Category Archives: Vulnerability

April Linux Patch Wednesday

Leave a reply

April Linux Patch Wednesday

April Linux Patch Wednesday. Total vulnerabilities: 251. 👌 164 in the Linux Kernel. No vulnerabilities show signs of being exploited in the wild. There are 7 vulnerabilities that appear to have publicly available exploits.

For 2 vulnerabilities, exploit code with detailed explanation is available on GitHub. Both were first patched in RedOS packages:

🔸 SQL injection – Exim (CVE-2025-26794)
🔸 Code Injection – MariaDB (CVE-2023-39593)

For the Memory Corruption – Mozilla Firefox (CVE-2025-3028), the NVD states the exploit code is in Mozilla’s bug tracker, but access is restricted. 🤷‍♂️

BDU FSTEC reports public exploits for 4 vulnerabilities:

🔸 Information Disclosure – GLPI (CVE-2025-21626)
🔸 Security Feature Bypass – GLPI (CVE-2025-23024)
🔸 Denial of Service / Remote Code Execution – Perl (CVE-2024-56406)
🔸 Memory Corruption – Libsoup (CVE-2025-32050)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Process Activation (CVE-2025-21204) vulnerability

Leave a reply

About Elevation of Privilege - Windows Process Activation (CVE-2025-21204) vulnerability

About Elevation of Privilege – Windows Process Activation (CVE-2025-21204) vulnerability. This vulnerability from the April Microsoft Patch Tuesday was not highlighted by VM vendors in their reviews. It affects the Windows Update Stack component and is related to improper link resolution before file access (CWE-59).

🔻 On April 14, researcher Elli Shlomo (CYBERDOM) published a write-up and exploit code to gain SYSTEM privileges. On April 27, after reports that the exploit didn’t work, he removed it and promised to revise it. 🤔 Exploitability remains unclear.

🔻 On April 22, researcher Kevin Beaumont reported that the fix for this vulnerability, involving the creation of the folder, introduces a new denial-of-service vulnerability. It allows non-admin users to block the installation of Windows security updates. Microsoft responded that they don’t plan to fix it promptly. 🤷‍♂️ For now, it’s recommended to monitor for malicious activity.

На русском

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat

Leave a reply

April In the Trend of VM (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text. 🤷‍♂️🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 11 trending vulnerabilities:

🔻 Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085)
🔻 Spoofing – Windows File Explorer (CVE-2025-24071)
🔻 Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983)
🔻 Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
🔻 Remote Code Execution – Apache Tomcat (CVE-2025-24813)
🔻 Remote Code Execution – Kubernetes (CVE-2025-1974)

На русском

March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application

Leave a reply

March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application. I’m posting the translated video with a big delay, but it’s better than never. 😉

📹 Video on YouTube and LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:00 Greetings
🔻 00:31 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2025-21418)
🔻 01:12 Elevation of Privilege – Windows Storage (CVE-2025-21391)
🔻 01:53 Authentication Bypass – PAN-OS (CVE-2025-0108)
🔻 03:09 Remote Code Execution – CommuniGate Pro (BDU:2025-01331)
🔻 04:27 The VM riddle: who should patch hosts with a deployed application?
🔻 07:11 About the digest of trending vulnerabilities

На русском

April Microsoft Patch Tuesday

4 Replies

April Microsoft Patch Tuesday

April Microsoft Patch Tuesday. A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild:

🔻 EoP – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.
🔻 SFB – Microsoft Edge (CVE-2025-2783). Sandbox escape with an existing PoC exploit.
🔻 RCE – Microsoft Edge (CVE-2025-24201). Originally reported as a WebKit vuln on Apple OSes. 🤷‍♂️

Microsoft also patched vulnerabilities in Kubernetes with known exploits (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513)

Other notable ones:

🔹 RCE – LDAP (CVE-2025-26670, CVE-2025-26663), TCP/IP (CVE-2025-26686), Microsoft Office (CVE-2025-29794, CVE-2025-29793), RDS (CVE-2025-27480, CVE-2025-27482), Hyper-V (CVE-2025-27491)
🔹 SFB – Kerberos (CVE-2025-29809)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability

2 Replies

About Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability. cldflt.sys is a Windows Cloud Files Mini Filter driver responsible for representing cloud-stored files and folders as if they were located on the local machine. The vulnerability in this driver, fixed as part of the June 2024 Microsoft Patch Tuesday, allows an attacker to gain SYSTEM privileges. The root cause of the vulnerability is a Heap-based Buffer Overflow (CWE-122).

🔻 A private exploit was presented at the TyphoonPWN 2024 competition on May 30, 2024. It was used as part of an exploit chain to achieve a VMware Workstation Guest-to-Host escape.

🔻 On December 19, 2024, a technical write-up and exploit code were published on the SSD Secure Disclosure website.

🔻 On March 3, a blog post by Positive Technologies was published that examines the roots of the vulnerability and exploitation techniques.

На русском

About Remote Code Execution – Apache Tomcat (CVE-2025-24813) vulnerability

1 Reply

About Remote Code Execution - Apache Tomcat (CVE-2025-24813) vulnerability

About Remote Code Execution – Apache Tomcat (CVE-2025-24813) vulnerability. Apache Tomcat is an open-source software that provides a platform for Java web applications. The vulnerability allows a remote attacker to upload and execute arbitrary files on the server due to flaws in the handling of uploaded session files and the deserialization mechanism.

🔻 The vendor’s bulletin was released on March 10. It notes that the two conditions required for exploitation (“writes enabled for the default servlet” and “file based session persistence with the default storage location”) are not met in default installations.

🔻 Vulnerability write-up based on patch analysis and PoC exploit were published on March 11. Fully functional exploits have been available on GitHub since March 13.

🔻 Since March 17, there have been signs of exploitation in the wild. 👾 On April 1, the vulnerability was added to CISA KEV.

The vulnerability was fixed in versions 9.0.99, 10.1.35, and 11.0.3.

На русском