May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup. 
Post on Habr (rus)
Digest on the PT website (rus)
A total of 4 trending vulnerabilities:
Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) Elevation of Privilege – Windows Process Activation (CVE-2025-21204) Spoofing – Windows NTLM (CVE-2025-24054) Remote Code Execution – Erlang/OTP (CVE-2025-32433)
May Microsoft Patch Tuesday. A total of 93 vulnerabilities – about 1.5 times fewer than in April. Of these, 22 were added between the April and May MSPT. There are 5 vulnerabilities show signs of in-the-wild exploitation:
EoP – Microsoft DWM Core Library (CVE-2025-30400) EoP – Windows CLFS Driver (CVE-2025-32701, CVE-2025-32706) EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-32709) Memory Corruption – Scripting Engine (CVE-2025-30397). RCE when clicking a malicious link. Exploitation requires the “Allow sites to be reloaded in Internet Explorer” option.
There are currently no vulnerabilities with public exploits.
Notable among the rest:
RCE – Remote Desktop Client (CVE-2025-29966, CVE-2025-29967), Office (CVE-2025-30377, CVE-2025-30386), Graphics Component (CVE-2025-30388), Visual Studio (CVE-2025-32702) EoP – Kernel Streaming (CVE-2025-24063), CLFS Driver (CVE-2025-30385)
About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability. The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level. According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. The exploit was embedded in the PipeMagic malware used by the Storm-2460 group to deploy ransomware.
On May 7, Symantec reported technical details about another exploit for the vulnerability, used by Balloonfly group (associated with the Play ransomware) in an attack on a U.S. organization prior to April 8.
Are there public exploits? According to BDU FSTEC — yes. NVD also lists “exploit links”, but they point to detection and mitigation scripts. 
No mentions yet in exploit packs or on GitHub.
April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text.
Post on Habr (rus) Digest on the PT website (rus)
A total of 11 trending vulnerabilities:
Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) Spoofing – Windows File Explorer (CVE-2025-24071) Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983) Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) Remote Code Execution – Apache Tomcat (CVE-2025-24813) Remote Code Execution – Kubernetes (CVE-2025-1974)
March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application. I’m posting the translated video with a big delay, but it’s better than never. 
Video on YouTube and LinkedIn Post on Habr (rus) Digest on the PT website
Content:
00:00 Greetings 00:31 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2025-21418) 01:12 Elevation of Privilege – Windows Storage (CVE-2025-21391) 01:53 Authentication Bypass – PAN-OS (CVE-2025-0108) 03:09 Remote Code Execution – CommuniGate Pro (BDU:2025-01331) 04:27 The VM riddle: who should patch hosts with a deployed application? 07:11 About the digest of trending vulnerabilities
April Microsoft Patch Tuesday. A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild:
EoP – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet. SFB – Microsoft Edge (CVE-2025-2783). Sandbox escape with an existing PoC exploit. RCE – Microsoft Edge (CVE-2025-24201). Originally reported as a WebKit vuln on Apple OSes.
Microsoft also patched vulnerabilities in Kubernetes with known exploits (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513)
Other notable ones:
RCE – LDAP (CVE-2025-26670, CVE-2025-26663), TCP/IP (CVE-2025-26686), Microsoft Office (CVE-2025-29794, CVE-2025-29793), RDS (CVE-2025-27480, CVE-2025-27482), Hyper-V (CVE-2025-27491) SFB – Kerberos (CVE-2025-29809)
March Microsoft Patch Tuesday. 77 CVEs, 20 of which were added during the month. 7 vulnerabilities with signs of exploitation in the wild:
RCE – Windows Fast FAT File System Driver (CVE-2025-24985) RCE – Windows NTFS (CVE-2025-24993) SFB – Microsoft Management Console (CVE-2025-26633) EoP – Windows Win32 Kernel Subsystem (CVE-2025-24983) InfDisc – Windows NTFS (CVE-2025-24991, CVE-2025-24984) AuthBypass – Power Pages (CVE-2025-24989) – in Microsoft web service, can be ignored
There are no vulnerabilities with public exploits, there are 2 more with private ones:
RCE – Bing (CVE-2025-21355) – in Microsoft web service, can be ignored SFB – Windows Kernel (CVE-2025-21247)
Among the others:
RCE – Windows Remote Desktop Client (CVE-2025-26645) and Services (CVE-2025-24035, CVE-2025-24045), MS Office (CVE-2025-26630), WSL2 (CVE-2025-24084) EoP – Windows Win32 Kernel Subsystem (CVE-2025-24044)
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.