Tag Archives: vulnerability

About Remote Code Execution – Redis “RediShell” (CVE-2025-49844) vulnerability

About Remote Code Execution – Redis “RediShell” (CVE-2025-49844) vulnerability. Redis is a popular in-memory key–value database, used as a distributed cache and message broker, with optional durability. This vulnerability allows a remote authenticated attacker to execute arbitrary code via a specially crafted Lua script. The requirement for authentication does not reduce its severity, because authentication in Redis is disabled by default and is often not used. 🤷‍♂️

⚙️ The vulnerability was discovered by Wiz researchers and presented at Pwn2Own Berlin in May of this year; it was fixed on October 3 (version 8.2.2).

🛠 As of October 7, a public exploit for the vulnerability is available on GitHub.

👾 There are no reports of attacks so far.

🌐 As of October 7, 330,000 Redis instances were accessible on the Internet, of which 60,000 had no authentication.
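The post's two risk factors, an unpatched version and authentication left off, can both be read straight off a Redis server's plain TCP protocol. The following helper is an added example, not code from the original post or from the Redis project: it classifies the reply to an unauthenticated `PING` (`-NOAUTH` means a password or ACL is enforced, `-DENIED` means protected mode is refusing remote clients, `+PONG` means the instance is open) and compares the `redis_version:` line of `INFO server` against 8.2.2, the fixed version the post names. The single 8.2.2 threshold, the `probe()` helper and all sample replies are assumptions or constructed inputs; backported fixes for older branches, if any, have to be checked against the vendor advisory.

```python
"""Exposure triage for Redis instances (CVE-2025-49844 "RediShell").

Added example; not from the original post or the Redis project.
"""
import socket

# Fixed version named in the post. Assumption: a single threshold is enough;
# check the vendor advisory for backported fixes on older branches.
FIXED_VERSION = (8, 2, 2)


def parse_version(text):
    """'7.2.4' -> (7, 2, 4); non-numeric suffixes in a component are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_from_info(info_text):
    """Return the redis_version from INFO server output, or None if absent
    (for example when the server answered -NOAUTH instead of INFO data)."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def auth_state(ping_reply):
    """Classify the server's reply to an unauthenticated PING."""
    if ping_reply.startswith("-NOAUTH"):
        return "auth-required"      # requirepass / ACL enforced
    if ping_reply.startswith("-DENIED"):
        return "protected-mode"     # no password, but remote clients refused
    if ping_reply.startswith("+PONG"):
        return "open"               # no authentication at all
    return "unknown"


def assess(ping_reply, info_text):
    """Combine both signals into a patch priority for one instance."""
    version = version_from_info(info_text)
    state = auth_state(ping_reply)
    if version is None:
        priority = "unknown"        # version not readable without credentials
    elif version < FIXED_VERSION:
        priority = "urgent" if state == "open" else "patch"
    else:
        priority = "ok"
    return {"version": version, "auth": state, "priority": priority}


def _read_reply(sock, bufsize=4096):
    """Simplistic reader: stop at the first short read (fine for PING/INFO)."""
    chunks = []
    while True:
        data = sock.recv(bufsize)
        if not data:
            break
        chunks.append(data)
        if len(data) < bufsize:
            break
    return b"".join(chunks).decode("utf-8", "replace")


def probe(host, port=6379, timeout=3.0):
    """Live check of one of your own instances: PING, then INFO server.
    Hypothetical helper; only run against systems you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"PING\r\n")
        ping_reply = _read_reply(sock)
        sock.sendall(b"INFO server\r\n")
        info_text = _read_reply(sock)
    return assess(ping_reply, info_text)


# Constructed sample replies (not captured from any real server).
SAMPLE_PING_OPEN = "+PONG\r\n"
SAMPLE_PING_AUTH = "-NOAUTH Authentication required.\r\n"
SAMPLE_INFO_OLD = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_FIXED = "# Server\r\nredis_version:8.2.2\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    import sys
    print(assess(SAMPLE_PING_OPEN, SAMPLE_INFO_OLD))   # {'version': (7, 2, 4), 'auth': 'open', 'priority': 'urgent'}
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

An open instance below 8.2.2 is the combination the post's numbers describe and is reported as `urgent`; an instance that enforces a password still needs the patch, but `INFO` is not readable without credentials, so the version has to come from an authenticated session or the package inventory instead.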

In Russian

About Elevation of Privilege – Windows Agere Modem Driver (CVE-2025-24990) vulnerability

About Elevation of Privilege – Windows Agere Modem Driver (CVE-2025-24990) vulnerability. The vulnerability is from Microsoft’s October Patch Tuesday. Agere Modem Driver (ltmdm64.sys) is a software component that allows a computer to communicate with an Agere (or LSI) modem for dial‑up or fax connections. 📠🙄 Despite its questionable practical usefulness, the driver continued to be shipped with Windows. A local attacker who successfully exploits this vulnerability in the driver can obtain administrative privileges.

⚙️ The Microsoft cumulative update from October 14 removes this driver from the system.

🛠 On October 16, an exploit for the vulnerability was published on GitHub. The author reports that the driver has been shipped since Windows Vista. Microsoft had known about the issue since at least 2014 (11 years ❗️) but ignored it. 🤷‍♂️

👾 On October 22, this vulnerability was added to the CISA KEV; details about active attacks are not yet known.

In Russian

About Cross Site Scripting – Zimbra Collaboration (CVE-2025-27915) vulnerability

About Cross Site Scripting – Zimbra Collaboration (CVE-2025-27915) vulnerability. Zimbra Collaboration is a collaboration software suite, somewhat similar to Microsoft Exchange. Exploiting this vulnerability in the web mail client (Classic Web Client) allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim’s session. To do this, the attacker only needs to send an email with a specially crafted ICS file (iCalendar). The payload is triggered when the message is viewed in the web interface.

⚙️ The vulnerability was patched on January 27 in versions 9.0.0 Patch 44, 10.0.13, 10.1.5, as well as in the unofficial free Zimbra FOSS build from Maldua.

🛠 On September 30, StrikeReady Labs published a vulnerability analysis with a public exploit.

👾 StrikeReady Labs reported the vulnerability was exploited against Brazil’s military in January, before the patch was released. The vulnerability was added to CISA KEV on October 7.

In Russian

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability. WSUS is a legacy Windows Server component that allows IT administrators to manage the download and installation of Microsoft product updates on computers within a local network. Vulnerability summary: An unauthenticated remote attacker can execute code with SYSTEM privileges on a Windows server with the WSUS Server Role enabled (it is disabled by default) by sending specially crafted POST requests. This is possible due to a flaw in deserializing untrusted data.

⚙️ Initial patches were released on October 14 as part of Microsoft’s October Patch Tuesday.

🛠 A public exploit has been available on GitHub since October 18.

⚙️ On October 24, Microsoft released additional patches to fully address the vulnerability (server reboot is required).

👾 On October 24, the vulnerability was added to the CISA KEV, and there are reports of observed exploitation attempts.

In Russian

October Linux Patch Wednesday

October Linux Patch Wednesday. In October, Linux vendors began addressing 801 vulnerabilities, slightly more than in September. Of these, 546 are in the Linux Kernel. One is being exploited in the wild:

🔻 EoP – VMware Tools (CVE-2025-41244). This vulnerability has been exploited since October 2024, and public exploits are available. According to the description, exploitation requires VMware Aria Operations.

Public or suspected exploits exist for 39 more vulnerabilities, including:

🔸 RCE – Redis (CVE-2025-49844 – RediShell, CVE-2025-46817), OpenSSH (CVE-2025-61984), 7-Zip (CVE-2025-11001, CVE-2025-11002)
🔸 EoP – FreeIPA (CVE-2025-7493), Asterisk (CVE-2025-1131)
🔸 SQLi – MapServer (CVE-2025-59431)
🔸 SFB – authlib (CVE-2025-59420)
🔸 MemCor – Binutils (CVE-2025-11082 and 7 more), Open Babel (CVE-2025-10995 and 6 more)

🗒 Full Vulristics report

In Russian

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo

October “In the Trend of VM” (#20): vulnerabilities in Cisco ASA/FTD and sudo. A traditional monthly roundup. This time, once again, no Microsoft vulnerabilities. 😲

🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)

Only three identifiers in total:

🔻 Remote Code Execution – Cisco ASA/FTD (CVE-2025-20333, CVE-2025-20362). This vulnerability chain has been exploited in attacks since May 2025, but there are no public exploits yet.
🔻 Elevation of Privilege – Sudo (CVE-2025-32463). There are signs of in-the-wild exploitation and many public exploits are available.

In Russian

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. A total of 213 vulnerabilities – twice as many as in September. Of these, 41 vulnerabilities were added between the September and October MSPT. There are four vulnerabilities with evidence of exploitation in the wild:

🔻 SFB – IGEL OS (CVE-2025-47827) – public exploit available
🔻 EoP – Windows Agere Modem Driver (CVE-2025-24990)
🔻 EoP – Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 MemCor – Chromium (CVE-2025-10585)

Another vulnerability with a public PoC exploit:

🔸 RCE – Unity Runtime (CVE-2025-59489)

Among the remaining vulnerabilities with no public exploits or signs of exploitation in the wild, the following stand out:

🔹 RCE – WSUS (CVE-2025-59287), Microsoft Office (CVE-2025-59227, CVE-2025-59234)
🔹 EoP – Windows Agere Modem Driver (CVE-2025-24052), Windows Cloud Files Mini Filter Driver (CVE-2025-55680)

🗒 Full Vulristics Report

In Russian