Category Archives: Topics

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. A total of 152 vulnerabilities – twice as many as in June. Of these, 15 vulnerabilities were added between the June and July MSPT. One vulnerability is exploited in the wild:

🔻 Memory Corruption – Chromium (CVE-2025-6554)

One vulnerability has an exploit available on GitHub:

🔸 EoP – Windows Update Service (CVE-2025-48799). This vulnerability may be exploited on Windows 11/10 hosts with two or more hard drives.

Notable among the rest:

🔹 RCE – CDPService (CVE-2025-49724), KDC Proxy Service (CVE-2025-49735), SharePoint (CVE-2025-49704, CVE-2025-49701), Hyper-V DDA (CVE-2025-48822), MS Office (CVE-2025-49695), NEGOEX (CVE-2025-47981), MS SQL Server (CVE-2025-49717)
🔹 InfDisc – MS SQL Server (CVE-2025-49719)
🔹 EoP – MS VHD (CVE-2025-49689), TCP/IP Driver (CVE-2025-49686), Win32k (CVE-2025-49727, CVE-2025-49733, CVE-2025-49667), Graphics Component (CVE-2025-49732, CVE-2025-49744)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability

Leave a reply

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability. A vulnerability from the June Microsoft Patch Tuesday allows an attacker to execute a malicious script, forcing the victim’s host to connect to the attacker’s SMB server and authenticate, resulting in gaining SYSTEM privileges.

🔹 Details on how to exploit the vulnerability were published on June 11 (the day after MSPT) on the websites of RedTeam Pentesting and Synacktiv companies.

🔹 Exploits for the vulnerability have been available on GitHub since June 15.

🔹 The PT ESC research team confirmed the exploitability of the vulnerability and, on June 24, published an explainer, exploitation methods, and information on detection techniques.

Install the update and enforce SMB signing on domain controllers and workstations.

No in-the-wild exploitation has been reported yet.

На русском

June Linux Patch Wednesday

Leave a reply

June Linux Patch Wednesday. This time, there are 598 vulnerabilities, almost half as many as in May. Of these, 355 are in the Linux Kernel. There are signs of exploitation in the wild for 3 vulnerabilities (CISA KEV).

🔻 SFB – Chromium (CVE-2025-2783)
🔻 MemCor – Chromium (CVE-2025-5419)
🔻 CodeInj – Hibernate Validator (CVE-2025-35036). This vulnerability is exploited in attacks on Ivanti EPMM (CVE-2025-4428).

Additionally, for 40 (❗️) vulnerabilities public exploits are available or there are signs of their existence. Notable among them are:

🔸 RCE – Roundcube (CVE-2025-49113)
🔸 EoP – libblockdev (CVE-2025-6019)
🔸 DoS – Apache Tomcat (CVE-2025-48988), Apache Commons FileUpload (CVE-2025-48976)
🔸 InfDisc – HotelDruid (CVE-2025-44203)
🔸 DoS – ModSecurity (CVE-2025-47947)

🗒 Full Vulristics report

На русском

I added support for ALT Linux OVAL content in Linux Patch Wednesday

Leave a reply

I added support for ALT Linux OVAL content in Linux Patch Wednesday. Now I track when specific CVEs were fixed in ALT Linux packages and take that into account when generating the monthly bulletins. The more data sources on patched vulnerabilities in Linux distributions are used, the more accurate the bulletins become. 👍 Especially when those Linux distributions are independent, not derivatives. 😇

Currently, the LPW generator uses 7 OVAL sources:

🔹 Debian
🔹 Ubuntu
🔹 Oracle Linux
🔹 RedOS
🔹 AlmaLinux
🔹 Red Hat
🔹 ALT Linux

Plus one more source from Debian’s mailing list.

I’m a bit late with the June Linux Patch Wednesday review (due to these improvements and my vacation), but I plan to release it soon. Especially since there aren’t that many vulnerabilities this time – only 598. 🙂

На русском

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver

Leave a reply

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver. A traditional monthly vulnerability roundup. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 7 trending vulnerabilities:

🔻 Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400)
🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706)
🔻 Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475)
🔻 Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)
🔻 Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443)
🔻 Remote Code Execution – 7-Zip (BDU:2025-01793)

На русском

June Microsoft Patch Tuesday

Leave a reply

June Microsoft Patch Tuesday. A total of 81 vulnerabilities, roughly the same as in May. Among them, 15 vulnerabilities were added between the May and June MSPT. There are 3 vulnerabilities with signs of exploitation in the wild:

🔻 RCE – WEBDAV/Internet Shortcut Files (CVE-2025-33053). For successful exploitation, the victim must click on a malicious .url file.
🔻 SFB – Chromium (CVE-2025-4664)
🔻 Memory Corruption – Chromium (CVE-2025-5419)

There’s a PoC for one of the vulnerabilities on GitHub, but I doubt it actually works:

🔸 EoP – Microsoft Edge (CVE-2025-47181)

Other notable ones include:

🔹 RCE – Microsoft Office (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953), KPSSVC (CVE-2025-33071), SharePoint (CVE-2025-47172), Outlook (CVE-2025-47171)
🔹 EoP – SMB Client (CVE-2025-33073), CLFS (CVE-2025-32713), Netlogon (CVE-2025-33070)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

Leave a reply

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities. When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode.

The impact of exploiting these vulnerabilities is identical: an attacker can gain SYSTEM privileges. Their CVSS vectors are also the same (Base Score: 7.8).

What’s the difference? Bug type: for CVE-2025-32701 it’s CWE-416: Use After Free, while for CVE-2025-32706 it’s CWE-20: Improper Input Validation. CVE-2025-32701 credits MSTIC, while CVE-2025-32706 credits Google TIG and CrowdStrike ART.

No public exploits or exploitation details yet. 🤷‍♂️ But these vulns are likely being used in ransomware attacks, just like the EoP in CLFS (CVE-2025-29824) from April MSPT. 😉

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Category Archives: Topics

July Microsoft Patch Tuesday

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability

June Linux Patch Wednesday

I added support for ALT Linux OVAL content in Linux Patch Wednesday

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver

June Microsoft Patch Tuesday

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities