Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

Leave a reply

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”. 😉

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:00 Greetings
🔻 00:28 Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)
🔻 01:30 Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138)
🔻 02:37 Remote Code Execution – Apache Struts (CVE-2024-53677)
🔻 03:31 Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972)
🔻 04:44 Trending vulnerabilities for 2024

👾 08:10 Channel mascot 😅

На русском

February Microsoft Patch Tuesday

Leave a reply

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. 89 CVEs, 33 added since January. Two with signs of exploitation in the wild:

🔻 EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-21418)
🔻 EoP – Windows Storage (CVE-2025-21391)

There are no vulnerabilities with public exploits, but there are 7 with private ones:

🔸 RCE – Microsoft Edge (CVE-2025-21279, CVE-2025-21283)
🔸 Auth. Bypass – Azure (CVE-2025-21415)
🔸 EoP – Windows Setup Files Cleanup (CVE-2025-21419)
🔸 Spoofing – Windows NTLM (CVE-2025-21377)
🔸 Spoofing – Microsoft Edge (CVE-2025-21267, CVE-2025-21253)

Among the rest, the following can be highlighted:

🔹 RCE – Windows LDAP (CVE-2025-21376), Microsoft Excel (CVE-2025-21381, CVE-2025-21387), Microsoft SharePoint Server (CVE-2025-21400), DHCP Client Service (CVE-2025-21379)
🔹 EoP – Windows Core Messaging (CVE-2025-21184, CVE-2025-21358, CVE-2025-21414), Windows Installer (CVE-2025-21373)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability

Leave a reply

About Elevation of Privilege - Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability

About Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability. These three vulnerabilities were disclosed as part of Microsoft’s January Patch Tuesday and share the same description. They were found in a component used for communications between the host OS and container-type virtual machines, such as Windows Sandbox and Microsoft Defender Application Guard (MDAG).

If the vulnerabilities are successfully exploited, an attacker can gain System privileges. Microsoft specifically notes that this is a local privilege escalation on the host system, not any type of guest to host escape.

👾 These vulnerabilities are being actively exploited in the wild, though no public exploits are currently available.

The only difference in the vulnerability descriptions is that CVE-2025-21333 is caused by Heap-based Buffer Overflow, while CVE-2025-21334 and CVE-2025-21335 are caused by Use After Free.

На русском

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability

Leave a reply

About Remote Code Execution - Microsoft Configuration Manager (CVE-2024-43468) vulnerability

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability. This vulnerability is from the October 2024 MSPT. Microsoft Configuration Manager (ConfigMgr) is used to manage large groups of computers, providing remote control, patch management, software distribution, operating system deployment, etc.

According to Microsoft, the vulnerability allowed an unauthenticated attacker to execute commands at the server or database level by sending specially crafted requests to the Management Point.

Synacktiv experts revealed the details 100 days after the October MSPT, on January 16. MP_Location service processed client messages insecurely. This flaw enabled attackers to perform SQL injections and execute arbitrary database queries with the highest privileges, including running commands on the server via xp_cmdshell. 🤷‍♂️

Public exploits are available on GitHub. There are no reports of exploitation in the wild yet.

На русском

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability

Leave a reply

About Remote Code Execution - 7-Zip (CVE-2025-0411) vulnerability

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability. 7-Zip is a popular, free, open-source archiver widely used by organizations as a standard tool for managing archives.

The vulnerability is a bypass of the Mark-of-the-Web mechanism.

🔹 If you download and run a suspicious executable file on Windows, Microsoft Defender’s SmartScreen will block it from executing because it comes from an untrusted source.

🔹 However, if you download a 7z archive containing another 7z archive with malware, you can execute the file with just three double-clicks, and SmartScreen won’t trigger. 🤷‍♂️ This happens because 7-Zip versions prior to 24.09, released on November 30, 2024, failed to properly apply the Mark-of-the-Web label to extracted files. An exploit example is available on GitHub.

No signs of exploitation in the wild yet, but they are likely to emerge, as this is an easy way to increase the success rate of phishing attacks. Update 7-Zip!

На русском

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

Leave a reply

About Authentication Bypass - FortiOS (CVE-2024-55591) vulnerability

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy.

🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create accounts with random names, modify device settings, and gain access to internal systems.

🔹 The vendor advisory was published on January 14. The vulnerability was added to the CISA KEV.

🔹 A public exploit has been available on GitHub since January 21.

🔹 As of January 26, Shadow Server reports around 45,000 vulnerable devices accessible from the Internet.

The vendor recommends updating FortiOS and FortiProxy to secure versions and restricting or disabling administrative HTTP/HTTPS interfaces.

На русском

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability

Leave a reply

About Remote Code Execution - Windows OLE (CVE-2025-21298) vulnerability

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability. The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document.

What is this vulnerability about? The attacker’s code executes when a specially crafted RTF document is opened or when a malicious email is opened or previewed in Microsoft Outlook. In the second case, no action is required from the victim other than clicking on the message. 🤷‍♂️ Microsoft recommends viewing messages in Outlook only in plain text.

On January 20, an exploit PoC appeared on GitHub that demonstrates Memory Corruption when opening an RTF document. Now we are waiting for an RCE exploit for Outlook. 😉

There have been no reports of attacks yet.

Fix this vulnerability ASAP!

На русском