Tag Archives: Microsoft

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux. The usual monthly roundup. After several months, here’s a big one. 🔥

🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)

A total of nine vulnerabilities:

🔻 RCE – Windows Server Update Services (WSUS) (CVE-2025-59287)
🔻 RCE – Microsoft SharePoint “ToolShell” (CVE-2025-49704)
🔻 RCE – Windows LNK File (CVE-2025-9491)
🔻 EoP – Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 EoP – Windows Agere Modem Driver (CVE-2025-24990)
🔻 RCE – Redis “RediShell” (CVE-2025-49844)
🔻 RCE – XWiki Platform (CVE-2025-24893)
🔻 XSS – Zimbra Collaboration (CVE-2025-27915)
🔻 EoP – Linux Kernel (CVE-2025-38001)

🟥 Trending Vulnerabilities Portal

November Microsoft Patch Tuesday

November Microsoft Patch Tuesday. A total of 65 vulnerabilities. I’m not comparing this with the October report because I’ve decided to cover only MSPT-day vulnerabilities. The thing is, Microsoft has started massively adding Linux-product vulnerabilities to their official website, and these clutter the “extended” MSPT reports. 🤷‍♂️

There is one vulnerability with evidence of in-the-wild exploitation:

🔻 EoP – Windows Kernel (CVE-2025-62215)

No vulnerabilities have publicly available exploits yet. Notable ones include:

🔹 RCE – GDI+ (CVE-2025-60724), Microsoft Office (CVE-2025-62199), Microsoft Office (CVE-2025-62205, CVE-2025-62216), Agentic AI and Visual Studio Code (CVE-2025-62222), Visual Studio (CVE-2025-62214)
🔹 EoP – Windows Client-Side Caching (CVE-2025-60705), Windows Ancillary Function Driver for WinSock (CVE-2025-60719, CVE-2025-62213, CVE-2025-62217), Microsoft SQL Server (CVE-2025-59499)

🗒 Full Vulristics report

About Remote Code Execution – Microsoft SharePoint “ToolShell” (CVE-2025-49704) vulnerability

About Remote Code Execution – Microsoft SharePoint “ToolShell” (CVE-2025-49704) vulnerability. This vulnerability is from Microsoft’s July Patch Tuesday. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. Deserialization of untrusted data in the DataSetSurrogateSelector class leads to remote code execution in the context of the SharePoint web server process. Exploitation requires authentication, which can be obtained, for example, via CVE-2025-49706 (the “ToolShell” chain).

🔬 The “ToolShell” chain was demonstrated by the Viettel Cyber Security team at Pwn2Own Berlin, May 15–17, 2025 (prize $100,000).

👾 Signs of exploitation in the wild have been observed since July 7. The vulnerability was added to CISA KEV on July 22.

🛠 Public exploits have been available on GitHub since July 21.

➡️ Later “ToolShell” vulnerabilities: CVE-2025-53770 and CVE-2025-53771.

About Elevation of Privilege – Windows Remote Access Connection Manager (CVE-2025-59230) vulnerability

About Elevation of Privilege – Windows Remote Access Connection Manager (CVE-2025-59230) vulnerability. A vulnerability from the October Microsoft Patch Tuesday. The Windows Remote Access Connection Manager (RasMan) service is a core Windows component that manages dial-up and Virtual Private Network (VPN) connections, ensuring secure communication between a computer and remote networks. An access control flaw in the RasMan service could allow an authenticated attacker to elevate privileges to the SYSTEM level.

👾 On October 14, Microsoft reported signs of the vulnerability being exploited in the wild. On October 22, it was added to the CISA KEV catalog. No further details about the attacks have been disclosed so far.

🛠 No public exploits have been observed yet.

About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability

About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability. A vulnerability in the Microsoft Windows shortcut (.LNK) handling mechanism allows malicious command-line arguments to be hidden in the Target field using whitespace characters, making them invisible to standard tools. Opening such an LNK file may lead to arbitrary code execution.

🔻 Peter Girnus, an expert at Trend Micro, notified Microsoft about the vulnerability on September 20, 2024, but they decided not to fix it. 🤷‍♂️ On August 26, 2025, this 0-day vulnerability (ZDI-CAN-25373) was assigned the identifier CVE-2025-9491.

👾 On March 18, 2025, Trend Micro reported that this vulnerability was exploited in APT attacks, and on October 30, Arctic Wolf Labs confirmed it was used to deploy PlugX malware against Hungarian and Belgian diplomatic missions.

🛠 The method for modifying .LNK files is described in the Trend Micro report.
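A triage check for the padding described above, as an added example that is not part of the original post: it reads the command-line arguments out of a shortcut using the public MS-SHLLINK layout and reports the longest run of whitespace. The function names, the set of padding characters and the threshold of 32 are assumptions made for this sketch.

```python
import struct

# StringData fields in on-disk order, with the LinkFlags bit that enables each.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
PAD_CHARS = " \t\n\x0b\x0c\r"  # assumption: ASCII whitespace counts as padding
PAD_THRESHOLD = 32             # assumption: tune against your own shortcut baseline


def lnk_arguments(data: bytes) -> str:
    """Return COMMAND_LINE_ARGUMENTS from a shell link, or '' if the field is absent."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    wide = bool(flags & 0x80)  # IsUnicode: strings are UTF-16LE
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # length in characters
        size = count * 2 if wide else count
        raw = data[pos + 2:pos + 2 + size]
        pos += 2 + size
        if field == "arguments":
            return raw.decode("utf-16-le" if wide else "cp1252", "replace")
    return ""


def longest_pad_run(args: str) -> int:
    """Length of the longest consecutive run of padding characters."""
    best = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        best = max(best, run)
    return best


def is_suspicious(data: bytes) -> bool:
    return longest_pad_run(lnk_arguments(data)) >= PAD_THRESHOLD


def constructed_sample(args: str) -> bytes:
    """Constructed fixture: header plus arguments only, no target, not a usable shortcut."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), 0x20 | 0x80) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `is_suspicious` over the bytes of shortcuts collected from mail attachments, archives or user profiles; a hit means the full argument string should be reviewed, since legitimate shortcuts rarely carry long whitespace runs.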

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability. WSUS is a legacy Windows Server component that allows IT administrators to manage the download and installation of Microsoft product updates on computers within a local network. Vulnerability summary: An unauthenticated remote attacker can execute code with SYSTEM privileges on a Windows server with the WSUS Server Role enabled (it is disabled by default) by sending specially crafted POST requests. This is possible due to a flaw in deserializing untrusted data.

⚙️ Initial patches were released on October 14 as part of Microsoft’s October Patch Tuesday.

🛠 A public exploit has been available on GitHub since October 18.

⚙️ On October 24, Microsoft released additional patches to fully address the vulnerability (server reboot is required).

👾 On October 24, the vulnerability was added to the CISA KEV, and there are reports of observed exploitation attempts.

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. A total of 213 vulnerabilities – twice as many as in September. Of these, 41 vulnerabilities were added between the September and October MSPT. There are four vulnerabilities with evidence of exploitation in the wild:

🔻 SFB – IGEL OS (CVE-2025-47827) – public exploit available
🔻 EoP – Windows Agere Modem Driver (CVE-2025-24990)
🔻 EoP – Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 MemCor – Chromium (CVE-2025-10585)

Another vulnerability with a public PoC exploit:

🔸 RCE – Unity Runtime (CVE-2025-59489)

Among the remaining vulnerabilities with no public exploits or signs of exploitation in the wild, the following stand out:

🔹 RCE – WSUS (CVE-2025-59287), Microsoft Office (CVE-2025-59227, CVE-2025-59234)
🔹 EoP – Windows Agere Modem Driver (CVE-2025-24052), Windows Cloud Files Mini Filter Driver (CVE-2025-55680)

🗒 Full Vulristics Report
