Tag Archives: CLFS

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities. When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode.

The impact of exploiting these vulnerabilities is identical: an attacker can gain SYSTEM privileges. Their CVSS vectors are also the same (Base Score: 7.8).

What’s the difference? Bug type: for CVE-2025-32701 it’s CWE-416: Use After Free, while for CVE-2025-32706 it’s CWE-20: Improper Input Validation. CVE-2025-32701 credits MSTIC, while CVE-2025-32706 credits Google TIG and CrowdStrike ART.

No public exploits or exploitation details yet. But these vulns are likely being used in ransomware attacks, just like the EoP in CLFS (CVE-2025-29824) from April MSPT.

На русском

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

Leave a reply

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup.

Post on Habr (rus)
Digest on the PT website (rus)

A total of 4 trending vulnerabilities:

Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824)
Elevation of Privilege – Windows Process Activation (CVE-2025-21204)
Spoofing – Windows NTLM (CVE-2025-24054)
Remote Code Execution – Erlang/OTP (CVE-2025-32433)

На русском

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability

Leave a reply

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability. The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level.

According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. The exploit was embedded in the PipeMagic malware used by the Storm-2460 group to deploy ransomware.

On May 7, Symantec reported technical details about another exploit for the vulnerability, used by Balloonfly group (associated with the Play ransomware) in an attack on a U.S. organization prior to April 8.

Are there public exploits? According to BDU FSTEC — yes. NVD also lists “exploit links”, but they point to detection and mitigation scripts. No mentions yet in exploit packs or on GitHub.

На русском

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

Leave a reply

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”.

Video on YouTube, LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:00 Greetings
00:28 Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)
01:30 Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138)
02:37 Remote Code Execution – Apache Struts (CVE-2024-53677)
03:31 Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972)
04:44 Trending vulnerabilities for 2024

08:10 Channel mascot

На русском

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical

Leave a reply

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical. Just as I wrote that nothing had been heard about this vulnerability for a month since it was first published in Microsoft’s December Patch Tuesday, a public exploit for it appeared on January 15th. It was developed by Alessandro Iandoli from HN Security. The source code and video demonstrating the exploit are available on GitHub: a local attacker runs an exe file in PowerShell and, after a second, becomes “nt authority/system”. The researcher tested the exploit on Windows 11 23h2. He also promises to publish a blog post with a detailed analysis of the vulnerability.

На русском

What has become known about the Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) vulnerability from the December Microsoft Patch Tuesday a month later?

Leave a reply

What has become known about the Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) vulnerability from the December Microsoft Patch Tuesday a month later? Almost nothing. This is a vulnerability in a standard Windows component, available in all versions starting with Windows Server 2003 R2. Its description is typical for EoP in Windows: if successfully exploited, a local attacker can gain SYSTEM privileges. The cause of the vulnerability is Heap-based Buffer Overflow.

Microsoft has labeled the vulnerability as being exploited in the wild, but has not provided information on where the vulnerability was being exploited or how widespread the attacks were.

The vulnerability was reported by CrowdStrike’s Advanced Research Team. But neither they nor other researchers have provided technical details yet. And there are no exploits yet either.

So install the December Microsoft security updates and let’s wait for news!

Update

На русском

Microsoft Patch Tuesday April 2023: CLFS EoP, Word RCE, MSMQ QueueJumper RCE, PCL6, DNS, DHCP

1 Reply

Microsoft Patch Tuesday April 2023: CLFS EoP, Word RCE, MSMQ QueueJumper RCE, PCL6, DNS, DHCP. Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2023, including vulnerabilities that were added between March and April Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239123

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. And this is the first Patch Tuesday report since I added EPSS support to Vulristics.

Compared to March, Microsoft Patch Tuesday for April 2023 is kind of weak.

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: CLFS

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical

What has become known about the Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) vulnerability from the December Microsoft Patch Tuesday a month later?

Microsoft Patch Tuesday April 2023: CLFS EoP, Word RCE, MSMQ QueueJumper RCE, PCL6, DNS, DHCP