Tag Archives: PHP

May Linux Patch Wednesday

Leave a reply

May Linux Patch Wednesday

May Linux Patch Wednesday. A total of 1,638 vulnerabilities (474 in the Linux kernel). For comparison, in April there were 1,035 vulnerabilities (a record!). And this time it turns out to be a record again, more than one and a half times higher! The acceleration is both impressive and alarming. But we will see what happens next. At some point it should stabilize. Although the number of critical vulnerabilities is already so high that reviewing all of them becomes quite problematic. For 7 vulnerabilities there are signs of exploitation in the wild. And for another 264 there are public exploits. Let’s start, as usual, with vulnerabilities being actively exploited according to CISA KEV and VulnCheck KEV data. Here, at the top, as expected, are two high-profile ways to get a root shell:

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431)
🔻 EoP - Linux Kernel "Dirty Frag" (CVE-2026-43500)

Other vulnerabilities being exploited in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-40466). Based on the description, this appears to be a bypass of the fix for CVE-2026-34197, which I already wrote about earlier.

🔻 AuthBypass - Rclone (CVE-2026-41176). Rclone ("rsync for cloud storage") is a command-line utility for synchronizing files and directories between various cloud storage services and local systems. Exploitation of the vulnerability can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

🔻 RCE - NGINX (CVE-2026-42945). The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

🔻 DoS - PgBouncer (CVE-2026-6664). PgBouncer is a lightweight, open-source connection pooler for PostgreSQL databases. It reduces connection overhead by managing a pool of connections to one or more PostgreSQL servers, improving performance and resource efficiency for applications with frequent short-lived database connections. An integer overflow in the network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash.

🔻 XSS - Postorius (CVE-2026-44742). The Postorius Django app provides a web user interface to access GNU Mailman. Mailman is free software for managing electronic mail discussion and e-newsletter lists. The vulnerability is being exploited according to VulnCheck KEV; however, no public exploits has been observed yet.

From the remaining vulnerabilities with public exploits, but without any signs of exploitation in the wild so far, the following can be highlighted:

🔸 RCE - Apache HTTP Server (CVE-2026-23918). Double-free error in Apache httpd mod_http2 stream cleanup, leading to pre-auth RCE.

🔸 RCE - Apache Tomcat (CVE-2026-34486). Apache Tomcat Tribes cluster communication module fails to discard messages when EncryptInterceptor decryption fails, allowing unauthenticated attackers to trigger Remote Code Execution via Java deserialization on port 4000.

🔸 RCE - ProFTPD (CVE-2026-42167). The flaw exists in how mod_sql handles certain logging variables (like %U), allowing an unauthenticated attacker to inject SQL commands via the USER command.

🔸 EoP - Linux Kernel "DirtyDecrypt" (CVE-2026-31635). Linux local privilege escalation in the RxRPC/GSSAPI decryption path. A missing skb_cow_data() check in rxgk_decrypt_skb() allows an unprivileged local attacker to corrupt cache pages and overwrite in-memory contents of read-only files.

🔸 EoP - Linux Kernel "Fragnesia" (CVE-2026-46300). I also analyzed this vulnerability earlier. A bug in skb_try_coalesce() allowing page-cache write via fragmented ESP packets.

🔸 EoP - Linux Kernel (CVE-2026-46333). Local root privilege escalation and credential disclosure in the Linux kernel ptrace path, discovered by researchers at Qualys.

🔸 EoP - PackageKit "Pack2TheRoot" (CVE-2026-41651). PackageKit is a free and open-source suite of software applications designed to provide a consistent and high-level abstraction layer for a number of different package management systems. The vulnerability allows an attacker to escalate privileges, potentially gaining root access or compromising the system.

🔸 ComInj - Composer (CVE-2026-40261, CVE-2026-40176). Composer is a dependency manager for PHP. The vulnerability exists in the Perforce::generateP4Command() method. Due to insufficient sanitization of repository configuration parameters (such as url, p4user, or client) when constructing shell commands, an attacker who controls a composer.json file can execute arbitrary commands on the victim's system when composer install or composer update is executed.

🗒 Full Vulristics report

July Linux Patch Wednesday

1 Reply

July Linux Patch Wednesday

July Linux Patch Wednesday. This time, there are 470 vulnerabilities, slightly fewer than in June. Of these, 291 are in the Linux Kernel. One vulnerability shows signs of being exploited in the wild (CISA KEV):

🔻 SFB - Chromium (CVE-2025-6554)

There are also 36 (❗️) vulnerabilities for which public exploits are available or suspected to exist. Notable among them:

🔸 RCE - Redis (CVE-2025-32023), pgAdmin (CVE-2024-3116), Git (CVE-2025-48384)
🔸 EoP - Sudo (CVE-2025-32462, CVE-2025-32463)
🔸 PathTrav - Tar (CVE-2025-45582)
🔸 XSS - jQuery (CVE-2012-6708)
🔸 SFB - PHP (CVE-2025-1220)
🔸 DoS - LuaJIT (CVE-2024-25177), Linux Kernel (CVE-2025-38089)
🔸 MemCor - DjVuLibre (CVE-2025-53367)

🗒 Full Vulristics report

На русском

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

2 Replies

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024).

All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian products did not reach the level of criticality required to classify them as trending.

For 55 of all trending vulnerabilities there are currently signs of exploitation in attacks, for 17 there are public exploits (but no signs of exploitation) and for the remaining 2 there is only a possibility of future exploitation.

Vulnerabilities were often added to trending ones before signs of exploitation in the wild appeared. For example, the remote code execution vulnerability in VMware vCenter (CVE-2024-38812) was added to the list of trending vulnerabilities on September 20, 3 days after the vendor's security bulletin appeared. There were no signs of exploitation in the wild or public exploit for this vulnerability. Signs of exploitation appeared only 2 months later, on November 18.

Most of the vulnerabilities in the trending list are of the following types: Remote Code or Command Execution (24) and Elevation of Privilege (21).

4 vulnerabilities in Barracuda Email Security Gateway (CVE-2023-2868), MOVEit Transfer (CVE-2023-34362), papercut (CVE-2023-27350) and SugarCRM (CVE-2023-22952) were added in early January 2024. These vulnerabilities were massively exploited in the West in 2023, and attacks using these vulnerabilities could also tangentially affect those domestic Russian organizations where these products had not yet been taken out of service. The rest of the vulnerabilities became trending in 2024.

34 trending vulnerabilities affect Microsoft products (45%).

🔹 17 of them are Elevation of Privilege vulnerabilities in the Windows kernel and standard components.

🔹 1 Remote Code Execution vulnerability in Windows Remote Desktop Licensing Service (CVE-2024-38077).

2 trending Elevation of Privilege vulnerabilities affect Linux systems: one in nftables (CVE-2024-1086), and the second in needrestart (CVE-2024-48990).

Other groups of vulnerabilities

🔻 Phishing attacks: 19 (Windows components, Outlook, Exchange, Ghostscript, Roundcube)
🔻 Network security and entry points: 13 (Palo Alto, Fortinet, Juniper, Ivanti, Check Point, Zyxel)
🔻 Virtual infrastructure and backups: 7 (VMware, Veeam, Acronis)
🔻 Software development: 6 (GitLab, TeamCity, Jenkins, PHP, Fluent Bit, Apache Struts)
🔻 Collaboration tools: 3 (Atlassian Confluence, XWiki)
🔻 CMS WordPress plugins: 3 (LiteSpeed Cache, The Events Calendar, Hunk Companion)

🗒 Full Vulristics report

🟥 Article on the official website "Vulnerable software and hardware vs. security researchers" (rus)

На русском

Trending vulnerabilities for June according to Positive Technologies

Leave a reply

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section "Trending VM" in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the "Trending VM" section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

The Remote Code Execution vulnerability - PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

1 Reply

The Remote Code Execution vulnerability - PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

The Remote Code Execution vulnerability - PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks. I already had a post about this vulnerability earlier. Now Imperva Threat Research reports that this vulnerability is being used by attackers to deliver malware identified as a component of the TellYouThePass ransomware.

⏳ The attacks were noticed on June 8, less than 48 hours after the PHP developers released a patch. The attacks used an exploit that by that time was already publicly available.

TellYouThePass attacks have been reported since 2019. They target enterprises and individuals. Attackers encrypt both Windows and Linux infrastructure.

What conclusions can be drawn? If you see a vulnerability with a public exploit and a more or less clear vector of exploitation, don’t be lazy to patch it as quickly as possible. Because attackers will definitely not be too lazy to add this exploit to their malware. 😉

На русском

Critical Remote Code Execution - PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

1 Reply

Critical Remote Code Execution - PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Critical Remote Code Execution - PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit. CVSS 9.8. On June 6, PHP developers released an update to fix an RCE vulnerability which exists due to incorrect work with the Best-Fit encoding conversion function in the Windows operating system. An unauthenticated attacker performing an argument injection attack can bypass protection against the old actively exploited RCE vulnerability CVE-2012-1823 using certain character sequences and thus execute arbitrary code. Exploits for the vulnerability are already available on GitHub. The Shadowserver Foundation has noticed active scans aimed at detecting vulnerable hosts. 👾

The vulnerability affects all versions of PHP installed on the Windows operating system.

🔻 PHP 8.3 < 8.3.8
🔻 PHP 8.2 < 8.2.20
🔻 PHP 8.1 < 8.1.29 PHP 8.0, PHP 7 and PHP 5 are also vulnerable, but they are already in End-of-Life and are not supported. 🤷‍♂️ It is specifically emphasized that all XAMPP installations are also vulnerable by default. XAMPP is a free and open-source cross-platform web server solution containing Apache, MariaDB, PHP, Perl and a large number of additional libraries. If updating to the latest version of PHP is not possible, researchers from DEVCORE suggest configuration recommendations that prevent vulnerability exploitation. However, these recommendations apply to installations on Windows with certain language locales (Traditional Chinese, Simplified Chinese, Japanese) for which the exploitation of the vulnerability has been verified. For other locales, due to the wide range of PHP use cases, it is currently impossible to fully list and exclude all potential exploitation scenarios. Therefore, users are advised to conduct a comprehensive asset assessment, check PHP usage scenarios, and update PHP to the latest version.

На русском

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0

1 Reply

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0. Vulners Team released today the second version of their Web Vulnerability Scanning plugin for Google Chrome browser. You can read my description of the version 1.0 at “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome“.

Vulners web vulnerability scanner v.2.0

Killing feature of Vulners web scanner v. 2.0 is that you can now see all vulnerabilities on all scanned sites in a single window. You don’t need to checks all Google Chrome tabs manually.

Moreover, if some sites make request to other servers, for example googleapis.com, these servers will be checked automatically.

The plugin was fully refactored and now it is React driven. It works faster, analysis more data sources and detects vulnerabilities more accurately.

Continue reading