Tag Archives: DWM

March “In the Trend of VM” (#25): once again, vulnerabilities are only in Microsoft products

March “In the Trend of VM” (#25): once again, vulnerabilities are only in Microsoft products. I present the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. As in February, it turned out to be quite compact and focused on a single vendor.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

All four vulnerabilities are from the February Microsoft Patch Tuesday, and all are actively being exploited in the wild:

🔻 RCE – Windows Shell (CVE-2026-21510)
🔻 RCE – Microsoft Word (CVE-2026-21514)

💬 Microsoft classified the two vulnerabilities above as Security Feature Bypass, but in fact, they are Remote Code Execution.

🔻 EoP – Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP – Desktop Window Manager (CVE-2026-21519)

🟥 The full list of trending vulnerabilities can be found on the portal

About Elevation of Privilege – Desktop Window Manager (CVE-2026-21519) vulnerability

Leave a reply

About Elevation of Privilege – Desktop Window Manager (CVE-2026-21519) vulnerability. The vulnerability is from the February Microsoft Patch Tuesday. Desktop Window Manager is a compositing window manager included in Windows starting with Windows Vista. A Type Confusion error (CWE-843) in Desktop Window Manager allows an authorized attacker to locally elevate privileges to the SYSTEM level. By fixing this vulnerability, Microsoft most likely attempted to counter the same attacker who exploited the January Information Disclosure vulnerability (CVE-2026-20805) in the same component. It is possible that the original fix did not fully resolve the issue.

👾 Microsoft reports that the vulnerability has been exploited in the wild. The vulnerability has been in the CISA KEV since February 10.

🛠 No public exploits are available yet.

На русском

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products

Leave a reply

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products. A traditional monthly roundup of trending vulnerabilities. This time, compact and all-Microsoft.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

In total, two vulnerabilities:

🔻 RCE – Microsoft Office (CVE-2026-21509)
🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

🟥 Trending Vulnerabilities Portal

На русском

February Microsoft Patch Tuesday

Leave a reply

February Microsoft Patch Tuesday. A total of 55 vulnerabilities, half as many as in January. There are as many as six (❗️) vulnerabilities being exploited in the wild:

🔻 SFB/RCE – Windows Shell (CVE-2026-21510)
🔻 SFB/RCE – Microsoft Word (CVE-2026-21514)
🔻 SFB – MSHTML Framework (CVE-2026-21513)
🔻 EoP – Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP – Desktop Window Manager (CVE-2026-21519)
🔻 DoS – Windows Remote Access Connection Manager (CVE-2026-21525)

There is also one vulnerability with a public exploit:

🔸 DoS – libjpeg (CVE-2023-2804)

Notable remaining vulnerabilities:

🔹 RCE – Windows Notepad (CVE-2026-20841)
🔹 Spoofing – Outlook (CVE-2026-21511)
🔹 EoP – Windows Kernel (CVE-2026-21231, CVE-2026-21239, CVE-2026-21245), Windows AFD.sys (CVE-2026-21236, CVE-2026-21238, CVE-2026-21241)

🗒 Full Vulristics report

На русском

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability

Leave a reply

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability. Desktop Window Manager is a compositing window manager that has been part of Windows since Windows Vista. Exploitation of the vulnerability, which was addressed in the January Microsoft Patch Tuesday, allows a local attacker to disclose the “section address from a remote ALPC port which is user-mode memory”.

👾 Microsoft noted that this vulnerability is being exploited in attacks. The vulnerability was added to CISA’s KEV catalog on January 13. There are no public details about the attacks yet, but Rapid7 experts suggest that the disclosed memory address can be used to bypass ASLR, “increasing the chance of developing a stable elevation of privilege exploit for DWM”.

🛠 Public exploit PoCs have been available on GitHub since January 14.

На русском

January Microsoft Patch Tuesday

Leave a reply

January Microsoft Patch Tuesday. A total of 114 vulnerabilities, twice as many as in December. There is one vulnerability with evidence of in-the-wild exploitation:

🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

There are also two vulnerabilities with public exploits:

🔸 RCE – Windows Deployment Services (CVE-2026-0386)
🔸 EoP – Windows Agere Soft Modem Driver (CVE-2023-31096)

Other notable vulnerabilities include:

🔹 RCE – Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP – Desktop Windows Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB – Secure Boot Certificate Expiration (CVE-2026-21265)

Also noteworthy, reported by Positive Technologies:

🟥 EoP – Windows Telephony Service (CVE-2026-20931)

🗒 Full Vulristics report

На русском

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver

Leave a reply

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver. A traditional monthly vulnerability roundup. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 7 trending vulnerabilities:

🔻 Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400)
🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706)
🔻 Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475)
🔻 Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)
🔻 Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443)
🔻 Remote Code Execution – 7-Zip (BDU:2025-01793)

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: DWM

March “In the Trend of VM” (#25): once again, vulnerabilities are only in Microsoft products

About Elevation of Privilege – Desktop Window Manager (CVE-2026-21519) vulnerability

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products

February Microsoft Patch Tuesday

About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability

January Microsoft Patch Tuesday

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver