Topics | Alexander V. Leonov

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability. This vulnerability is from the October 2024 MSPT. Microsoft Configuration Manager (ConfigMgr) is used to manage large groups of computers, providing remote control, patch management, software distribution, operating system deployment, etc.

According to Microsoft, the vulnerability allowed an unauthenticated attacker to execute commands at the server or database level by sending specially crafted requests to the Management Point.

Synacktiv experts revealed the details 100 days after the October MSPT, on January 16. MP_Location service processed client messages insecurely. This flaw enabled attackers to perform SQL injections and execute arbitrary database queries with the highest privileges, including running commands on the server via xp_cmdshell.

Public exploits are available on GitHub. There are no reports of exploitation in the wild yet.

На русском

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability. 7-Zip is a popular, free, open-source archiver widely used by organizations as a standard tool for managing archives.

The vulnerability is a bypass of the Mark-of-the-Web mechanism.

If you download and run a suspicious executable file on Windows, Microsoft Defender’s SmartScreen will block it from executing because it comes from an untrusted source.

However, if you download a 7z archive containing another 7z archive with malware, you can execute the file with just three double-clicks, and SmartScreen won’t trigger. This happens because 7-Zip versions prior to 24.09, released on November 30, 2024, failed to properly apply the Mark-of-the-Web label to extracted files. An exploit example is available on GitHub.

No signs of exploitation in the wild yet, but they are likely to emerge, as this is an easy way to increase the success rate of phishing attacks. Update 7-Zip!

На русском

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy.

On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create accounts with random names, modify device settings, and gain access to internal systems.

The vendor advisory was published on January 14. The vulnerability was added to the CISA KEV.

A public exploit has been available on GitHub since January 21.

As of January 26, Shadow Server reports around 45,000 vulnerable devices accessible from the Internet.

The vendor recommends updating FortiOS and FortiProxy to secure versions and restricting or disabling administrative HTTP/HTTPS interfaces.

На русском

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability. The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document.

What is this vulnerability about? The attacker’s code executes when a specially crafted RTF document is opened or when a malicious email is opened or previewed in Microsoft Outlook. In the second case, no action is required from the victim other than clicking on the message. Microsoft recommends viewing messages in Outlook only in plain text.

On January 20, an exploit PoC appeared on GitHub that demonstrates Memory Corruption when opening an RTF document. Now we are waiting for an RCE exploit for Outlook.

There have been no reports of attacks yet.

Fix this vulnerability ASAP!

На русском

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024).

All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian products did not reach the level of criticality required to classify them as trending.

For 55 of all trending vulnerabilities there are currently signs of exploitation in attacks, for 17 there are public exploits (but no signs of exploitation) and for the remaining 2 there is only a possibility of future exploitation.

Vulnerabilities were often added to trending ones before signs of exploitation in the wild appeared. For example, the remote code execution vulnerability in VMware vCenter (CVE-2024-38812) was added to the list of trending vulnerabilities on September 20, 3 days after the vendor’s security bulletin appeared. There were no signs of exploitation in the wild or public exploit for this vulnerability. Signs of exploitation appeared only 2 months later, on November 18.

Most of the vulnerabilities in the trending list are of the following types: Remote Code or Command Execution (24) and Elevation of Privilege (21).

4 vulnerabilities in Barracuda Email Security Gateway (CVE-2023-2868), MOVEit Transfer (CVE-2023-34362), papercut (CVE-2023-27350) and SugarCRM (CVE-2023-22952) were added in early January 2024. These vulnerabilities were massively exploited in the West in 2023, and attacks using these vulnerabilities could also tangentially affect those domestic Russian organizations where these products had not yet been taken out of service. The rest of the vulnerabilities became trending in 2024.

34 trending vulnerabilities affect Microsoft products (45%).

17 of them are Elevation of Privilege vulnerabilities in the Windows kernel and standard components.

1 Remote Code Execution vulnerability in Windows Remote Desktop Licensing Service (CVE-2024-38077).

2 trending Elevation of Privilege vulnerabilities affect Linux systems: one in nftables (CVE-2024-1086), and the second in needrestart (CVE-2024-48990).

Other groups of vulnerabilities

Phishing attacks: 19 (Windows components, Outlook, Exchange, Ghostscript, Roundcube)
Network security and entry points: 13 (Palo Alto, Fortinet, Juniper, Ivanti, Check Point, Zyxel)
Virtual infrastructure and backups: 7 (VMware, Veeam, Acronis)
Software development: 6 (GitLab, TeamCity, Jenkins, PHP, Fluent Bit, Apache Struts)
Collaboration tools: 3 (Atlassian Confluence, XWiki)
CMS WordPress plugins: 3 (LiteSpeed Cache, The Events Calendar, Hunk Companion)

Full Vulristics report

Article on the official website “Vulnerable software and hardware vs. security researchers” (rus)

На русском

January Linux Patch Wednesday. Out of 424 total vulnerabilities, 271 are in the Linux Kernel. None show signs of exploitation in the wild, but 9 have public exploits.

RCE – Apache Tomcat (CVE-2024-56337). Based on the description, the vulnerability affects “case-insensitive file systems” like Windows or MacOS. However, Debian lists it as affecting tomcat9 and tomcat10. Either this is about rare case-insensitive Linux installations or there is an error in the description.
RCE – Chromium (CVE-2025-0291). According to the FSTEC BDU, a public exploit exists.
RCE – 7-Zip (CVE-2024-11477). What’s in the public is not an exploit, but a write-up.
Memory Corruption – Theora (CVE-2024-56431). It’s not clear yet how to exploit this.
Memory Corruption – Telegram (CVE-2021-31320, CVE-2021-31319, CVE-2021-31315, CVE-2021-31318, CVE-2021-31322). Ubuntu fixed these vulnerabilities in the rlottie library package.

Full Vulristics report

На русском

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical. Just as I wrote that nothing had been heard about this vulnerability for a month since it was first published in Microsoft’s December Patch Tuesday, a public exploit for it appeared on January 15th. It was developed by Alessandro Iandoli from HN Security. The source code and video demonstrating the exploit are available on GitHub: a local attacker runs an exe file in PowerShell and, after a second, becomes “nt authority/system”. The researcher tested the exploit on Windows 11 23h2. He also promises to publish a blog post with a detailed analysis of the vulnerability.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Category Archives: Topics

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

January Linux Patch Wednesday

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical