Tag Archives: sudo

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo. A traditional monthly roundup. This time, once again, no Microsoft vulnerabilities. 😲

🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)

Only three identifiers in total:

🔻 Remote Code Execution – Cisco ASA/FTD (CVE-2025-20333, CVE-2025-20362). This vulnerability chain has been exploited in attacks since May 2025, but there are no public exploits yet.
🔻 Elevation of Privilege – Sudo (CVE-2025-32463). There are signs of in-the-wild exploitation and many public exploits are available.

На русском

About Elevation of Privilege – Sudo (CVE-2025-32463) vulnerability

Leave a reply

About Elevation of Privilege – Sudo (CVE-2025-32463) vulnerability. Sudo is a utility in Unix-like operating systems that allows a user to run a program with the privileges of another user, by default the superuser (root).

🔻 The vulnerability allows a local attacker to escalate privileges by forcing sudo to load an arbitrary dynamic library when using a root directory specified via the -R (–chroot) option. An attacker can execute arbitrary commands as root on systems that support (Name Service Switch configuration file).

⚙️ The vulnerability was fixed in sudo 1.9.17p1, released on June 30, 2025.

🛠 On the same day, a write-up by researcher Rich Mirch was published with a PoC exploit.

🐧 I noted Linux vendors’ remediation of this vulnerability in July Linux Patch Wednesday. Multiple public exploits for the vulnerability were available.

👾 On September 29, the vulnerability was added to CISA KEV.

На русском

July Linux Patch Wednesday

1 Reply

July Linux Patch Wednesday. This time, there are 470 vulnerabilities, slightly fewer than in June. Of these, 291 are in the Linux Kernel. One vulnerability shows signs of being exploited in the wild (CISA KEV):

🔻 SFB – Chromium (CVE-2025-6554)

There are also 36 (❗️) vulnerabilities for which public exploits are available or suspected to exist. Notable among them:

🔸 RCE – Redis (CVE-2025-32023), pgAdmin (CVE-2024-3116), Git (CVE-2025-48384)
🔸 EoP – Sudo (CVE-2025-32462, CVE-2025-32463)
🔸 PathTrav – Tar (CVE-2025-45582)
🔸 XSS – jQuery (CVE-2012-6708)
🔸 SFB – PHP (CVE-2025-1220)
🔸 DoS – LuaJIT (CVE-2024-25177), Linux Kernel (CVE-2025-38089)
🔸 MemCor – DjVuLibre (CVE-2025-53367)

🗒 Full Vulristics report

На русском

Last Week’s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers

Leave a reply

Last Week’s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers. Hello everyone! Last Week’s Security News, August 1 – August 8.

Black Hat Pwnie Awards

Last week was more quiet than normal with Black Hat USA and DEF CON security conferences. I would like to start with the Pwnie Awards, which are held annually at Black Hat. It’s like an Oscar or Tony in the information security world. Pwnie Awards recognizes both excellence and incompetence. And, in general, is a very respectable, adequate and fun event.

There were 10 nominations. I will note a few.

Firstly 2 nominations, which were received by the guys from Qualys.
Best Privilege Escalation Bug: Baron Samedit, a 10-year-old exploit in sudo.
Most Under-Hyped Research: 21Nails, 21 vulnerabilities in Exim, the Internet’s most popular mail server.
Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.
Most Epic Fail: Microsoft, for their failure to fix PrintNightmare.
Best Song: The Ransomware Song by Forrest Brazeal

Continue reading →

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Leave a reply

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs. Hello everyone! In this episode I would like to share an update for my Vulristics project.

For those who don’t know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with much less data sources. It mainly depends on the type of vulnerability, the prevalence of vulnerable software, public exploits and exploitation in the wild.

I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.

Elevation of Privilege - Windows Win32k MS site

But it’s time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scirpts that were closely related to the Microsoft datasource and added new features to get the type of vulnerability and name of the software from the CVE description.

Elevation of Privilege - Sudo (CVE-2021-3156) - High [595]

Continue reading →

Making Expect scripts for SSH Authentication and Privilege Elevation

2 Replies

Making Expect scripts for SSH Authentication and Privilege Elevation. Expect can help you to automate interactive console applications. For example, expect script can go to some Linux host via SSH with password authentication, make additional authentication procedures (su, sudo) to elevate privileges and execute some commands. Like Vulnerability and Compliance management products do during the active Linux scanning, right? 🙂 For example you can get the list of installed packages and make Vulnerability Assessment without Vulnerability Scanner.

Expect SSH exec

Actually, the tool is pretty old. It was presented more than 20 years ago! And perhaps now it makes more sense to use python scripts, for example paramiko with paramiko-expect. Or even use some software provisioning tool, like Ansible. But my fun was in creating (generating?) a small old-school scripts that could be sent to any remote host (with expect installed) to gather information from the accessible hosts.

Continue reading →

Qualys authenticated scanning

3 Replies

Qualys authenticated scanning. Let’s see how authenticated scanning works in Qualys. Nessus stores scanning credentials in related Scan Policy (see “Tenable Nessus: registration, installation, scanning and reporting“). Iit’s not always convenient. In Qualys you can set up a scanning record and configure for which hosts it will be used.

I downloaded Qualys Virtual Scanning Appliance VirtualBox image and configured it as it was described in “Using Qualys Virtual Scanner Appliance“. The only difference: I configured second network device as VirtualBox “Host Only Adapter” to scan virtual machines on my host. You can see how to configure VirtualBox “Host Only Adapter” in my post here.

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: sudo

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo

About Elevation of Privilege – Sudo (CVE-2025-32463) vulnerability

July Linux Patch Wednesday

Last Week’s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers

Black Hat Pwnie Awards

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Making Expect scripts for SSH Authentication and Privilege Elevation

Qualys authenticated scanning