Tag Archives: CISAKEV

About Elevation of Privilege - Microsoft Defender "RedSun" (CVE-2026-41091) vulnerability

About Elevation of Privilege - Microsoft Defender "RedSun" (CVE-2026-41091) vulnerability. Microsoft Defender is a built-in security solution developed by Microsoft to protect the Windows operating system and user data from viruses, malware, and other cyber threats in real time. An improper link resolution vulnerability prior to file access ("link following", CWE-59) in Microsoft Defender, specifically within the Malware Protection Engine component, allows an authenticated local attacker to escalate privileges to SYSTEM level. As a result, an attacker could gain full control over the affected system, including unrestricted access to data, the ability to modify system settings, install software, manage user accounts, and disable security protections.

🛠 An exploit for the vulnerability was published on GitHub by security researcher Nightmare Eclipse on April 15, alongside exploits targeting other Windows component vulnerabilities. The account was later removed by GitHub administrators; however, this did not prevent the exploit code from spreading further.

⚙️ The security advisory and patches were released on May 19 outside Microsoft's regular Patch Tuesday schedule. Versions of Microsoft Malware Protection Engine from 1.1.26030.3008 through 1.1.26040.8 are affected. Systems with Microsoft Defender disabled are not vulnerable. By default, Microsoft Defender automatically updates Windows security components, antivirus definitions, and Microsoft Malware Protection Engine, so no additional user action is typically required. Malware Protection Engine is updated monthly or as new threats emerge, while antivirus definitions are updated several times per day. Update checks may run automatically anywhere from once to several times daily when an Internet connection is available. Manual update checks are also supported.

👾 According to Microsoft, the vulnerability is being exploited in the wild. The vulnerability was added to the CISA KEV catalog on May 20.

💡 Special attention should be paid to server and desktop Windows hosts where Microsoft Defender is not disabled, but Internet access is unavailable for regular updates.

About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability

About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability. PAN-OS is an operating system for Palo Alto Networks firewalls and security platforms. User-ID™ Authentication Portal (also known as Captive Portal) is a non-default PAN-OS feature used to map IP addresses to usernames. By exploiting a buffer overflow vulnerability (CWE-787), an unauthenticated remote attacker can send specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected device. No authentication or user interaction is required. If the vulnerability is successfully exploited, the attacker gains full control over network traffic: they can intercept, modify, or block connections, access sensitive data, bypass security policies, hide traces of compromise, install backdoors, and use the device as a foothold for attacks on internal infrastructure.

⚙️ The vendor security advisory was published on May 6. PA-Series and VM-Series firewalls are affected. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability. Security updates for affected devices became available on May 13. As a workaround, the vendor recommended restricting User-ID™ Authentication Portal access to only trusted internal zones or disabling the User-ID™ Authentication Portal entirely if it is not required.

👾 On the same day, May 6, researchers from Palo Alto Networks Unit 42 published a report on active exploitation of the vulnerability in the wild. Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and systematic destruction of logs and other evidence of compromise. On the same day, the vulnerability was added to the CISA KEV catalog.

🛠 A public exploit was also published on GitHub on May 6.

🌐 PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. As of June 5, Shodan identifies approximately 135,755 internet-facing PAN-OS instances, representing a significant attack surface.

May Linux Patch Wednesday

May Linux Patch Wednesday. A total of 1,638 vulnerabilities (474 in the Linux kernel). For comparison, in April there were 1,035 vulnerabilities (a record!). And this time it turns out to be a record again, more than one and a half times higher! The acceleration is both impressive and alarming. But we will see what happens next. At some point it should stabilize. Although the number of critical vulnerabilities is already so high that reviewing all of them becomes quite problematic. For 7 vulnerabilities there are signs of exploitation in the wild. And for another 264 there are public exploits. Let’s start, as usual, with vulnerabilities being actively exploited according to CISA KEV and VulnCheck KEV data. Here, at the top, as expected, are two high-profile ways to get a root shell:

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431)
🔻 EoP - Linux Kernel "Dirty Frag" (CVE-2026-43500)

Other vulnerabilities being exploited in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-40466). Based on the description, this appears to be a bypass of the fix for CVE-2026-34197, which I already wrote about earlier.

🔻 AuthBypass - Rclone (CVE-2026-41176). Rclone ("rsync for cloud storage") is a command-line utility for synchronizing files and directories between various cloud storage services and local systems. Exploitation of the vulnerability can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

🔻 RCE - NGINX (CVE-2026-42945). The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

🔻 DoS - PgBouncer (CVE-2026-6664). PgBouncer is a lightweight, open-source connection pooler for PostgreSQL databases. It reduces connection overhead by managing a pool of connections to one or more PostgreSQL servers, improving performance and resource efficiency for applications with frequent short-lived database connections. An integer overflow in the network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash.

🔻 XSS - Postorius (CVE-2026-44742). The Postorius Django app provides a web user interface to access GNU Mailman. Mailman is free software for managing electronic mail discussion and e-newsletter lists. The vulnerability is being exploited according to VulnCheck KEV; however, no public exploits have been observed yet.

From the remaining vulnerabilities with public exploits, but without any signs of exploitation in the wild so far, the following can be highlighted:

🔸 RCE - Apache HTTP Server (CVE-2026-23918). Double-free error in Apache httpd mod_http2 stream cleanup, leading to pre-auth RCE.

🔸 RCE - Apache Tomcat (CVE-2026-34486). Apache Tomcat Tribes cluster communication module fails to discard messages when EncryptInterceptor decryption fails, allowing unauthenticated attackers to trigger Remote Code Execution via Java deserialization on port 4000.

🔸 RCE - ProFTPD (CVE-2026-42167). The flaw exists in how mod_sql handles certain logging variables (like %U), allowing an unauthenticated attacker to inject SQL commands via the USER command.

🔸 EoP - Linux Kernel "DirtyDecrypt" (CVE-2026-31635). Linux local privilege escalation in the RxRPC/GSSAPI decryption path. A missing skb_cow_data() check in rxgk_decrypt_skb() allows an unprivileged local attacker to corrupt cache pages and overwrite in-memory contents of read-only files.

🔸 EoP - Linux Kernel "Fragnesia" (CVE-2026-46300). I also analyzed this vulnerability earlier. A bug in skb_try_coalesce() allowing page-cache write via fragmented ESP packets.

🔸 EoP - Linux Kernel (CVE-2026-46333). Local root privilege escalation and credential disclosure in the Linux kernel ptrace path, discovered by researchers at Qualys.

🔸 EoP - PackageKit "Pack2TheRoot" (CVE-2026-41651). PackageKit is a free and open-source suite of software applications designed to provide a consistent and high-level abstraction layer for a number of different package management systems. The vulnerability allows an attacker to escalate privileges, potentially gaining root access or compromising the system.

🔸 ComInj - Composer (CVE-2026-40261, CVE-2026-40176). Composer is a dependency manager for PHP. The vulnerability exists in the Perforce::generateP4Command() method. Due to insufficient sanitization of repository configuration parameters (such as url, p4user, or client) when constructing shell commands, an attacker who controls a composer.json file can execute arbitrary commands on the victim's system when composer install or composer update is executed.

🗒 Full Vulristics report

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. While the previous April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges.

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms.

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft solution widely used in enterprise systems for collaboration, document management, and internal portal development.

🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks.

🟥 The full list of trending vulnerabilities is available on the portal

About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability

About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability. Apache ActiveMQ is a popular open-source message broker written in Java. Its main purpose is to send messages between different services, systems, and microservices without a direct connection between them.

This vulnerability is from the April Linux Patch Wednesday. Details about this vulnerability were published on April 7 in the HORIZON3.ai company blog. They claim that the Apache ActiveMQ Classic vulnerability has been hiding in plain sight for 13 years. An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands. As a result, the attacker can gain access to sensitive information, including messages, credentials, and configuration files, deploy malware, or use the compromised server to conduct further attacks within the internal infrastructure.

The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.

🛠 Public exploits have been available on GitHub since April 8.

👾 Indicators of exploitation in the wild were observed by FortiGuard experts on April 13. The vulnerability was added to the CISA KEV catalog on April 16.

🌐 According to data from The Shadowserver Foundation, as of May 14, approximately 7,000 vulnerable Apache ActiveMQ servers remain exposed on the internet.

⚙️ According to the vendor bulletin, the vulnerability has been fixed in ActiveMQ versions 5.19.4 and 6.2.3. However, according to HORIZON3.ai, it was fixed in 5.19.6 and 6.2.5. It is better to install newer versions. 😉

About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability

About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability. A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system.

What is actually hidden behind this description? In the April review on MSPT, a ZDI expert noted that vulnerabilities of this kind in SharePoint are often associated with XSS attacks.

🛠 On April 23, an exploit was published on GitHub, whose author claims that the vulnerability can be summarized as follows: "An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (reflected XSS), which executes in the security context of the SharePoint site."

In other words, the attacker sends a specially crafted request to the SharePoint server, causing SharePoint to generate a malicious link on behalf of a trusted source. The attacker then passes this link to the user. When the user opens such a link, the injected malicious JavaScript executes in the context of SharePoint, which can be used to steal data from the current session, intercept authentication tokens, as well as perform actions on behalf of the user through the user's active session.

👾 Microsoft experts noted the vulnerability as being exploited in the wild on the day of publication of the April Microsoft Patch Tuesday, April 14. The vulnerability was added to the CISA KEV. On the same day, researchers from Defused reported coordinated reconnaissance activity targeting vulnerable SharePoint servers, which was carried out from four IP addresses between April 1 and April 11.

⚙️ Updates are available for Microsoft SharePoint Server 2016, 2019, and Subscription Edition.

About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability

About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability. A local privilege escalation vulnerability in the Linux kernel AF_ALG component, which is caused by a memory handling flaw, allows an unprivileged user to escalate privileges to root. By exploiting this vulnerability, an attacker can fully compromise the system: read and modify any files, including passwords and keys, replace system binaries, disable security controls and monitoring tools, stealthily install backdoors and maintain persistence, hide traces of their activity, and use the host as a foothold for attacks on other network assets.

⚙️🛠 On April 1, patches addressing the vulnerability were merged into the main branch of the Linux kernel. On April 22, a CVE identifier was assigned to the vulnerability. On April 29, experts from Theori published an analysis of the vulnerability and a public exploit. The vulnerability's exploitability has been confirmed on up-to-date versions of widely used Linux distributions, including Ubuntu, Amazon Linux, RHEL, and SUSE.

👾 On May 1, the vulnerability was added to the CISA KEV catalog, indicating it is being exploited in the wild.

What distinguishes this vulnerability from similar EOP/LPE issues in Linux?

There have been high-profile privilege escalation vulnerabilities in the Linux kernel. Dirty COW required winning a race condition. Multiple attempts were often needed, and this sometimes led to system crashes. Dirty Pipe was tied to specific versions and required precise pipe buffer manipulation.

But unlike Dirty COW and Dirty Pipe, researchers report that Copy Fail is a straight-line logic flaw. It triggers without races, retries, or crash-prone timing windows.

🧬 Portability. The same exploit script works across all tested distributions and architectures, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise. No per-distribution offsets. No recompilation. No version checks in the exploit.

✧ Minimalism. The entire exploit is a short Python script using only standard library modules (os, socket, zlib). It requires Python 3.10+ for os.splice. No compiled payloads, no dependency installation.

🥷 Stealth. The write bypasses the ordinary VFS write path. The corrupted page is never marked dirty by the kernel's writeback machinery. Standard file integrity tools that compare on-disk checksums will not detect it, because the on-disk file remains unchanged. Only the in-memory page cache is corrupted.

📦 Cross-container impact. The page cache is shared across all processes on the system, including across container boundaries. Copy Fail is not just a local privilege escalation. It is a container escape primitive and a vector for Kubernetes node compromise.
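The stealth property described above (the on-disk bytes stay unchanged, only the page cache is corrupted) suggests a simple host-side check. The following Python script is an added example, not code from the original post or from Theori's analysis: it hashes a file twice, once through the page cache as every ordinary tool reads it, and once with O_DIRECT, which on filesystems with direct I/O support is served from disk, and flags any divergence. It assumes Linux, a filesystem that supports O_DIRECT (ext4 and XFS do, tmpfs does not), and that the tampered page is clean, so the direct read reflects the disk; the function names and the default target paths are mine.

```python
"""
Added example, not code from the original post or from Theori's analysis:
detect page-cache-only tampering by comparing what the page cache serves
(a normal read) with what is on disk (an O_DIRECT read).

Assumptions: Linux; a filesystem with O_DIRECT support (ext4/XFS, not tmpfs);
the tampered page is clean, so direct I/O is satisfied from the disk blocks.
"""
import hashlib
import mmap
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB, a multiple of the page size: O_DIRECT wants aligned lengths


def sha256_cached(path):
    """Hash the file the way every normal reader sees it: through the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha256_direct(path):
    """Hash the file's on-disk bytes, bypassing the page cache with O_DIRECT."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    buf = mmap.mmap(-1, CHUNK)        # anonymous mapping: page-aligned, as direct I/O requires
    h = hashlib.sha256()
    try:
        while True:
            n = os.readv(fd, [buf])   # short read at EOF, 0 when the file is exhausted
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def classify(cached_hash, direct_hash):
    """'clean' when page cache and disk agree, 'page-cache-tampered' when they differ."""
    return "clean" if cached_hash == direct_hash else "page-cache-tampered"


def check_file(path):
    return classify(sha256_cached(path), sha256_direct(path))


def selfcheck():
    """Write constructed sample bytes to a temp file and confirm both readers match hashlib."""
    data = b"constructed sample content\n" * 4096   # constructed input; size is sector-aligned
    expected = hashlib.sha256(data).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        ok = sha256_cached(path) == expected
        try:
            ok = ok and sha256_direct(path) == expected
        except OSError:
            pass   # no O_DIRECT on this filesystem (e.g. tmpfs): only the cached reader is verified
        return ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    # Typical targets: setuid binaries and other root-owned files an exploit would overwrite in cache
    for p in sys.argv[1:] or ["/usr/bin/passwd", "/usr/bin/sudo"]:
        try:
            print(p, check_file(p))
        except OSError as e:
            print(p, "skipped:", e)   # e.g. EINVAL when the filesystem has no O_DIRECT support
```

A "page-cache-tampered" result means every subsequent reader of that file, including processes that execute it, gets the cached content rather than what the checksum-based integrity tool verified on disk, until the page is evicted or the host is rebooted. Files on tmpfs or other filesystems without direct I/O are skipped rather than reported as clean.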

How to fix the vulnerability?

To remediate the vulnerability, users need to update to Linux kernel versions 6.18.22, 6.19.12, and 7.0. The kernel can be built manually, or users can wait for their Linux distribution vendor to release updated kernel packages. As of May 4, updates have been released for Ubuntu, Debian, RHEL, Fedora, SUSE, CloudLinux, Arch Linux, and ROSA Linux.

As a workaround, researchers suggest blocking the creation of AF_ALG sockets:

# Prevent the algif_aead module from being loaded on demand
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
# Unload it if it is currently loaded; the error when it is not loaded is ignored
rmmod algif_aead 2>/dev/null
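To confirm that the workaround (and, where applicable, the kernel update) is actually in effect on a host, here is an added Python checker; it is not code from the original post or from Theori. It parses modprobe install rules for algif_aead, checks /sys/module for the loaded module, and judges the kernel release only against the fixed versions named above (6.18.22, 6.19.12, 7.0); any other branch, including distribution kernels whose backported fixes do not change uname -r, is reported as unknown rather than guessed. The config path, function names and status labels are my assumptions.

```python
"""
Added example, not code from the original post or from Theori: verify that the
AF_ALG workaround for Copy Fail is in effect and whether the running kernel is
one of the fixed releases the post names.

Assumptions: Linux; modprobe configuration under /etc/modprobe.d; only the
6.18.x, 6.19.x and 7.x branches can be judged from the version string, so
other releases (e.g. distribution kernels with backports) report 'unknown'.
"""
import glob
import os
import re

MODULE = "algif_aead"
FIXED = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}   # first fixed release per branch (from the post)
FIXED_MAJOR = 7                                         # 7.0 and later (from the post)

INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(.+?)\s*$")


def parse_install_rules(text):
    """Return {module: command} for every 'install <module> <command>' line in modprobe config text."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = INSTALL_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def install_rule_blocks(rules, module=MODULE):
    """True if the install command for `module` is the usual 'refuse to load' idiom."""
    cmd = rules.get(module)
    return cmd is not None and cmd.split()[0] in ("/bin/false", "/bin/true", "false", "true")


def modprobe_blocks_module(confdir="/etc/modprobe.d", module=MODULE):
    """Merge all *.conf files in the directory and check for a blocking install rule."""
    rules = {}
    for path in sorted(glob.glob(os.path.join(confdir, "*.conf"))):
        with open(path, encoding="utf-8", errors="replace") as f:
            rules.update(parse_install_rules(f.read()))
    return install_rule_blocks(rules, module)


def module_loaded(module=MODULE):
    """/sys/module/<name> exists while the module is loaded (and for built-in code with parameters)."""
    return os.path.isdir(os.path.join("/sys/module", module))


def kernel_has_fix(release):
    """
    True/False for the branches the post names; None when the release string
    cannot be judged (other branches, distribution kernels carrying backports).
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major >= FIXED_MAJOR:
        return True
    first_fixed = FIXED.get((major, minor))
    if first_fixed is None:
        return None
    return (major, minor, patch) >= first_fixed


def assess(release, blocked, loaded):
    """'patched', 'mitigated' (workaround active, module not loaded), 'vulnerable' or 'unknown'."""
    fixed = kernel_has_fix(release)
    if fixed:
        return "patched"
    if blocked and not loaded:
        return "mitigated"
    if fixed is False:
        return "vulnerable"
    return "unknown"


if __name__ == "__main__":
    rel = os.uname().release
    print(rel, assess(rel, modprobe_blocks_module(), module_loaded()))
```

An install rule alone is not enough: if algif_aead is already loaded, the rule only stops future loads, which is why the post's workaround also runs rmmod and why assess() reports "mitigated" only when the module is absent. An "unknown" verdict should be resolved from the distribution's advisory for its kernel package rather than from the version string.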