May

May

May Linux Patch Wednesday. This time: 1091 vulnerabilities. Of those, 716 are in the Linux Kernel. 🤯 5 vulnerabilities are exploited in the wild:

🔻 RCE – PHP CSS Parser (CVE-2020-13756). In AttackerKB, an exploit exists.
🔻 DoS – Apache ActiveMQ (CVE-2025-27533). In AttackerKB, an exploit exists.
🔻 SFB – Chromium (CVE-2025-4664). In CISA KEV.
🔻 PathTrav – buildkit (CVE-2024-23652) and MemCor – buildkit (CVE-2024-23651). In BDU FSTEC.

For 52 (❗️) more, there are signs of existing public exploits. Two trending vulnerabilities I’ve mentioned before::

🔸 RCE – Kubernetes “IngressNightmare” (CVE-2025-1974 and 4 others)
🔸 RCE – Erlang/OTP (CVE-2025-32433)

Exploits for these are also notable:

🔸 EoP – Linux Kernel (CVE-2023-53033)
🔸 XSS – Horde IMP (CVE-2025-30349)
🔸 PathTrav – tar-fs (CVE-2024-12905)
🔸 SFB – kitty (CVE-2025-43929)
🔸 DoS – libxml2 (CVE-2025-32414)

🗒 Full Vulristics report

На русском

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

May In the Trend of VM (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 4 trending vulnerabilities:

🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824)
🔻 Elevation of Privilege – Windows Process Activation (CVE-2025-21204)
🔻 Spoofing – Windows NTLM (CVE-2025-24054)
🔻 Remote Code Execution – Erlang/OTP (CVE-2025-32433)

На русском

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability

About Remote Code Execution - 7-Zip (BDU:2025-01793) vulnerability

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability. It’s about the fact that files unpacked using 7-Zip don’t get the Mark-of-the-Web. As a result, Windows security mechanisms don’t block the execution of the unpacked malware. If you remember, there was a similar vulnerability in January – CVE-2025-0411. The problem was with running files from the 7-Zip UI, and a fix has been released. But in this case, the problem is with fully unpacked archives — and the developers aren’t planning to fix it! 🤷‍♂️

Igor Pavlov, the author of the utility, responded to our colleague Konstantin Dymov that not assigning the Mark-of-the-Web by default is intentional behavior. They don’t plan to change the default settings. To have the Mark-of-the-Web applied, you need to set “” to “”.

If 7-Zip is used in your organization, be aware of this insecure default behavior. Apply hardening measures or switch to a different tool.

На русском

I’m done preparing the slides for my talk about Vulristics at PHDays

I'm done preparing the slides for my talk about Vulristics at PHDays

I’m done preparing the slides for my talk about Vulristics at PHDays. 😇 I’ll be speaking on the last day of the festival – Saturday, May 24, at 16:00 in Popov Hall 25. If you’re there at that time, I’d be glad to see you. If not – join online! 😉

I’ll have an hour to dive into Vulristics, vulnerability analysis & prioritization. 🤩 I’ll walk through the Vulristics report structure, typical tasks (like analyzing Microsoft Patch Tuesday, Linux Patch Wednesday, individual trending CVEs, and vulnerability sets), how the work with data sources is organized, the challenges of accurately detecting vulnerability types and vulnerable products. Finally, I’ll discuss Vulristics integration into pipelines. Feel free to use the code – Vulristics is MIT-licensed. 🆓

➡️ Talk on the PHDays website – you can download the .ics calendar file there 😉
⏰ May 24, 2025, 16:00 (MSK)
📍 Luzhniki, Popov Hall 25

На русском

I checked out the European vulnerability database, EUVD, which was officially launched yesterday

I checked out the European vulnerability database, EUVD, which was officially launched yesterdayI checked out the European vulnerability database, EUVD, which was officially launched yesterdayI checked out the European vulnerability database, EUVD, which was officially launched yesterdayI checked out the European vulnerability database, EUVD, which was officially launched yesterdayI checked out the European vulnerability database, EUVD, which was officially launched yesterdayI checked out the European vulnerability database, EUVD, which was officially launched yesterdayI checked out the European vulnerability database, EUVD, which was officially launched yesterday

I checked out the European vulnerability database, EUVD, which was officially launched yesterday. Its usefulness is questionable for now. 🤷‍♂️

🔹 Basically, they pull data from public sources (MITRE CVE DB, CISA KEV, GHSA, EPSS, and a few others), map it under their own EUVD identifier (everything is mapped by CVE 😉), and provide a web interface.

🔹 The web interface is a bit odd. For example, there’s no search by alternative IDs, and CVEs can only be found via full-text search. 🙄

🔹 Do they have original vulns? Sort of. EU CSIRT is a CVE CNA. Vulnerabilities submitted via this CSIRT are shown separately on the EUVD dashboard – but they all have CVE IDs, so you can just view them on MITRE or NVD. So, what’s the point? 🙂

🔹 You can see delays in database updates for recent vulnerabilities, even though the data is available in the upstream databases.

🔹 There’s no effective way to export the database for analysis. The API only lets you export 100 identifiers per request. 😏

На русском

May Microsoft Patch Tuesday

May Microsoft Patch Tuesday

May Microsoft Patch Tuesday. A total of 93 vulnerabilities – about 1.5 times fewer than in April. Of these, 22 were added between the April and May MSPT. There are 5 vulnerabilities show signs of in-the-wild exploitation:

🔻 EoP – Microsoft DWM Core Library (CVE-2025-30400)
🔻 EoP – Windows CLFS Driver (CVE-2025-32701, CVE-2025-32706)
🔻 EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-32709)
🔻 Memory Corruption – Scripting Engine (CVE-2025-30397). RCE when clicking a malicious link. Exploitation requires the “Allow sites to be reloaded in Internet Explorer” option.

There are currently no vulnerabilities with public exploits.

Notable among the rest:

🔹 RCE – Remote Desktop Client (CVE-2025-29966, CVE-2025-29967), Office (CVE-2025-30377, CVE-2025-30386), Graphics Component (CVE-2025-30388), Visual Studio (CVE-2025-32702)
🔹 EoP – Kernel Streaming (CVE-2025-24063), CLFS Driver (CVE-2025-30385)

🗒 Full Vulristics report

На русском

About Remote Code Execution – Erlang/OTP (CVE-2025-32433) vulnerability

About Remote Code Execution - Erlang/OTP (CVE-2025-32433) vulnerability

About Remote Code Execution – Erlang/OTP (CVE-2025-32433) vulnerability. Erlang is a programming language used to build massively scalable soft real-time systems with requirements for high availability. Used in telecom, banking, e-commerce, telephony, and messaging. OTP is a set of Erlang libraries and design principles providing middle-ware to develop these systems.

A message handling vulnerability in the Erlang/OTP SSH server allows an unauthenticated attacker to execute arbitrary code. The code runs in the context of the SSH daemon. If the daemon is running as root, this grants full control over the device.

🔻 The vendor bulletin was released on April 16. Updated versions: OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.

🔻 On April 17, a write-up and a PoC exploit (developed using AI) appeared on the Platform Security blog.

🔻 Cisco devices are affected – and likely not the only ones. 😏

👾 No signs of exploitation in the wild so far.

На русском