July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube. A traditional monthly roundup. This time, it’s a very short one. 🙂
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
Only three trending vulnerabilities:
🔻 Remote Code Execution – Internet Shortcut Files (CVE-2025-33053)
🔻 Elevation of Privilege – Windows SMB Client (CVE-2025-33073)
🔻 Remote Code Execution – Roundcube (CVE-2025-49113)
About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability. A vulnerability from the June Microsoft Patch Tuesday. This vulnerability immediately showed signs of exploitation in the wild. This flaw allows a remote attacker to execute arbitrary code when a victim opens a specially crafted .url file, delivered, for example, through a phishing attack.
🔹 The vulnerability was reported by Check Point researchers. On June 10, the day of Microsoft’s June Patch Tuesday, they published technical details on their website. The vulnerability had been exploited by the APT group Stealth Falcon since at least March 2025. The exploitation led to the download and execution of malware (Horus Agent) from the attacker’s WebDAV server.
🔹 Exploits for this vulnerability have been available on GitHub since June 12.
About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability. Roundcube is a popular open-source webmail client (IMAP). An authenticated attacker can exploit this vulnerability to execute arbitrary code on the Roundcube Webmail server. The issue is caused by the Deserialization of Untrusted Data (CWE-502).
🔹 On June 1, the vendor released patched versions 1.6.11 and 1.5.10. Within 48 hours, attackers had analyzed the patch, and exploit sale offers began appearing on the dark web.
🔹 On June 3, PT SWARM experts successfully reproduced the vulnerability.
🔹 Since June 5, public exploits have been available on GitHub.
🔹 On June 6, Kirill Firsov, the researcher who reported the vulnerability, published a detailed write-up. He claims the vulnerability existed in the code for 10 years and that it shows signs of exploitation in the wild.
🔹 On June 16, reports emerged of a successful attack on a German email hosting provider using this vulnerability.
July Microsoft Patch Tuesday. A total of 152 vulnerabilities – twice as many as in June. Of these, 15 vulnerabilities were added between the June and July MSPT. One vulnerability is exploited in the wild:
🔻 Memory Corruption – Chromium (CVE-2025-6554)
One vulnerability has an exploit available on GitHub:
🔸 EoP – Windows Update Service (CVE-2025-48799). This vulnerability may be exploited on Windows 11/10 hosts with two or more hard drives.
Notable among the rest:
🔹 RCE – CDPService (CVE-2025-49724), KDC Proxy Service (CVE-2025-49735), SharePoint (CVE-2025-49704, CVE-2025-49701), Hyper-V DDA (CVE-2025-48822), MS Office (CVE-2025-49695), NEGOEX (CVE-2025-47981), MS SQL Server (CVE-2025-49717)
🔹 InfDisc – MS SQL Server (CVE-2025-49719)
🔹 EoP – MS VHD (CVE-2025-49689), TCP/IP Driver (CVE-2025-49686), Win32k (CVE-2025-49727, CVE-2025-49733, CVE-2025-49667), Graphics Component (CVE-2025-49732, CVE-2025-49744)
About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability. A vulnerability from the June Microsoft Patch Tuesday allows an attacker to execute a malicious script, forcing the victim’s host to connect to the attacker’s SMB server and authenticate, resulting in gaining SYSTEM privileges.
🔹 Details on how to exploit the vulnerability were published on June 11 (the day after MSPT) on the websites of RedTeam Pentesting and Synacktiv companies.
🔹 Exploits for the vulnerability have been available on GitHub since June 15.
🔹 The PT ESC research team confirmed the exploitability of the vulnerability and, on June 24, published an explainer, exploitation methods, and information on detection techniques.
Install the update and enforce SMB signing on domain controllers and workstations.
No in-the-wild exploitation has been reported yet.
June Linux Patch Wednesday. This time, there are 598 vulnerabilities, almost half as many as in May. Of these, 355 are in the Linux Kernel. There are signs of exploitation in the wild for 3 vulnerabilities (CISA KEV).
🔻 SFB – Chromium (CVE-2025-2783)
🔻 MemCor – Chromium (CVE-2025-5419)
🔻 CodeInj – Hibernate Validator (CVE-2025-35036). This vulnerability is exploited in attacks on Ivanti EPMM (CVE-2025-4428).
Additionally, for 40 (❗️) vulnerabilities public exploits are available or there are signs of their existence. Notable among them are:
🔸 RCE – Roundcube (CVE-2025-49113)
🔸 EoP – libblockdev (CVE-2025-6019)
🔸 DoS – Apache Tomcat (CVE-2025-48988), Apache Commons FileUpload (CVE-2025-48976)
🔸 InfDisc – HotelDruid (CVE-2025-44203)
🔸 DoS – ModSecurity (CVE-2025-47947)
I added support for ALT Linux OVAL content in Linux Patch Wednesday. Now I track when specific CVEs were fixed in ALT Linux packages and take that into account when generating the monthly bulletins. The more data sources on patched vulnerabilities in Linux distributions are used, the more accurate the bulletins become. 👍 Especially when those Linux distributions are independent, not derivatives. 😇
Currently, the LPW generator uses 7 OVAL sources:
🔹 Debian
🔹 Ubuntu
🔹 Oracle Linux
🔹 RedOS
🔹 AlmaLinux
🔹 Red Hat
🔹 ALT Linux
Plus one more source from Debian’s mailing list.
I’m a bit late with the June Linux Patch Wednesday review (due to these improvements and my vacation), but I plan to release it soon. Especially since there aren’t that many vulnerabilities this time – only 598. 🙂
На русском
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.