About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability

About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability. This vulnerability was fixed in the January Microsoft Patch Tuesday (MSPT). At the time of the MSPT release on January 13, VM vendors did not highlight this vulnerability in their reviews, and Microsoft reported no evidence of exploitation in the wild. The CVSS vector was initially rated as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8). The "PR:L" indicates that authentication was required to exploit the vulnerability. However, on March 17, Microsoft updated both the vulnerability description and its CVSS vector. The updated CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The "PR:N" indicates that authentication is not required for exploitation.

Current vulnerability description:

"Deserialization of untrusted data (CWE-502) in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server."

👾 On March 18, the vulnerability was added to the CISA KEV catalog. No detailed information about exploitation is available yet, and there are currently no public exploits. However, in terms of potential impact, this vulnerability may be comparable to last year's RCE "ToolShell" (CVE-2025-49704).

The situation surrounding this vulnerability demonstrates that the criticality of any vulnerability cannot be determined once and for all. Indicators of exploitation in the wild or public exploits may emerge at any time, and the vendor may also revise the vulnerability description and CVSS metrics for various reasons. Therefore, all vulnerabilities detected within an infrastructure must be continuously monitored (either internally or via a VM vendor), with their criticality regularly reassessed and remediation deadlines adjusted accordingly.

Given that the status of any specific vulnerability may change at any time, it is not advisable to dismiss vulnerabilities as definitively non-critical or non-exploitable. A responsible approach assumes that all detected vulnerabilities require remediation, prioritized according to their continuously updated risk levels.

March Linux Patch Wednesday

March Linux Patch Wednesday. In March, Linux vendors began addressing 575 vulnerabilities, which is 57 fewer than in February. Of these, 93 are in the Linux Kernel (⬇️ a significant decrease - there were 305 in February). There are two vulnerabilities with signs of in-the-wild exploitation:

🔻 RCE - Chromium (CVE-2026-3909, CVE-2026-3910)

Additionally, for 130 (❗️) vulnerabilities, public exploits are available or there are indications of their existence. Notable ones include:

🔸 RCE - Caddy (CVE-2026-27590), NLTK (CVE-2025-14009), Rollup (CVE-2026-27606), GVfs (CVE-2026-28296), SPIP (CVE-2026-27475), OpenStack Vitrage (CVE-2026-28370)
🔸 AuthBypass - Curl (CVE-2026-3783), coTURN (CVE-2026-27624), Libsoup (CVE-2026-3099)
🔸 InfDisc - Glances (CVE-2026-30928, CVE-2026-32596)
🔸 PathTrav - gSOAP (CVE-2019-25355), basic-ftp (CVE-2026-27699)
🔸 EoP - Snapd (CVE-2026-3888), GNU Inetutils (CVE-2026-28372)
🔸 SFB - Caddy (CVE-2026-27585, CVE-2026-27587/88/89), Keycloak (CVE-2026-1529), PyJWT (CVE-2026-32597), Authlib (CVE-2026-27962, CVE-2026-28498, CVE-2026-28802)
🔸 CodeInj - lxml_html_clean (CVE-2026-28350), ormar (CVE-2026-26198)
🔸 SSRF - Libsoup (CVE-2026-3632)

🗒 Full Vulristics report

March "In the Trend of VM" (#25): once again, vulnerabilities are only in Microsoft products

March "In the Trend of VM" (#25): once again, vulnerabilities are only in Microsoft products. I present the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. As in February, it turned out to be quite compact and focused on a single vendor.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

All four vulnerabilities are from the February Microsoft Patch Tuesday, and all are actively being exploited in the wild:

🔻 RCE - Windows Shell (CVE-2026-21510)
🔻 RCE - Microsoft Word (CVE-2026-21514)

💬 Microsoft classified the two vulnerabilities above as Security Feature Bypass, but in fact, they are Remote Code Execution.

🔻 EoP - Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP - Desktop Window Manager (CVE-2026-21519)

🟥 The full list of trending vulnerabilities can be found on the portal

About the Remote Code Execution Vulnerability - n8n (CVE-2025-68613)

About the Remote Code Execution Vulnerability - n8n (CVE-2025-68613). n8n is a workflow automation platform available under a fair-code license. Improper Control of Dynamically-Managed Code Resources (CWE-913) in the n8n workflow expression evaluation system allows a remote authenticated attacker without administrative privileges to execute arbitrary code.

⚙️ The vulnerability was fixed in late December 2025.

⚒️ Exploits on GitHub have been available since December 22, including those for combined exploitation with CVE-2026-21858 (Ni8mare).

👾 On December 26, a detailed write-up by Resecurity was published, reporting signs of exploitation in the wild. On February 27, Akamai reported exploitation of the vulnerability by Zerobot malware. On March 11, the vulnerability was added to the CISA KEV.

🌐 In January, CyberOK SKIPA recorded just under 9,000 active n8n instances in the Runet, ~70% of which were vulnerable.

About Elevation of Privilege - Desktop Window Manager (CVE-2026-21519) vulnerability

About Elevation of Privilege - Desktop Window Manager (CVE-2026-21519) vulnerability. The vulnerability is from the February Microsoft Patch Tuesday. Desktop Window Manager is a compositing window manager included in Windows starting with Windows Vista. A Type Confusion error (CWE-843) in Desktop Window Manager allows an authorized attacker to locally elevate privileges to the SYSTEM level. By fixing this vulnerability, Microsoft most likely attempted to counter the same attacker who exploited the January Information Disclosure vulnerability (CVE-2026-20805) in the same component. It is possible that the original fix did not fully resolve the issue.

👾 Microsoft reports that the vulnerability has been exploited in the wild. The vulnerability has been in the CISA KEV since February 10.

🛠 No public exploits are available yet.

About Elevation of Privilege - Windows RDS (CVE-2026-21533) vulnerability

About Elevation of Privilege - Windows RDS (CVE-2026-21533) vulnerability. The vulnerability is from the February Microsoft Patch Tuesday. Remote Desktop Services (RDS) is a component of Microsoft Windows that allows a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection using the Remote Desktop Protocol (RDP). Improper Privilege Management (CWE-269) in Windows Remote Desktop allows a local attacker to gain SYSTEM privileges. According to CrowdStrike, the exploit binary modifies a service configuration key, allowing the attacker to elevate privileges and "add a new user to the Administrator group".

👾 Microsoft reports exploitation of the vulnerability in the wild. The vulnerability has been listed in the CISA KEV since February 10.

🛠 No public exploits are available yet, but there are reports of the exploit being advertised for sale for $220,000 on a dark forum.

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. A total of 79 vulnerabilities, about one and a half times more than in February. What's truly unusual is that this time there were no vulnerabilities with signs of exploitation in the wild or a public exploit! 🤔 At least not yet. 😏

The following vulnerabilities can be highlighted:

🔹 RCE - Print Spooler (CVE-2026-23669), Office (CVE-2026-26110, CVE-2026-26113), Excel (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112), SharePoint Server (CVE-2026-26106, CVE-2026-26114)
🔹 EoP - SQL Server (CVE-2026-21262, CVE-2026-26115, CVE-2026-26116), Windows Kernel (CVE-2026-24287, CVE-2026-24289, CVE-2026-26132), Windows Win32k (CVE-2026-24285), SMB Server (CVE-2026-24294, CVE-2026-26128), Windows Graphics Component (CVE-2026-23668), .NET (CVE-2026-26131)
🔹 DoS - .NET (CVE-2026-26127)

🗒 Full Vulristics report