Control Web Panel, and Django


December “In the Trend of VM” (#22): vulnerabilities in Windows, the expr-eval library, Control Web Panel, and Django. A traditional monthly roundup of trending vulnerabilities – this time, a fairly compact one. 💽

🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)

Four vulnerabilities in total:

🔻 EoP – Windows Kernel (CVE-2025-62215)
🔻 RCE – expr-eval (CVE-2025-12735)
🔻 RCE – Control Web Panel (CVE-2025-48703)
🔻 SQLi – Django (CVE-2025-64459)

🟥 Trending Vulnerabilities Portal

In Russian

About Remote Code Execution – Control Web Panel (CVE-2025-48703) vulnerability


About Remote Code Execution – Control Web Panel (CVE-2025-48703) vulnerability. Control Web Panel (CWP) is a free web-hosting control panel for RPM-based distributions. This web application provides a convenient interface for configuring and managing web servers (Apache, NGINX), databases (MySQL, MariaDB), mail systems (Postfix, Dovecot, Roundcube), DNS (BIND), and security tools (CSF, ModSecurity).

💡 Essence of the vulnerability: in the changePerm request of the filemanager module, there is a parameter called t_total, and its value is used as an argument to the system command chmod without sufficient validation. 🤷‍♂️ This allows an unauthenticated attacker to execute arbitrary shell commands on the CWP server. 😏

⚙️ Fixed in version 0.9.8.1205 on June 18, 2025.

🛠 On June 22, a detailed write-up appeared, followed soon by GitHub exploits.

👾 On November 4, the vulnerability was added to CISA KEV.

🌐 Shodan detects about 220,000 CWP installations online.

In Russian

About Remote Code Execution – expr-eval (CVE-2025-12735) vulnerability


About Remote Code Execution – expr-eval (CVE-2025-12735) vulnerability. expr-eval is a JavaScript library for parsing and evaluating mathematical expressions, providing safe handling of user-supplied variables. It is used in online calculators, educational programs, modeling tools, financial applications, AI systems, and natural language processing (NLP). Insufficient input validation may allow arbitrary JavaScript code execution in the application’s context.

🛠 The vulnerability was discovered on November 5. A PoC has been on GitHub since November 11.

⚙️ The vulnerability is still in the process of being fixed in the main (effectively abandoned 🤷‍♂️) expr-eval project and is not fully fixed in its fork, expr-eval-fork. Secure versions are expected to appear in the corresponding GHSA.

🌐 The library is popular: expr-eval has 800k weekly downloads on npm, and expr-eval-fork has 88k.

👾 No in-the-wild exploitation has been observed so far.

In Russian