Category Archives: Vulnerability

June Microsoft Patch Tuesday

June Microsoft Patch Tuesday. A total of 81 vulnerabilities, roughly the same as in May. Among them, 15 vulnerabilities were added between the May and June MSPT. There are 3 vulnerabilities with signs of exploitation in the wild:

🔻 RCE – WEBDAV (CVE-2025-33053). The vulnerability is related to Internet Explorer mode in Microsoft Edge and other applications. Exploitation requires the victim to click a malicious URL.
🔻 SFB – Chromium (CVE-2025-4664)
🔻 Memory Corruption – Chromium (CVE-2025-5419)

There’s a PoC for one of the vulnerabilities on GitHub, but I doubt it actually works:

🔸 EoP – Microsoft Edge (CVE-2025-47181)

Other notable ones include:

🔹 RCE – Microsoft Office (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953), KPSSVC (CVE-2025-33071), SharePoint (CVE-2025-47172), Outlook (CVE-2025-47171)
🔹 EoP – SMB Client (CVE-2025-33073), CLFS (CVE-2025-32713), Netlogon (CVE-2025-33070)

🗒 Full Vulristics report

In Russian

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities. When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode.

The impact of exploiting these vulnerabilities is identical: an attacker can gain SYSTEM privileges. Their CVSS vectors are also the same (Base Score: 7.8).

What’s the difference? Bug type: for CVE-2025-32701 it’s CWE-416: Use After Free, while for CVE-2025-32706 it’s CWE-20: Improper Input Validation. CVE-2025-32701 credits MSTIC, while CVE-2025-32706 credits Google TIG and CrowdStrike ART.

No public exploits or exploitation details yet. 🤷‍♂️ But these vulns are likely being used in ransomware attacks, just like the EoP in CLFS (CVE-2025-29824) from April MSPT. 😉

In Russian

About Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400) vulnerability

About Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400) vulnerability. The vulnerability, patched as part of May Microsoft Patch Tuesday, affects the Desktop Window Manager component. This is a compositing window manager that has been part of Windows since Windows Vista. Successful exploitation could grant an attacker SYSTEM-level privileges. At the time the vulnerability was disclosed, there were signs of in-the-wild exploitation. No details about the attacks are available yet.

According to the Acknowledgements, exploitation was discovered by the Microsoft Threat Intelligence Center, which rarely shares details. 🤷‍♂️ We’ll have to wait for reports from other researchers or a public exploit. There is currently one GitHub repository with a PoC, but its functionality is highly questionable. 🤔

The previous actively exploited EoP vulnerability in the DWM Core Library (CVE-2024-30051) was patched in May last year.

In Russian

About Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443) vulnerability

About Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443) vulnerability. Zimbra Collaboration is a collaboration software suite that includes a mail server and a web client. An attacker can send an email containing a specially crafted calendar header with an embedded payload. If the user opens the email in the classic Zimbra web interface, the malicious JavaScript code will be executed in the context of the web browser window.

The vulnerability was fixed on February 28, 2024. As with the MDaemon vulnerability, exploitation of this vulnerability in the wild was reported by ESET researchers (Operation “RoundPress”). They discovered attacks in 2024, after the patch had already been released. The malicious code allowed attackers to steal credentials, extract contacts and settings, and gain access to email messages.

ESET published information about the attacks and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19.

In Russian

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182). An attacker can send an HTML-formatted email containing malicious JavaScript code embedded in an img tag. If the user opens the email in the MDaemon Email Server’s web interface, the malicious JavaScript code will execute in the context of the web browser window. This allows the attacker to steal credentials, bypass 2FA, and gain access to contacts and email messages.

On November 1, 2024, researchers from ESET discovered that the vulnerability was being exploited in the wild. They linked the exploitation of this and several other vulnerabilities in webmail interfaces (Roundcube: CVE-2023-43770, CVE-2020-35730; Zimbra: CVE-2024-27443; Horde) to a broader operation dubbed “RoundPress”.

MDaemon patched the vulnerability in version 24.5.1 (released Nov 14, 2024), but ESET disclosed attacks and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19.
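The Zimbra (CVE-2024-27443) and MDaemon (CVE-2024-11182) cases above share one root cause: attacker-controlled HTML from an incoming email reaches the user's browser without being reduced to a safe subset. The following Python sanitizer is an added illustration, not code from the original posts or from either vendor, of the allowlist approach a webmail client needs on the rendering side: unknown tags are dropped, the contents of script/style/iframe-like elements are discarded, event-handler and style attributes are removed, and href/src values are restricted to a few URL schemes. The sample email body is constructed for the example; tag and attribute lists are assumptions, not either product's configuration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a webmail client can reasonably render; anything not listed is dropped.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "strong", "em", "a", "img", "div", "span",
    "ul", "ol", "li", "table", "thead", "tbody", "tr", "td", "th",
    "h1", "h2", "h3", "blockquote", "pre", "code",
}
# Tags whose inner content is discarded as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist (assumed): no on* handlers, no style (CSS can carry url()).
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
# cid: lets inline attachments render; javascript:, data:, vbscript: are rejected.
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}


def safe_url(value):
    """True if the URL has no scheme or an allowlisted one.

    Tab/CR/LF are stripped first because browsers ignore them inside a
    scheme ("java\\tscript:"); entity-encoded schemes arrive already
    decoded by HTMLParser, so they are caught too.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class EmailHTMLSanitizer(HTMLParser):
    """Rebuilds an email body from an allowlist; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # names are already lowercased by HTMLParser
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes

    def handle_comment(self, data):
        pass  # comments (including conditional ones) never reach the browser


def sanitize_email_html(html):
    """Return a re-serialized copy of `html` containing only allowlisted markup."""
    parser = EmailHTMLSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: the kinds of constructs an HTML email can smuggle in.
CONSTRUCTED_EMAIL = (
    "<p>Invoice attached.</p>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">open</a>'
    '<a href="https://example.com/">ok</a>'
    '<script>alert("xss")</script>'
    '<img src="cid:logo" alt="Logo">'
)

if __name__ == "__main__":
    print(sanitize_email_html(CONSTRUCTED_EMAIL))
```

The point of the design is that nothing passes through by default: the sanitizer re-serializes from scratch rather than trying to remove bad things from the original string, so an unforeseen tag, attribute, or scheme is dropped rather than forwarded. A production webmail client should use a maintained sanitizer library with the same allowlist philosophy and combine it with a Content Security Policy for the web interface, so that a sanitizer bypass alone is not enough to run script in the user's session.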

In Russian

Vulnerabilities of Western logistics

Vulnerabilities of Western logistics. On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting the infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, the Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed.

The document mentions exploitation of the following vulnerabilities:

🔻 Remote Code Execution – WinRAR (CVE-2023-38831)
🔻 Elevation of Privilege – Microsoft Outlook (CVE-2023-23397)
🔻 Remote Code Execution – Roundcube (CVE-2020-12641)
🔻 Code Injection – Roundcube (CVE-2021-44026)
🔻 Cross Site Scripting – Roundcube (CVE-2020-35730)

Patches, exploits, and signs of in-the-wild exploitation have been available for years for these vulnerabilities. 🤦‍♂️🤷‍♂️

🗒 Vulristics Report

In Russian

May Linux Patch Wednesday

May Linux Patch Wednesday. This time: 1091 vulnerabilities. Of those, 716 are in the Linux Kernel. 🤯 5 vulnerabilities are exploited in the wild:

🔻 RCE – PHP CSS Parser (CVE-2020-13756). An exploit is listed in AttackerKB.
🔻 DoS – Apache ActiveMQ (CVE-2025-27533). An exploit is listed in AttackerKB.
🔻 SFB – Chromium (CVE-2025-4664). Listed in CISA KEV.
🔻 PathTrav – buildkit (CVE-2024-23652) and MemCor – buildkit (CVE-2024-23651). Listed in BDU FSTEC.

For 52 (❗️) more, there are signs of existing public exploits. Two trending vulnerabilities I’ve mentioned before:

🔸 RCE – Kubernetes “IngressNightmare” (CVE-2025-1974 and 4 others)
🔸 RCE – Erlang/OTP (CVE-2025-32433)

Exploits for these are also notable:

🔸 EoP – Linux Kernel (CVE-2023-53033)
🔸 XSS – Horde IMP (CVE-2025-30349)
🔸 PathTrav – tar-fs (CVE-2024-12905)
🔸 SFB – kitty (CVE-2025-43929)
🔸 DoS – libxml2 (CVE-2025-32414)

🗒 Full Vulristics report

In Russian