Tag Archives: Microsoft

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability

1 Reply

About Remote Code Execution - Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability. WSUS is a legacy Windows Server component that allows IT administrators to manage the download and installation of Microsoft product updates on computers within a local network. Vulnerability summary: An unauthenticated remote attacker can execute code with SYSTEM privileges on a Windows server with the WSUS Server Role enabled (it is disabled by default) by sending specially crafted POST requests. This is possible due to a flaw in deserializing untrusted data.

⚙️ Initial patches were released on October 14 as part of Microsoft’s October Patch Tuesday.

🛠 A public exploit has been available on GitHub since October 18.

⚙️ On October 24, Microsoft released additional patches to fully address the vulnerability (server reboot is required).

👾 On October 24, the vulnerability was added to the CISA KEV, and there are reports of observed exploitation attempts.

На русском

October Microsoft Patch Tuesday

2 Replies

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. A total of 213 vulnerabilities – twice as many as in September. Of these, 41 vulnerabilities were added between the September and October MSPT. There are four vulnerabilities with evidence of exploitation in the wild:

🔻 SFB – IGEL OS (CVE-2025-47827) – public exploit available
🔻 EoP – Windows Agere Modem Driver (CVE-2025-24990)
🔻 EoP – Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 MemCor – Chromium (CVE-2025-10585)

Another vulnerability with a public PoC exploit:

🔸 RCE – Unity Runtime (CVE-2025-59489)

Among the remaining vulnerabilities with no public exploits or signs of exploitation in the wild, the following stand out:

🔹 RCE – WSUS (CVE-2025-59287), Microsoft Office (CVE-2025-59227, CVE-2025-59234)
🔹 EoP – Windows Agere Modem Driver (CVE-2025-24052), Windows Cloud Files Mini Filter Driver (CVE-2025-55680)

🗒 Full Vulristics Report

На русском

September Microsoft Patch Tuesday

Leave a reply

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. A total of 103 vulnerabilities, 29 fewer than in August. Of these, 25 vulnerabilities were added between the August and September MSPT. So far, no vulnerabilities are known to be exploited in the wild. Two have public PoC exploits:

🔸 DoS – Newtonsoft.Json (CVE-2024-21907)
🔸 EoP – Azure Networking (CVE-2025-54914)

Notable among the other vulnerabilities without public exploits:

🔹 RCE – Microsoft Office (CVE-2025-54910), Windows Graphics Component (CVE-2025-55228), NTFS (CVE-2025-54916), SharePoint (CVE-2025-54897), Microsoft HPC Pack (CVE-2025-55232), Hyper-V (CVE-2025-55224), Graphics Kernel (CVE-2025-55226, CVE-2025-55236)
🔹 EoP – Windows NTLM (CVE-2025-54918), Windows Kernel (CVE-2025-54110), Windows SMB (CVE-2025-55234), Windows TCP/IP Driver (CVE-2025-54093), Hyper-V (CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115)

🗒 Full Vulristics report

На русском

August Microsoft Patch Tuesday

1 Reply

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. A total of 132 vulnerabilities, 20 fewer than in July. Of these, 25 were added between the July and August MSPT. Three are actively exploited, including two related to the trending SharePoint “ToolShell” flaw, exploited since July 17.

🔻 RCE – Microsoft SharePoint Server (CVE-2025-53770)
🔻 Spoofing – Microsoft SharePoint Server (CVE-2025-53771)

Another actively exploited vulnerability affects Chromium:

🔻SFB – Chromium (CVE-2025-6558)

Notable among the rest, without public exploits or exploitation signs, are:

🔹 RCE – SharePoint (CVE-2025-49712), GDI+ (CVE-2025-53766), Windows Graphics Component (CVE-2025-50165), DirectX Graphics Kernel (CVE-2025-50176), Microsoft Office (CVE-2025-53731, CVE-2025-53740), MSMQ (CVE-2025-53144, CVE-2025-53145, CVE-2025-50177)
🔹 EoP – Kerberos (CVE-2025-53779), NTLM (CVE-2025-53778)

🗒 Full Vulristics report

На русском

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint

1 Reply

August In the Trend of VM (#18): vulnerabilities in Microsoft Windows and SharePoint

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint. A traditional monthly roundup – this time, it’s extremely short.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only two trending vulnerabilities:

🔻 Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770). The vulnerability is being widely exploited; attackers may even have gained access to U.S. nuclear secrets. The vulnerability is also relevant for Russia.
🔻 Elevation of Privilege – Windows Update Service (CVE-2025-48799). The vulnerability affects Windows 10/11 installations with at least two hard drives.

На русском

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability

1 Reply

About Elevation of Privilege - Windows Update Service (CVE-2025-48799) vulnerability

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability. This vulnerability is from the July Microsoft Patch Tuesday. Improper link resolution before file access (‘link following’) in the Windows Update Service allows an authorized attacker to elevate privileges to “NT AUTHORITY\SYSTEM”.

🛠 An exploit for this vulnerability was published by researcher Filip Dragović (Wh04m1001) on July 8, the day of MSPT. In the exploit description, he states that the vulnerability affects Windows 10/11 systems with at least two hard drives. If the installation location for new apps is changed to the secondary drive (using Storage Sense), then during the installation of a new app, the wuauserv service will arbitrarily delete folders without checking for symbolic links, leading to to LPE.

🎞 In the demonstration video, Filip Dragović runs the EXE file and gets an administrator console.

👾 No signs of exploitation in the wild yet.

На русском

About Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770) vulnerability

1 Reply

About Remote Code Execution - Microsoft SharePoint Server ToolShell (CVE-2025-53770) vulnerability

About Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770) vulnerability. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. A flaw in the deserialization mechanism of an on-premises SharePoint Server instance allows remote unauthenticated attackers to execute arbitrary code.

👾 On July 18, Eye Security researchers reported mass exploitation of this vulnerability in conjunction with the spoofing vulnerability CVE-2025-53771. CVE-2025-53770 and CVE-2025-53771 are evolutions of the vulnerabilities CVE-2025-49704 and CVE-2025-49706 from the July MSPT.

🔻 On July 19, Microsoft released updates for SharePoint Server 2016, 2019, and Subscription Edition. They also recommended integrating with the Antimalware Scan Interface.

🔨 Public exploits have been available on GitHub since July 21.

На русском