Tag Archives: Windows

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability. 7-Zip is a popular, free, open-source archiver widely used by organizations as a standard tool for managing archives.

The vulnerability is a bypass of the Mark-of-the-Web mechanism.

🔹 If you download and run a suspicious executable file on Windows, Microsoft Defender’s SmartScreen will block it from executing because it comes from an untrusted source.

🔹 However, if you download a 7z archive containing another 7z archive with malware, you can execute the file with just three double-clicks, and SmartScreen won’t trigger. 🤷‍♂️ This happens because 7-Zip versions prior to 24.09, released on November 30, 2024, failed to properly apply the Mark-of-the-Web label to extracted files. An exploit example is available on GitHub.

No signs of exploitation in the wild yet, but they are likely to emerge, as this is an easy way to increase the success rate of phishing attacks. Update 7-Zip!
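A defender-side check for the behaviour described above, as an added example that is not part of the original post: it compares the Mark-of-the-Web of a downloaded archive with that of the files extracted from it, and optionally flags a 7-Zip binary older than 24.09. The parameter names are hypothetical; it assumes an NTFS volume and the standard convention that `ZoneId=3` in the `Zone.Identifier` stream means the Internet zone.

```powershell
# Added example (not from the original post): check whether Mark-of-the-Web
# survived extraction. All parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,  # the downloaded archive
    [Parameter(Mandatory)] [string] $ExtractDir,   # where its contents were extracted
    [string] $SevenZipExe                          # optional: full path to the 7-Zip binary
)

function Get-ZoneId {
    param([string] $Path)
    # MotW lives in the NTFS alternate data stream "Zone.Identifier".
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no stream, or no ZoneId entry
}

if ($SevenZipExe) {
    $vi = (Get-Item -LiteralPath $SevenZipExe).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
    # 24.09 is the fixed release named in the post.
    if ($installed -lt [version]::new(24, 9)) {
        Write-Warning "7-Zip $installed is older than 24.09 (CVE-2025-0411): update it."
    }
}

$archiveZone = Get-ZoneId $ArchivePath
if ($null -eq $archiveZone -or $archiveZone -lt 3) {
    Write-Output "Archive carries no Internet-zone mark (ZoneId >= 3); nothing to propagate."
    return
}

# Every extracted file should inherit the archive's zone.
$unmarked = Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | Where-Object {
    $zone = Get-ZoneId $_.FullName
    $null -eq $zone -or $zone -lt $archiveZone
}

if ($unmarked) {
    Write-Warning "$(@($unmarked).Count) extracted file(s) lost the Mark-of-the-Web:"
    $unmarked | Select-Object -ExpandProperty FullName
} else {
    Write-Output "All extracted files carry ZoneId >= $archiveZone."
}
```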

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (for a sense of scale, just over 40,000 were added to NVD in 2024).

All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian products did not reach the level of criticality required to classify them as trending.

For 55 of all trending vulnerabilities there are currently signs of exploitation in attacks, for 17 there are public exploits (but no signs of exploitation) and for the remaining 2 there is only a possibility of future exploitation.

Vulnerabilities were often added to the trending list before signs of exploitation in the wild appeared. For example, the remote code execution vulnerability in VMware vCenter (CVE-2024-38812) was added to the list of trending vulnerabilities on September 20, 3 days after the vendor’s security bulletin appeared. At that time there were no signs of exploitation in the wild and no public exploit for this vulnerability. Signs of exploitation appeared only 2 months later, on November 18.

Most of the vulnerabilities in the trending list are of the following types: Remote Code or Command Execution (24) and Elevation of Privilege (21).

4 vulnerabilities in Barracuda Email Security Gateway (CVE-2023-2868), MOVEit Transfer (CVE-2023-34362), PaperCut (CVE-2023-27350) and SugarCRM (CVE-2023-22952) were added in early January 2024. These vulnerabilities were massively exploited in the West in 2023, and attacks using these vulnerabilities could also tangentially affect those domestic Russian organizations where these products had not yet been taken out of service. The rest of the vulnerabilities became trending in 2024.

34 trending vulnerabilities affect Microsoft products (45%).

🔹 17 of them are Elevation of Privilege vulnerabilities in the Windows kernel and standard components.

🔹 1 Remote Code Execution vulnerability in Windows Remote Desktop Licensing Service (CVE-2024-38077).

2 trending Elevation of Privilege vulnerabilities affect Linux systems: one in nftables (CVE-2024-1086), and the second in needrestart (CVE-2024-48990).

Other groups of vulnerabilities

🔻 Phishing attacks: 19 (Windows components, Outlook, Exchange, Ghostscript, Roundcube)
🔻 Network security and entry points: 13 (Palo Alto, Fortinet, Juniper, Ivanti, Check Point, Zyxel)
🔻 Virtual infrastructure and backups: 7 (VMware, Veeam, Acronis)
🔻 Software development: 6 (GitLab, TeamCity, Jenkins, PHP, Fluent Bit, Apache Struts)
🔻 Collaboration tools: 3 (Atlassian Confluence, XWiki)
🔻 CMS WordPress plugins: 3 (LiteSpeed Cache, The Events Calendar, Hunk Companion)

🗒 Full Vulristics report

🟥 Article on the official website “Vulnerable software and hardware vs. security researchers” (rus)

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical. Just as I wrote that nothing had been heard about this vulnerability for a month since it was first published in Microsoft’s December Patch Tuesday, a public exploit for it appeared on January 15th. 🙂 It was developed by Alessandro Iandoli from HN Security. The source code and a video demonstrating the exploit are available on GitHub: a local attacker runs an exe file in PowerShell and, after a second, becomes “nt authority/system”. The researcher tested the exploit on Windows 11 23H2. He also promises to publish a blog post with a detailed analysis of the vulnerability.

What has become known about the Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) vulnerability from the December Microsoft Patch Tuesday a month later?

What has become known about the Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) vulnerability from the December Microsoft Patch Tuesday a month later? Almost nothing. 🙄 This is a vulnerability in a standard Windows component, available in all versions starting with Windows Server 2003 R2. Its description is typical for EoP in Windows: if successfully exploited, a local attacker can gain SYSTEM privileges. The cause of the vulnerability is a heap-based buffer overflow.

Microsoft has labeled the vulnerability as being exploited in the wild, but has not provided information on where the vulnerability was being exploited or how widespread the attacks were.

The vulnerability was reported by CrowdStrike’s Advanced Research Team. But neither they nor other researchers have provided technical details yet. 🤷‍♂️ And there are no exploits yet either.

So install the December Microsoft security updates and let’s wait for news! 😉

Update

January Microsoft Patch Tuesday

January Microsoft Patch Tuesday. 170 CVEs, 10 of which were added since the December MSPT. 3 are exploited in the wild:

🔻 EoP – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335). No details yet.

No vulnerabilities have public exploits. 5 have private ones:

🔸 Security Feature Bypass – Microsoft Update Catalog (CVE-2024-49147), MapUrlToZone (CVE-2025-21268, CVE-2025-21189)
🔸 EoP – Windows Installer (CVE-2025-21287)
🔸 Auth. Bypass – Azure (CVE-2025-21380)

Notable among the rest:

🔹 RCE – Windows OLE (CVE-2025-21298), Windows RMCAST (CVE-2025-21307), Microsoft Office (CVE-2025-21365), Windows Remote Desktop Services (CVE-2025-21297, CVE-2025-21309), NEGOEX (CVE-2025-21295)
🔹 EoP – Windows NTLM V1 (CVE-2025-21311), Windows Search Service (CVE-2025-21292), Windows App Package Installer (CVE-2025-21275)
🔹 Spoofing – Windows Themes (CVE-2025-21308)

🗒 Full Vulristics report

About Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144) vulnerability

About Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144) vulnerability. The vulnerability is from the August Microsoft Patch Tuesday. It wasn’t highlighted in reviews; all we knew was that a local attacker could gain SYSTEM privileges.

Three and a half months later, on November 27, SSD Secure Disclosure released a write-up with exploit code. This vulnerability was exploited at TyphoonPWN 2024, earning the researcher a $70,000 prize.

SSD stated in their write-up that communications with Microsoft were problematic and noted that “at the time of trying this on the latest version of Windows 11, the vulnerability still worked”. It’s unclear whether this “time of trying” was before the August MSPT or just before the write-up was released in November. If the latter, the vulnerability might still be a 0day. 🤔🤷‍♂️

No reports of this vulnerability being exploited in attacks yet.

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112). The vulnerability is from the December Microsoft Patch Tuesday. Three weeks later, on January 1, researchers from SafeBreach released a write-up on this vulnerability, labeled as LDAPNightmare, and an exploit PoC.

The exploit causes a forced reboot of Windows servers. One prerequisite: the victim domain controller’s DNS server must have Internet connectivity.

The attack flow starts with a DCE/RPC request sent to the victim server. LSASS (Local Security Authority Subsystem Service) then crashes and forces a reboot when the attacker sends a specially crafted CLDAP (Connectionless Lightweight Directory Access Protocol) referral response packet.

But this is all about DoS, so why RCE? 🤔 Researchers note that RCE can be achieved by modifying the CLDAP packet.
