May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup. 🙂
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
A total of 4 trending vulnerabilities:
🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824)
🔻 Elevation of Privilege – Windows Process Activation (CVE-2025-21204)
🔻 Spoofing – Windows NTLM (CVE-2025-24054)
🔻 Remote Code Execution – Erlang/OTP (CVE-2025-32433)
I’m done preparing the slides for my talk about Vulristics at PHDays. 😇 I’ll be speaking on the last day of the festival – Saturday, May 24, at 16:00 in Popov Hall 25. If you’re there at that time, I’d be glad to see you. If not – join online! 😉
I’ll have an hour to dive into Vulristics, vulnerability analysis & prioritization. 🤩 I’ll walk through the Vulristics report structure, typical tasks (like analyzing Microsoft Patch Tuesday, Linux Patch Wednesday, individual trending CVEs, and vulnerability sets), how the work with data sources is organized, the challenges of accurately detecting vulnerability types and vulnerable products. Finally, I’ll discuss Vulristics integration into pipelines. Feel free to use the code – Vulristics is MIT-licensed. 🆓
➡️ Talk on the PHDays website – you can download the .ics calendar file there 😉
⏰ May 24, 2025, 16:00 (MSK)
📍 Luzhniki, Popov Hall 25
April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text. 🤷♂️🙂
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
A total of 11 trending vulnerabilities:
🔻 Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085)
🔻 Spoofing – Windows File Explorer (CVE-2025-24071)
🔻 Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983)
🔻 Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
🔻 Remote Code Execution – Apache Tomcat (CVE-2025-24813)
🔻 Remote Code Execution – Kubernetes (CVE-2025-1974)
March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application. I’m posting the translated video with a big delay, but it’s better than never. 😉
📹 Video on YouTube and LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website
Content:
🔻 00:00 Greetings
🔻 00:31 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2025-21418)
🔻 01:12 Elevation of Privilege – Windows Storage (CVE-2025-21391)
🔻 01:53 Authentication Bypass – PAN-OS (CVE-2025-0108)
🔻 03:09 Remote Code Execution – CommuniGate Pro (BDU:2025-01331)
🔻 04:27 The VM riddle: who should patch hosts with a deployed application?
🔻 07:11 About the digest of trending vulnerabilities
About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability. cldflt.sys is a Windows Cloud Files Mini Filter driver responsible for representing cloud-stored files and folders as if they were located on the local machine. The vulnerability in this driver, fixed as part of the June 2024 Microsoft Patch Tuesday, allows an attacker to gain SYSTEM privileges. The root cause of the vulnerability is a Heap-based Buffer Overflow (CWE-122).
🔻 A private exploit was presented at the TyphoonPWN 2024 competition on May 30, 2024. It was used as part of an exploit chain to achieve a VMware Workstation Guest-to-Host escape.
🔻 On December 19, 2024, a technical write-up and exploit code were published on the SSD Secure Disclosure website.
🔻 On March 3, a blog post by Positive Technologies was published that examines the roots of the vulnerability and exploitation techniques.
New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists. Now with a new design and new video editing. 😉
📹 Video on YouTube and LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website
Content:
🔻 00:00 Greetings
🔻 00:23 Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)
🔻 01:35 Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468)
🔻 02:38 Remote Code Execution – Windows OLE (CVE-2025-21298)
🔻 03:55 Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
🔻 05:02 Authentication Bypass – FortiOS/FortiProxy (CVE-2024-55591)
🔻 06:16 Remote Code Execution – 7-Zip (CVE-2025-0411)
🔻 07:27 Should a VM specialist be aware of what is happening in the Darknet?
🔻 08:48 About the digest of trending vulnerabilities
Should a VM specialist be aware of what is happening in the Darknet? Of course. At least roughly. Otherwise, he’ll fall for the “nobody’s attacking us” myth. 😏
The reality is that every organization is under attack all the time. It’s like commercial fishing with trawlers. Anything that gets caught in the nets will be classified, priced, and put up for sale. 🐟 In today’s world of cybercrime, access to an organization’s infrastructure is a commodity. 🏪 The same is true for vulnerabilities, exploits, and ready-made malware.
Attacker groups have specialized:
🔻 some research vulnerabilities and write exploits
🔻 others embed them in malware
🔻 still others implement bypass of the InfoSec systems
🔻 the fourth get primary access
🔻 fifth people monetize this access 💰
🔻 sixth support the operation of trading platforms
And whether these guys can break your organization depends on you, VM specialist!
🟥 PT has published a large study on this topic. 👍
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.