Category Archives: Topics

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability

Leave a reply

About Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability. cldflt.sys is a Windows Cloud Files Mini Filter driver responsible for representing cloud-stored files and folders as if they were located on the local machine. The vulnerability in this driver, fixed as part of the June 2024 Microsoft Patch Tuesday, allows an attacker to gain SYSTEM privileges. The root cause of the vulnerability is a Heap-based Buffer Overflow (CWE-122).

🔻 A private exploit was presented at the TyphoonPWN 2024 competition on May 30, 2024. It was used as part of an exploit chain to achieve a VMware Workstation Guest-to-Host escape.

🔻 On December 19, 2024, a technical write-up and exploit code were published on the SSD Secure Disclosure website.

🔻 On March 3, a blog post by Positive Technologies was published that examines the roots of the vulnerability and exploitation techniques.

На русском

About Remote Code Execution – Apache Tomcat (CVE-2025-24813) vulnerability

Leave a reply

About Remote Code Execution - Apache Tomcat (CVE-2025-24813) vulnerability

About Remote Code Execution – Apache Tomcat (CVE-2025-24813) vulnerability. Apache Tomcat is an open-source software that provides a platform for Java web applications. The vulnerability allows a remote attacker to upload and execute arbitrary files on the server due to flaws in the handling of uploaded session files and the deserialization mechanism.

🔻 The vendor’s bulletin was released on March 10. It notes that the two conditions required for exploitation (“writes enabled for the default servlet” and “file based session persistence with the default storage location”) are not met in default installations.

🔻 Vulnerability write-up based on patch analysis and PoC exploit were published on March 11. Fully functional exploits have been available on GitHub since March 13.

🔻 Since March 17, there have been signs of exploitation in the wild. 👾 On April 1, the vulnerability was added to CISA KEV.

The vulnerability was fixed in versions 9.0.99, 10.1.35, and 11.0.3.

На русском

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability

Leave a reply

About Remote Code Execution - Kubernetes (CVE-2025-1974) vulnerability

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. In the default installation, the controller can access all Secrets cluster-wide.

🔹 On March 24, Wiz published a write-up on this vulnerability, naming it IngressNightmare (alongside CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514). Wiz researchers identified 6,500 vulnerable controllers exposed to the Internet. 😱 The Kubernetes blog reports that in many common scenarios, the Pod network is accessible to all workloads in the cloud VPC, or even anyone connected to the corporate network. Ingress-nginx is used in 40% of Kubernetes clusters.

🔹 Public exploits are available on GitHub since March 25th. 😈

Update ingress-nginx to versions v1.12.1, v1.11.5, or higher!

На русском

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability

Leave a reply

About Remote Code Execution - Veeam Backup & Replication (CVE-2025-23120) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability. Veeam B&R is a client-server software solution for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments.

A deserialization flaw (CWE-502) lets an attacker run arbitrary code on a Veeam server. The necessary conditions: the Veeam server must be part of an Active Directory domain, and the attacker must be authenticated in this domain.

The vendor’s security advisory was released on March 19. The next day, on March 20, WatchTowr Labs published an analysis of the vulnerability. A PoC exploit is expected to appear soon.

Veeam products were widely deployed in Russia until 2022, and many active installations likely remain.

❗️ Compromising the backup system could severely delay infrastructure recovery following a ransomware attack. 😉

Upgrade to version 12.3.1 and, if possible, disconnect the B&R server from the domain.

На русском

March Linux Patch Wednesday

Leave a reply

March Linux Patch Wednesday

March Linux Patch Wednesday. Total vulnerabilities: 1083. 😱 879 in the Linux Kernel. 🤦‍♂️ Two vulnerabilities show signs of exploitation in the wild:

🔻 Code Injection – GLPI (CVE-2022-35914). An old vulnerability from CISA KEV, but first patched on March 3 in RedOS Linux.
🔻 Memory Corruption – Safari (CVE-2025-24201). Fixed in WebKitGTK packages in Linux repositories.

There are 19 vulnerabilities with publicly available exploits. Notable ones:

🔸 Remote Code Execution – Apache Tomcat (CVE-2025-24813)
🔸 Command InjectionSPIP (CVE-2024-8517)
🔸 Memory CorruptionAssimp (CVE-2025-2152)
🔸 Memory Corruption – libxml2 (CVE-2025-27113)

The Elevation of Privilege vulnerability in the Linux Kernel (CVE-2022-49264) has no public exploit yet. However, it resembles well-known PwnKit (CVE-2021-4034).

🗒 Full Vulristics report

На русском

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

Leave a reply

About Spoofing - Windows File Explorer (CVE-2025-24071) vulnerability

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just extracting a ZIP/RAR archive with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing. 😱

На русском

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. 77 CVEs, 20 of which were added during the month. 7 vulnerabilities with signs of exploitation in the wild:

🔻 RCE – Windows Fast FAT File System Driver (CVE-2025-24985)
🔻 RCE – Windows NTFS (CVE-2025-24993)
🔻 SFB – Microsoft Management Console (CVE-2025-26633)
🔻 EoP – Windows Win32 Kernel Subsystem (CVE-2025-24983)
🔻 InfDisc – Windows NTFS (CVE-2025-24991, CVE-2025-24984)
🔻 AuthBypass – Power Pages (CVE-2025-24989) – in Microsoft web service, can be ignored

There are no vulnerabilities with public exploits, there are 2 more with private ones:

🔸 RCE – Bing (CVE-2025-21355) – in Microsoft web service, can be ignored
🔸 SFB – Windows Kernel (CVE-2025-21247)

Among the others:

🔹 RCE – Windows Remote Desktop Client (CVE-2025-26645) and Services (CVE-2025-24035, CVE-2025-24045), MS Office (CVE-2025-26630), WSL2 (CVE-2025-24084)
🔹 EoP – Windows Win32 Kernel Subsystem (CVE-2025-24044)

🗒 Full Vulristics report

На русском