Category Archives: Vulnerability

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just extracting a ZIP/RAR archive with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing.

На русском

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday. 77 CVEs, 20 of which were added during the month. 7 vulnerabilities with signs of exploitation in the wild:

RCE – Windows Fast FAT File System Driver (CVE-2025-24985)
RCE – Windows NTFS (CVE-2025-24993)
SFB – Microsoft Management Console (CVE-2025-26633)
EoP – Windows Win32 Kernel Subsystem (CVE-2025-24983)
InfDisc – Windows NTFS (CVE-2025-24991, CVE-2025-24984)
AuthBypass – Power Pages (CVE-2025-24989) – in Microsoft web service, can be ignored

There are no vulnerabilities with public exploits, there are 2 more with private ones:

RCE – Bing (CVE-2025-21355) – in Microsoft web service, can be ignored
SFB – Windows Kernel (CVE-2025-21247)

Among the others:

RCE – Windows Remote Desktop Client (CVE-2025-26645) and Services (CVE-2025-24035, CVE-2025-24045), MS Office (CVE-2025-26630), WSL2 (CVE-2025-24084)
EoP – Windows Win32 Kernel Subsystem (CVE-2025-24044)

Full Vulristics report

На русском

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists

Leave a reply

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists. Now with a new design and new video editing.

Video on YouTube and LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:00 Greetings
00:23 Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)
01:35 Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468)
02:38 Remote Code Execution – Windows OLE (CVE-2025-21298)
03:55 Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
05:02 Authentication Bypass – FortiOS/FortiProxy (CVE-2024-55591)
06:16 Remote Code Execution – 7-Zip (CVE-2025-0411)
07:27 Should a VM specialist be aware of what is happening in the Darknet?
08:48 About the digest of trending vulnerabilities

На русском

Should a VM specialist be aware of what is happening in the Darknet?

Leave a reply

Should a VM specialist be aware of what is happening in the Darknet? Of course. At least roughly. Otherwise, he’ll fall for the “nobody’s attacking us” myth.

The reality is that every organization is under attack all the time. It’s like commercial fishing with trawlers. Anything that gets caught in the nets will be classified, priced, and put up for sale. In today’s world of cybercrime, access to an organization’s infrastructure is a commodity. The same is true for vulnerabilities, exploits, and ready-made malware.

Attacker groups have specialized:

some research vulnerabilities and write exploits
others embed them in malware
still others implement bypass of the InfoSec systems
the fourth get primary access
fifth people monetize this access
sixth support the operation of trading platforms

And whether these guys can break your organization depends on you, VM specialist!

PT has published a large study on this topic.

На русском

About Authentication Bypass – PAN-OS (CVE-2025-0108) vulnerability

Leave a reply

About Authentication Bypass – PAN-OS (CVE-2025-0108) vulnerability. PAN-OS is the operating system used in all Palo Alto Network NGFWs. This vulnerability allows an unauthenticated attacker to gain access to the PAN-OS management web interface. The attacker can then “invoke certain PHP scripts”, compromising the integrity and confidentiality of PAN-OS.

The vendor bulletin was released on February 12. On the same day, Assetnote posted a write-up on the vulnerability. The next day, a PoC exploit appeared on GitHub.

On February 18, GreyNoise reported that they had detected active exploitation attempts. According to Palo Alto, the vulnerability is being exploited alongside EoP CVE-2024-9474 and Authenticated File Read CVE-2025-0111 vulnerabilities. As a result, the attacker gains the ability to execute Linux commands on the device as root.

Install updates and restrict access to administrative web interfaces!

На русском

February Linux Patch Wednesday

Leave a reply

February Linux Patch Wednesday. There are 561 vulnerabilities in total. 338 in Linux Kernel. Formally, there is one vulnerability with a sign of exploitation in the wild: RCE – 7-Zip (CVE-2025-0411). But it is about Windows MoTW and, naturally, is not exploitable on Linux.

There are public exploits for 21 vulnerabilities.

Among them there are 5 Cacti vulnerabilities:

RCE – Cacti (CVE-2025-24367)
Command Injection – Cacti (CVE-2025-22604)
SQLi – Cacti (CVE-2024-54145, CVE-2025-24368)
Path Traversal – Cacti (CVE-2024-45598)

2 OpenSSH vulnerabilities discovered by Qualys:

DoS – OpenSSH (CVE-2025-26466)
Spoofing/MiTM – OpenSSH (CVE-2025-26465)

Of the rest, the most interesting are:

RCE – Langchain (CVE-2023-39631), Snapcast (CVE-2023-36177), Checkmk (CVE-2024-13723),
EoP – Linux Kernel (CVE-2024-50066)
SQLi – PostgreSQL (CVE-2025-1094)
XSS – Checkmk (CVE-2024-13722), Thunderbird (CVE-2025-1015)

Full Vulristics report

На русском

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

Leave a reply

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”.

Video on YouTube, LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:00 Greetings
00:28 Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)
01:30 Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138)
02:37 Remote Code Execution – Apache Struts (CVE-2024-53677)
03:31 Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972)
04:44 Trending vulnerabilities for 2024

08:10 Channel mascot

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Category Archives: Vulnerability

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

March Microsoft Patch Tuesday

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists

Should a VM specialist be aware of what is happening in the Darknet?

About Authentication Bypass – PAN-OS (CVE-2025-0108) vulnerability

February Linux Patch Wednesday

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024