Tag Archives: TyphoonPWN

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text.

Post on Habr (rus)
Digest on the PT website (rus)

A total of 11 trending vulnerabilities:

Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085)
Spoofing – Windows File Explorer (CVE-2025-24071)
Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983)
Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
Remote Code Execution – Apache Tomcat (CVE-2025-24813)
Remote Code Execution – Kubernetes (CVE-2025-1974)

На русском

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability

Leave a reply

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability. cldflt.sys is a Windows Cloud Files Mini Filter driver responsible for representing cloud-stored files and folders as if they were located on the local machine. The vulnerability in this driver, fixed as part of the June 2024 Microsoft Patch Tuesday, allows an attacker to gain SYSTEM privileges. The root cause of the vulnerability is a Heap-based Buffer Overflow (CWE-122).

A private exploit was presented at the TyphoonPWN 2024 competition on May 30, 2024. It was used as part of an exploit chain to achieve a VMware Workstation Guest-to-Host escape.

On December 19, 2024, a technical write-up and exploit code were published on the SSD Secure Disclosure website.

On March 3, a blog post by Positive Technologies was published that examines the roots of the vulnerability and exploitation techniques.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: TyphoonPWN

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat

About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2024-30085) vulnerability