March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application. I’m posting the translated video with a big delay, but it’s better than never. 😉
🔻 00:00 Greetings 🔻 00:31Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2025-21418) 🔻 01:12Elevation of Privilege – Windows Storage (CVE-2025-21391) 🔻 01:53Authentication Bypass – PAN-OS (CVE-2025-0108) 🔻 03:09Remote Code Execution – CommuniGate Pro (BDU:2025-01331) 🔻 04:27 The VM riddle: who should patch hosts with a deployed application? 🔻 07:11 About the digest of trending vulnerabilities
New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”. 😉
New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁
New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁
🔻 00:37Elevation of Privilege – Microsoft Streaming Service (CVE-2024-30090) 🔻 01:46Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) 🔻 02:38Spoofing – Windows MSHTML Platform (CVE-2024-43573) 🔻 03:43Remote Code Execution – XWiki Platform (CVE-2024-31982) 🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences. 🔻 05:22 Social “Attack on the complainer“ 🔻 06:35 “Ford’s method” for motivating IT staff to fix vulnerabilities: will it work? 🔻 08:00 About the digest, habr and the question contest 🎁 🔻 08:29 Backstage
September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁
🔻 00:51Elevation of Privilege – Windows Installer (CVE-2024-38014) and details about this vulnerability 🔻 02:42Security Feature Bypass – Windows Mark of the Web “LNK Stomping” (CVE-2024-38217) 🔻 03:50Spoofing – Windows MSHTML Platform (CVE-2024-43461) 🔻 05:07Remote Code Execution – VMware vCenter (CVE-2024-38812) 🔻 06:20Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared 🔻 08:33Cross Site Scripting – Roundcube Webmail (CVE-2024-37383) 🔻 09:31SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) 🔻 10:30 Human vulnerabilities: fake reCAPTCHA 🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world 🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities 🔻 16:03 Final and announcement of the contest 🔻 16:24 Backstage
August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It’s up to you, please follow the link to the video platform and click “Like” button and/or leave a comment. 🥺
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.
