Tag Archives: SharePoint

August Microsoft Patch Tuesday

1 Reply

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. A total of 132 vulnerabilities, 20 fewer than in July. Of these, 25 were added between the July and August MSPT. Three are actively exploited, including two related to the trending SharePoint "ToolShell" flaw, exploited since July 17.

🔻 RCE - Microsoft SharePoint Server (CVE-2025-53770)
🔻 Spoofing - Microsoft SharePoint Server (CVE-2025-53771)

Another actively exploited vulnerability affects Chromium:

🔻SFB - Chromium (CVE-2025-6558)

Notable among the rest, without public exploits or exploitation signs, are:

🔹 RCE - SharePoint (CVE-2025-49712), GDI+ (CVE-2025-53766), Windows Graphics Component (CVE-2025-50165), DirectX Graphics Kernel (CVE-2025-50176), Microsoft Office (CVE-2025-53731, CVE-2025-53740), MSMQ (CVE-2025-53144, CVE-2025-53145, CVE-2025-50177)
🔹 EoP - Kerberos (CVE-2025-53779), NTLM (CVE-2025-53778)

🗒 Full Vulristics report

На русском

August "In the Trend of VM" (#18): vulnerabilities in Microsoft Windows and SharePoint

1 Reply

August In the Trend of VM (#18): vulnerabilities in Microsoft Windows and SharePoint

August "In the Trend of VM" (#18): vulnerabilities in Microsoft Windows and SharePoint. A traditional monthly roundup - this time, it's extremely short.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only two trending vulnerabilities:

🔻 Remote Code Execution - Microsoft SharePoint Server "ToolShell" (CVE-2025-53770). The vulnerability is being widely exploited; attackers may even have gained access to U.S. nuclear secrets. The vulnerability is also relevant for Russia.
🔻 Elevation of Privilege - Windows Update Service (CVE-2025-48799). The vulnerability affects Windows 10/11 installations with at least two hard drives.

На русском

About Remote Code Execution - Microsoft SharePoint Server "ToolShell" (CVE-2025-53770) vulnerability

1 Reply

About Remote Code Execution - Microsoft SharePoint Server ToolShell (CVE-2025-53770) vulnerability

About Remote Code Execution - Microsoft SharePoint Server "ToolShell" (CVE-2025-53770) vulnerability. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. A flaw in the deserialization mechanism of an on-premises SharePoint Server instance allows remote unauthenticated attackers to execute arbitrary code.

👾 On July 18, Eye Security researchers reported mass exploitation of this vulnerability in conjunction with the spoofing vulnerability CVE-2025-53771. CVE-2025-53770 and CVE-2025-53771 are evolutions of the vulnerabilities CVE-2025-49704 and CVE-2025-49706 from the July MSPT.

🔻 On July 19, Microsoft released updates for SharePoint Server 2016, 2019, and Subscription Edition. They also recommended integrating with the Antimalware Scan Interface.

🔨 Public exploits have been available on GitHub since July 21.

На русском

The severity of the Remote Code Execution - Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

Leave a reply

The severity of the Remote Code Execution - Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

The severity of the Remote Code Execution - Microsoft SharePoint (CVE-2024-38094) vulnerability has increased. It was fixed as part of the July Microsoft Patch Tuesday (July 9).

SharePoint is a popular platform for corporate portals. According to the Microsoft bulletin, аn authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.

On July 10, a repository with a PoC exploit for this vulnerability appeared on GitHub, as well as a video demonstrating how an attacker can launch processes on the attacked SharePoint server. A GitHub search by CVE number does not find a repository with the exploit, but a link is available in the The Hacker News article. Exploit also relates to the July SharePoint RCEs CVE-2024-38023 and CVE-2024-38024.

On October 22, the vulnerability was added to the CISA KEV, which means it was exploited in the wild.

На русском

July Microsoft Patch Tuesday

4 Replies

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing - Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let's wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege - Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be interpreted that the guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege - various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often become exploitable.
🔸 Remote Code Execution - Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution - Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution - Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution - Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but "Site Owner" permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing - RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

На русском

May Microsoft Patch Tuesday

1 Reply

May Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch Tuesday

May Microsoft Patch Tuesday. There are 91 vulnerabilities in total. Of those, 29 were added between April and May Patch Tuesday.

Two vulnerabilities have signs of exploitation in the wild and the presence of a functional exploit (not yet public):

🔻 Security Feature Bypass - Windows MSHTML Platform (CVE-2024-30040). In fact, an attacker can execute arbitrary code when the victim opens a specially crafted document. It is exploited through phishing.
🔻 Elevation of Privilege - Windows DWM Core Library (CVE-2024-30051). A local attacker can gain SYSTEM privileges on the vulnerable host. Microsoft credits four different groups for reporting the bug, indicating that the vulnerability is being widely exploited. The vulnerability is associated with the QakBot malware.

Among the rest we can note:

🔸 Security Feature Bypass - Windows Mark of the Web (CVE-2024-30050). Such vulnerabilities have been frequently exploited recently. Microsoft indicates that there is a functional exploit (private) for the vulnerability.
🔸 Remote Code Execution - Microsoft SharePoint Server (CVE-2024-30044). An authenticated attacker with Site Owner privileges or higher can execute arbitrary code in the context of SharePoint Server by uploading a specially crafted file.
🔸 Elevation of Privilege - Windows Search Service (CVE-2024-30033). ZDI believes that the vulnerability has the potential to be exploited in the wild.
🔸 Remote Code Execution - Microsoft Excel (CVE-2024-30042). An attacker can execute code, presumably in the user's context, when a malicious file is opened.

🗒 Vulristics report

На русском

November 2023 - January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

1 Reply

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review. Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done.

Alternative video link (for Russia): https://vk.com/video-149273431_456239139

Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and some other interesting vulnerabilities that have been released or updated in the last 3 months. Finally, I’d like to end this episode with a reflection on how my 2023 went and what I’d like to do in 2024.

Continue reading