May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup. 
Post on Habr (rus)
Digest on the PT website (rus)
A total of 4 trending vulnerabilities:
Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) Elevation of Privilege – Windows Process Activation (CVE-2025-21204) Spoofing – Windows NTLM (CVE-2025-24054) Remote Code Execution – Erlang/OTP (CVE-2025-32433)
About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability. It was patched in the March Microsoft Patch Tuesday. VM vendors didn’t mention this vulnerability in their reviews; it was only known to be exploited via user interaction with a malicious file.
A month later, on April 16, Check Point published a blog post with technical details, revealing that the vulnerability is exploited using specially crafted files…
Wait a minute — there was a trending vulnerability in March MSPT: CVE-2025-24071, related to the same files. 
Turns out, it’s THE SAME vulnerability. 
Check Point reports: “Microsoft had initially assigned the vulnerability the CVE identifier CVE-2025-24071, but it has since been updated to CVE-2025-24054“. What a mess. 
Technical details in the previous post.
Since March 19, Check Point has tracked about 11 campaigns exploiting this vulnerability to collect NTLMv2-SSP hashes.
April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text.
Post on Habr (rus) Digest on the PT website (rus)
A total of 11 trending vulnerabilities:
Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) Spoofing – Windows File Explorer (CVE-2025-24071) Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983) Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) Remote Code Execution – Apache Tomcat (CVE-2025-24813) Remote Code Execution – Kubernetes (CVE-2025-1974)
About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.
The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.
But how does an attacker deliver such a file to the victim? It turns out that just extracting a ZIP/RAR archive with the file is enough to trigger the exploit. No need to open the file.
This is super effective for phishing. 
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.