About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability. This vulnerability is from the July Microsoft Patch Tuesday. Improper link resolution before file access (‘link following’) in the Windows Update Service allows an authorized attacker to elevate privileges to “NT AUTHORITY\SYSTEM”.

🛠 An exploit for this vulnerability was published by researcher Filip Dragović (Wh04m1001) on July 8, the day of MSPT. In the exploit description, he states that the vulnerability affects Windows 10/11 systems with at least two hard drives. If the installation location for new apps is changed to the secondary drive (using Storage Sense), then during the installation of a new app the wuauserv service deletes folders arbitrarily without checking for symbolic links, leading to LPE.

🎞 In the demonstration video, Filip Dragović runs the EXE file and gets an administrator console.

👾 No signs of exploitation in the wild yet.
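The weakness behind this bug (CWE-59, link following) comes down to a privileged component deleting a path without first checking whether the entry it was handed is a link. The Python example below is added here for illustration and is not code from the post, from the exploit, or from Microsoft; it builds a constructed temporary fixture (a planted symlink pointing into a "protected" directory) and contrasts a deletion routine that follows links with one that refuses to. The names unsafe_remove_tree, safe_remove_tree, is_link_or_reparse and demo are assumptions for this example.

```python
import os
import stat
import tempfile


def is_link_or_reparse(path: str) -> bool:
    """True if *path* itself is a symbolic link or, on Windows, any reparse point
    (junctions included). lstat never follows the link, so the answer describes
    the entry we were handed, not whatever it points to."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes only exists on Windows; getattr keeps this portable.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def unsafe_remove_tree(path: str) -> None:
    """Vulnerable pattern (CWE-59): the walk follows links, so files that live
    behind a planted link are deleted as if they were part of *path*."""
    for root, dirs, files in os.walk(path, topdown=False, followlinks=True):
        for name in files:
            os.remove(os.path.join(root, name))  # resolves through any link
        for name in dirs:
            full = os.path.join(root, name)
            # Cleanup only: the contents behind a linked directory are already gone.
            os.unlink(full) if os.path.islink(full) else os.rmdir(full)
    os.rmdir(path)


def safe_remove_tree(path: str) -> None:
    """Hardened form: refuse to operate on a link, never descend into one, and
    remove a link entry itself rather than anything it points to."""
    if is_link_or_reparse(path):
        raise PermissionError(f"refusing to delete through a link: {path}")
    with os.scandir(path) as entries:
        for entry in entries:
            if is_link_or_reparse(entry.path):
                # Windows removes directory links with rmdir, POSIX with unlink;
                # neither call follows the link.
                if entry.is_dir(follow_symlinks=False):
                    os.rmdir(entry.path)
                else:
                    os.unlink(entry.path)
            elif entry.is_dir(follow_symlinks=False):
                safe_remove_tree(entry.path)  # recurse only into real directories
            else:
                os.remove(entry.path)
    os.rmdir(path)


def demo() -> dict:
    """Constructed fixture: a 'protected' directory holding a file that must be
    kept, and a staging directory containing a planted link to it. Returns, for
    each deletion routine, whether the protected file survived."""
    outcome = {}
    for label, remover in (("unsafe", unsafe_remove_tree), ("safe", safe_remove_tree)):
        with tempfile.TemporaryDirectory() as base:
            protected = os.path.join(base, "protected")
            os.makedirs(protected)
            keep = os.path.join(protected, "important.txt")
            with open(keep, "w", encoding="utf-8") as fh:
                fh.write("must survive\n")
            staging = os.path.join(base, "staging")
            os.makedirs(os.path.join(staging, "sub"))
            # The planted link: what an unprivileged user would drop into a
            # location the privileged deleter is about to clean up.
            os.symlink(protected, os.path.join(staging, "sub", "planted"))
            remover(staging)
            outcome[label] = {
                "protected_file_survived": os.path.exists(keep),
                "staging_removed": not os.path.exists(staging),
            }
    return outcome


if __name__ == "__main__":
    print(demo())
```

A check-then-delete sequence is still racy: an attacker who can swap the entry between the lstat and the delete wins the race, so a service running as SYSTEM should additionally avoid cleaning up locations that unprivileged users can write to, or operate on handles opened with no-follow semantics rather than on paths. On Windows the fixture itself needs the privilege to create symlinks (or Developer Mode); on POSIX it runs as any user.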

In Russian

Qualys has introduced Agentic AI, a solution for autonomous cyber risk management

Qualys has introduced Agentic AI, a solution for autonomous cyber risk management. As part of this solution, Qualys provides ready-to-use Cyber Risk Agents that operate autonomously and act as an additional skilled digital workforce. Agentic AI not only detects issues and provides analytics but also autonomously identifies critical risks, prioritizes them, and launches targeted remediation workflows.

Available agents on the marketplace:

🔹 Identification and prioritization of risks related to external attacks
🔹 Adaptive cloud risk assessment
🔹 Audit readiness evaluation and reporting
🔹 Threat-based risk prioritization
🔹 Autonomous “Microsoft Patch Tuesday” cycle
🔹 Self-Healing agent for vulnerability management

They also introduced the Cyber Risk Assistant – a guided interface that transforms risk data into context-aware actions with autonomous execution.

In Russian

July Linux Patch Wednesday

July Linux Patch Wednesday. This time, there are 470 vulnerabilities, slightly fewer than in June. Of these, 291 are in the Linux Kernel. One vulnerability shows signs of being exploited in the wild (CISA KEV):

🔻 SFB – Chromium (CVE-2025-6554)

There are also 36 (❗️) vulnerabilities for which public exploits are available or suspected to exist. Notable among them:

🔸 RCE – Redis (CVE-2025-32023), pgAdmin (CVE-2024-3116), Git (CVE-2025-48384)
🔸 EoP – Sudo (CVE-2025-32462, CVE-2025-32463)
🔸 PathTrav – Tar (CVE-2025-45582)
🔸 XSS – jQuery (CVE-2012-6708)
🔸 SFB – PHP (CVE-2025-1220)
🔸 DoS – LuaJIT (CVE-2024-25177), Linux Kernel (CVE-2025-38089)
🔸 MemCor – DjVuLibre (CVE-2025-53367)

🗒 Full Vulristics report

In Russian

About Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770) vulnerability

About Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770) vulnerability. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. A flaw in the deserialization mechanism of an on-premises SharePoint Server instance allows remote unauthenticated attackers to execute arbitrary code.

👾 On July 18, Eye Security researchers reported mass exploitation of this vulnerability in conjunction with the spoofing vulnerability CVE-2025-53771. CVE-2025-53770 and CVE-2025-53771 are evolutions of the vulnerabilities CVE-2025-49704 and CVE-2025-49706 from the July MSPT.

🔻 On July 19, Microsoft released updates for SharePoint Server 2016, 2019, and Subscription Edition. They also recommended integrating with the Antimalware Scan Interface.

🔨 Public exploits have been available on GitHub since July 21.

In Russian

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube. A traditional monthly roundup. This time, it’s a very short one. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only three trending vulnerabilities:

🔻 Remote Code Execution – Internet Shortcut Files (CVE-2025-33053)
🔻 Elevation of Privilege – Windows SMB Client (CVE-2025-33073)
🔻 Remote Code Execution – Roundcube (CVE-2025-49113)

In Russian

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability. A vulnerability from the June Microsoft Patch Tuesday. This vulnerability immediately showed signs of exploitation in the wild. This flaw allows a remote attacker to execute arbitrary code when a victim opens a specially crafted .url file, delivered, for example, through a phishing attack.

🔹 The vulnerability was reported by Check Point researchers. On June 10, the day of Microsoft’s June Patch Tuesday, they published technical details on their website. The vulnerability had been exploited by the APT group Stealth Falcon since at least March 2025. The exploitation led to the download and execution of malware (Horus Agent) from the attacker’s WebDAV server.

🔹 Exploits for this vulnerability have been available on GitHub since June 12.

In Russian

About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability

About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability. Roundcube is a popular open-source webmail client (IMAP). An authenticated attacker can exploit this vulnerability to execute arbitrary code on the Roundcube Webmail server. The issue is caused by the Deserialization of Untrusted Data (CWE-502).

🔹 On June 1, the vendor released patched versions 1.6.11 and 1.5.10. Within 48 hours, attackers had analyzed the patch, and exploit sale offers began appearing on the dark web.

🔹 On June 3, PT SWARM experts successfully reproduced the vulnerability.

🔹 Since June 5, public exploits have been available on GitHub.

🔹 On June 6, Kirill Firsov, the researcher who reported the vulnerability, published a detailed write-up. He claims the vulnerability existed in the code for 10 years and that it shows signs of exploitation in the wild.

🔹 On June 16, reports emerged of a successful attack on a German email hosting provider using this vulnerability.
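Roundcube is written in PHP and the post gives no code, so the example below is added here to illustrate the CWE-502 weakness class in general, not Roundcube's own code or the actual bug. It is Python: a constructed serialized object whose only "payload" is a harmless in-script function shows that a plain loader invokes whatever callable the bytes name, and a restricted loader that allowlists globals shows the standard mitigation. The names gadget, Crafted, RestrictedUnpickler, unsafe_load, safe_load and demo are assumptions for this example.

```python
import io
import pickle

INVOCATIONS = []  # records every call the deserializer was talked into making


def gadget(arg: str) -> str:
    """Stand-in for any callable reachable through the serializer. In a real
    deserialization bug the attacker picks something far less harmless."""
    INVOCATIONS.append(arg)
    return f"gadget ran with {arg!r}"


class Crafted:
    """Constructed object whose serialized form instructs pickle to call
    gadget() while loading. Whoever controls the bytes controls this."""

    def __reduce__(self):
        return (gadget, ("untrusted input",))


def make_payload() -> bytes:
    return pickle.dumps(Crafted())


def unsafe_load(data: bytes):
    """Vulnerable pattern (CWE-502): deserialize untrusted bytes as-is."""
    return pickle.loads(data)


# Only plain data types may be referenced by name from a serialized stream.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: every global lookup goes through find_class, so an
    allowlist there removes the 'call an arbitrary function' primitive."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Runs the same constructed payload through both loaders and a benign
    dict through the restricted one, returning what happened."""
    payload = make_payload()
    INVOCATIONS.clear()
    unsafe_result = unsafe_load(payload)
    calls_after_unsafe = len(INVOCATIONS)
    INVOCATIONS.clear()
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    benign = safe_load(pickle.dumps({"user": "alice", "folders": ["INBOX"]}))
    return {
        "unsafe_result": unsafe_result,
        "calls_after_unsafe": calls_after_unsafe,
        "blocked_by_restricted": blocked,
        "calls_after_safe": len(INVOCATIONS),
        "benign_roundtrip": benign,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist approach is the mitigation where a native serializer cannot be replaced; where it can, a data-only format such as JSON removes the problem class entirely, which is also why the PHP equivalent is to pass an explicit `allowed_classes` restriction or to avoid `unserialize()` on user-controlled input.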

In Russian