Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability. WSUS is a legacy Windows Server component that allows IT administrators to manage the download and installation of Microsoft product updates on computers within a local network. Vulnerability summary: An unauthenticated remote attacker can execute code with SYSTEM privileges on a Windows server with the WSUS Server Role enabled (it is disabled by default) by sending specially crafted POST requests. This is possible due to a flaw in deserializing untrusted data.

⚙️ Initial patches were released on October 14 as part of Microsoft’s October Patch Tuesday.

🛠 A public exploit has been available on GitHub since October 18.

⚙️ On October 24, Microsoft released additional patches to fully address the vulnerability (server reboot is required).

👾 On October 24, the vulnerability was added to the CISA KEV, and there are reports of observed exploitation attempts.
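A triage check for this issue, added here as an example (it is not part of the original post and not Microsoft's own tooling): it reports whether the WSUS role is installed on the server, whether anything is listening on the WSUS ports, and whether an enabled inbound host-firewall rule blocks those ports. Microsoft's interim mitigation for hosts that cannot yet be patched and rebooted is to disable the WSUS Server Role or block inbound traffic to ports 8530/8531, which is what the last two checks cover. The function name `Get-WsusExposure` and the default port list are assumptions; the script does not check the patch level itself, so a host reported as exposed still needs the October 24 update and a reboot.

```powershell
# Added example: CVE-2025-59287 exposure triage for a Windows Server host.
# Assumes the ServerManager, NetTCPIP and NetSecurity modules are available
# (present on Windows Server 2012 R2 and later). Run in an elevated PowerShell.

function Get-WsusExposure {
    [CmdletBinding()]
    param(
        # Default WSUS HTTP/HTTPS ports; adjust if the role was configured on custom ports
        [int[]]$WsusPorts = @(8530, 8531)
    )

    # 1. Is the WSUS Server Role (feature name UpdateServices) installed?
    $feature       = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($feature -and $feature.Installed)

    # 2. Is anything listening on the WSUS ports right now?
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort })

    # 3. Does an enabled inbound Block rule cover one of those TCP ports (interim mitigation)?
    $portStrings = $WsusPorts | ForEach-Object { [string]$_ }
    $blockRules = @(
        foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue)) {
            $pf = $rule | Get-NetFirewallPortFilter
            if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) | Where-Object { $portStrings -contains $_ })) {
                $rule
            }
        }
    )

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WsusRole       = $roleInstalled
        ListeningPorts = (($listeners | ForEach-Object { $_.LocalPort } | Sort-Object -Unique) -join ',')
        InboundBlocked = ($blockRules.Count -gt 0)
        # Exposed = role present and ports reachable with no blocking rule:
        # apply the out-of-band update and reboot, or disable the role / block the ports until you can.
        Exposed        = ($roleInstalled -and ($listeners.Count -gt 0) -and ($blockRules.Count -eq 0))
    }
}

Get-WsusExposure | Format-List
```

Run it across a fleet with `Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-WsusExposure}` and filter on `Exposed -eq $true`; a server with the role installed but nothing listening is typically one where the service is stopped, which still needs the patch before the service is started again.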

In Russian

October Linux Patch Wednesday

October Linux Patch Wednesday. In October, Linux vendors began addressing 801 vulnerabilities, slightly more than in September. Of these, 546 are in the Linux Kernel. One is being exploited in the wild:

🔻 EoP – VMware Tools (CVE-2025-41244). This vulnerability has been exploited since October 2024, and public exploits are available. According to the description, exploitation requires VMware Aria Operations.

Public or suspected exploits exist for 39 more vulnerabilities, including:

🔸 RCE – Redis (CVE-2025-49844 – RediShell, CVE-2025-46817), OpenSSH (CVE-2025-61984), 7-Zip (CVE-2025-11001, CVE-2025-11002)
🔸 EoP – FreeIPA (CVE-2025-7493), Asterisk (CVE-2025-1131)
🔸 SQLi – MapServer (CVE-2025-59431)
🔸 SFB – authlib (CVE-2025-59420)
🔸 MemCor – Binutils (CVE-2025-11082 and 7 more), Open Babel (CVE-2025-10995 and 6 more)

🗒 Full Vulristics report

In Russian

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo. A traditional monthly roundup. This time, once again, no Microsoft vulnerabilities. 😲

🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)

Only three identifiers in total:

🔻 Remote Code Execution – Cisco ASA/FTD (CVE-2025-20333, CVE-2025-20362). This vulnerability chain has been exploited in attacks since May 2025, but there are no public exploits yet.
🔻 Elevation of Privilege – Sudo (CVE-2025-32463). There are signs of in-the-wild exploitation and many public exploits are available.

In Russian

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. A total of 213 vulnerabilities – twice as many as in September. Of these, 41 vulnerabilities were added between the September and October MSPT. There are four vulnerabilities with evidence of exploitation in the wild:

🔻 SFB – IGEL OS (CVE-2025-47827) – public exploit available
🔻 EoP – Windows Agere Modem Driver (CVE-2025-24990)
🔻 EoP – Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 MemCor – Chromium (CVE-2025-10585)

Another vulnerability with a public PoC exploit:

🔸 RCE – Unity Runtime (CVE-2025-59489)

Among the remaining vulnerabilities with no public exploits or signs of exploitation in the wild, the following stand out:

🔹 RCE – WSUS (CVE-2025-59287), Microsoft Office (CVE-2025-59227, CVE-2025-59234)
🔹 EoP – Windows Agere Modem Driver (CVE-2025-24052), Windows Cloud Files Mini Filter Driver (CVE-2025-55680)

🗒 Full Vulristics Report

In Russian

About Elevation of Privilege – Sudo (CVE-2025-32463) vulnerability

About Elevation of Privilege – Sudo (CVE-2025-32463) vulnerability. Sudo is a utility in Unix-like operating systems that allows a user to run a program with the privileges of another user, by default the superuser (root).

🔻 The vulnerability allows a local attacker to escalate privileges by forcing sudo to load an arbitrary dynamic library when a root directory is specified via the -R (--chroot) option: sudo resolves /etc/nsswitch.conf (the Name Service Switch configuration file) from the user-controlled chroot and loads the NSS modules it names. An attacker can thereby execute arbitrary commands as root on systems that use nsswitch.conf.

⚙️ The vulnerability was fixed in sudo 1.9.17p1, released on June 30, 2025.

🛠 On the same day, a write-up by researcher Rich Mirch was published with a PoC exploit.

🐧 I noted Linux vendors’ remediation of this vulnerability in July Linux Patch Wednesday. Multiple public exploits for the vulnerability were available.

👾 On September 29, the vulnerability was added to CISA KEV.
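A version check for this issue, added here as an example (not from the original post or from the sudo project): the vulnerable --chroot handling was introduced in sudo 1.9.14 and removed in 1.9.17p1, so a build is affected when 1.9.14 <= version < 1.9.17p1. The function names and the 1000-based version key are assumptions of this example. The caveat a practitioner needs: distribution packages often backport the fix without bumping the upstream version string, so a hit from this check means "compare against your vendor's advisory", not "confirmed vulnerable".

```sh
#!/bin/sh
# Added example: decide whether an installed sudo falls in the CVE-2025-32463 range.
# Affected: 1.9.14 <= version < 1.9.17p1 (upstream versions; vendor backports may differ).

# Turn "1.9.17p1" into a single comparable integer: ((major*1000+minor)*1000+patch)*1000+plevel.
sudo_version_key() {
    v="$1"
    base=${v%%p*}                       # "1.9.17"
    p=0
    case "$v" in *p*) p=${v##*p} ;; esac   # "1"
    set -- $(printf '%s' "$base" | tr '.' ' ')
    printf '%s\n' $(( ((${1:-0} * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 1000 + p ))
}

# Exit status 0 if the given version string is in the affected range, 1 otherwise.
sudo_chroot_vulnerable() {
    k=$(sudo_version_key "$1")
    lo=$(sudo_version_key "1.9.14")
    hi=$(sudo_version_key "1.9.17p1")
    [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]
}

# Read the first line of `sudo --version` ("Sudo version 1.9.15p5") and report.
installed=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
if [ -n "$installed" ]; then
    if sudo_chroot_vulnerable "$installed"; then
        echo "sudo $installed: in the CVE-2025-32463 range; update to 1.9.17p1+ or confirm a vendor backport"
    else
        echo "sudo $installed: outside the affected range"
    fi
fi
```

On distributions that ship a patched 1.9.15 or 1.9.16, confirm the fix via the package changelog (for example `rpm -q --changelog sudo | grep -i 32463` or `apt changelog sudo`) rather than the version string.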

In Russian

About Remote Code Execution – Cisco ASA/FTD (CVE-2025-20333, CVE-2025-20362) vulnerability

About Remote Code Execution – Cisco ASA/FTD (CVE-2025-20333, CVE-2025-20362) vulnerability. Cisco ASA and FTD are among the most widely used solutions for perimeter protection and for providing remote access to corporate infrastructure. 🔗 On September 25, Cisco released updates addressing a chain of vulnerabilities that could allow attackers to take full control of affected devices:

🔻 Vulnerability CVE-2025-20362 allows an unauthenticated attacker to access a restricted URL.

🔻 Vulnerability CVE-2025-20333 allows an authenticated attacker to execute arbitrary code as root.

👾 Cisco reports that the vulnerability chain has been exploited in attacks since May 2025. The attacks are linked to the ArcaneDoor campaign and use the LINE VIPER and RayInitiator malware.

🛠 There are no public exploits yet.

🌐 Shadowserver shows over 45,000 vulnerable hosts, with more than 2,000 of them in Russia.

In Russian

Vulners has added information on exploits

Vulners has added information on exploits. But wasn’t that already available before? After all, Vulristics takes most of its exploit-related data from Vulners! 🤔

That’s true. ✅ But previously an exploit in Vulners was always a Vulners object from a specific collection. For example, an exploit page from ExploitDB. The centralized, collection-based approach works great for sources like vulnerability databases, security bulletins, and exploit packs.

However, quite often an exploit PoC is found in random places – for example, in a researcher’s blog post or on a vendor’s page. For such cases, Vulners now also stores exploits as sets of links in the vulnerability metadata. 🔗🧩 These links are collected from various sources, including NVD, GitHub, and Gitee.

The number of sources will expand, exploit information in Vulners will become more complete, and tools like Vulristics will be able to prioritize vulnerabilities even better based on that. 🧰📈

In Russian