Category Archives: Vulnerability

February Linux Patch Wednesday

Leave a reply

February Linux Patch Wednesday

February Linux Patch Wednesday. There are 561 vulnerabilities in total. 338 in Linux Kernel. Formally, there is one vulnerability with a sign of exploitation in the wild: RCE – 7-Zip (CVE-2025-0411). But it is about Windows MoTW and, naturally, is not exploitable on Linux.

There are public exploits for 21 vulnerabilities.

Among them there are 5 Cacti vulnerabilities:

🔸 RCE – Cacti (CVE-2025-24367)
🔸 Command Injection – Cacti (CVE-2025-22604)
🔸 SQLi – Cacti (CVE-2024-54145, CVE-2025-24368)
🔸 Path Traversal – Cacti (CVE-2024-45598)

2 OpenSSH vulnerabilities discovered by Qualys:

🔸 DoS – OpenSSH (CVE-2025-26466)
🔸 Spoofing/MiTM – OpenSSH (CVE-2025-26465)

Of the rest, the most interesting are:

🔸 RCE – Langchain (CVE-2023-39631), Snapcast (CVE-2023-36177), Checkmk (CVE-2024-13723),
🔸 EoP – Linux Kernel (CVE-2024-50066)
🔸 SQLi – PostgreSQL (CVE-2025-1094)
🔸 XSS – Checkmk (CVE-2024-13722), Thunderbird (CVE-2025-1015)

🗒 Full Vulristics report

На русском

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

Leave a reply

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”. 😉

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:00 Greetings
🔻 00:28 Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)
🔻 01:30 Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138)
🔻 02:37 Remote Code Execution – Apache Struts (CVE-2024-53677)
🔻 03:31 Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972)
🔻 04:44 Trending vulnerabilities for 2024

👾 08:10 Channel mascot 😅

На русском

February Microsoft Patch Tuesday

1 Reply

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. 89 CVEs, 33 added since January. Two with signs of exploitation in the wild:

🔻 EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-21418)
🔻 EoP – Windows Storage (CVE-2025-21391)

There are no vulnerabilities with public exploits, but there are 7 with private ones:

🔸 RCE – Microsoft Edge (CVE-2025-21279, CVE-2025-21283)
🔸 Auth. Bypass – Azure (CVE-2025-21415)
🔸 EoP – Windows Setup Files Cleanup (CVE-2025-21419)
🔸 Spoofing – Windows NTLM (CVE-2025-21377)
🔸 Spoofing – Microsoft Edge (CVE-2025-21267, CVE-2025-21253)

Among the rest, the following can be highlighted:

🔹 RCE – Windows LDAP (CVE-2025-21376), Microsoft Excel (CVE-2025-21381, CVE-2025-21387), Microsoft SharePoint Server (CVE-2025-21400), DHCP Client Service (CVE-2025-21379)
🔹 EoP – Windows Core Messaging (CVE-2025-21184, CVE-2025-21358, CVE-2025-21414), Windows Installer (CVE-2025-21373)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability

1 Reply

About Elevation of Privilege - Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability

About Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability. These three vulnerabilities were disclosed as part of Microsoft’s January Patch Tuesday and share the same description. They were found in a component used for communications between the host OS and container-type virtual machines, such as Windows Sandbox and Microsoft Defender Application Guard (MDAG).

If the vulnerabilities are successfully exploited, an attacker can gain System privileges. Microsoft specifically notes that this is a local privilege escalation on the host system, not any type of guest to host escape.

👾 These vulnerabilities are being actively exploited in the wild, though no public exploits are currently available.

The only difference in the vulnerability descriptions is that CVE-2025-21333 is caused by Heap-based Buffer Overflow, while CVE-2025-21334 and CVE-2025-21335 are caused by Use After Free.

На русском

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability

1 Reply

About Remote Code Execution - Microsoft Configuration Manager (CVE-2024-43468) vulnerability

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability. This vulnerability is from the October 2024 MSPT. Microsoft Configuration Manager (ConfigMgr) is used to manage large groups of computers, providing remote control, patch management, software distribution, operating system deployment, etc.

According to Microsoft, the vulnerability allowed an unauthenticated attacker to execute commands at the server or database level by sending specially crafted requests to the Management Point.

Synacktiv experts revealed the details 100 days after the October MSPT, on January 16. MP_Location service processed client messages insecurely. This flaw enabled attackers to perform SQL injections and execute arbitrary database queries with the highest privileges, including running commands on the server via xp_cmdshell. 🤷‍♂️

Public exploits are available on GitHub. There are no reports of exploitation in the wild yet.

На русском

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability

3 Replies

About Remote Code Execution - 7-Zip (CVE-2025-0411) vulnerability

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability. 7-Zip is a popular, free, open-source archiver widely used by organizations as a standard tool for managing archives.

The vulnerability is a bypass of the Mark-of-the-Web mechanism.

🔹 If you download and run a suspicious executable file on Windows, Microsoft Defender’s SmartScreen will block it from executing because it comes from an untrusted source.

🔹 However, if you download a 7z archive containing another 7z archive with malware, you can execute the file with just three double-clicks, and SmartScreen won’t trigger. 🤷‍♂️ This happens because 7-Zip versions prior to 24.09, released on November 30, 2024, failed to properly apply the Mark-of-the-Web label to extracted files. An exploit example is available on GitHub.

No signs of exploitation in the wild yet, but they are likely to emerge, as this is an easy way to increase the success rate of phishing attacks. Update 7-Zip!

На русском

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

1 Reply

About Authentication Bypass - FortiOS (CVE-2024-55591) vulnerability

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy.

🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create accounts with random names, modify device settings, and gain access to internal systems.

🔹 The vendor advisory was published on January 14. The vulnerability was added to the CISA KEV.

🔹 A public exploit has been available on GitHub since January 21.

🔹 As of January 26, Shadow Server reports around 45,000 vulnerable devices accessible from the Internet.

The vendor recommends updating FortiOS and FortiProxy to secure versions and restricting or disabling administrative HTTP/HTTPS interfaces.

На русском