Tag Archives: Windows

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability. A vulnerability from the June Microsoft Patch Tuesday allows an attacker to execute a malicious script, forcing the victim’s host to connect to the attacker’s SMB server and authenticate, resulting in gaining SYSTEM privileges.

🔹 Details on how to exploit the vulnerability were published on June 11 (the day after MSPT) on the websites of RedTeam Pentesting and Synacktiv companies.

🔹 Exploits for the vulnerability have been available on GitHub since June 15.

🔹 The PT ESC research team confirmed the exploitability of the vulnerability and, on June 24, published an explainer, exploitation methods, and information on detection techniques.

Install the update and enforce SMB signing on domain controllers and workstations.

No in-the-wild exploitation has been reported yet.

На русском

June Microsoft Patch Tuesday

Leave a reply

June Microsoft Patch Tuesday. A total of 81 vulnerabilities, roughly the same as in May. Among them, 15 vulnerabilities were added between the May and June MSPT. There are 3 vulnerabilities with signs of exploitation in the wild:

🔻 RCE – WEBDAV/Internet Shortcut Files (CVE-2025-33053). For successful exploitation, the victim must click on a malicious .url file.
🔻 SFB – Chromium (CVE-2025-4664)
🔻 Memory Corruption – Chromium (CVE-2025-5419)

There’s a PoC for one of the vulnerabilities on GitHub, but I doubt it actually works:

🔸 EoP – Microsoft Edge (CVE-2025-47181)

Other notable ones include:

🔹 RCE – Microsoft Office (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953), KPSSVC (CVE-2025-33071), SharePoint (CVE-2025-47172), Outlook (CVE-2025-47171)
🔹 EoP – SMB Client (CVE-2025-33073), CLFS (CVE-2025-32713), Netlogon (CVE-2025-33070)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

Leave a reply

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities. When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode.

The impact of exploiting these vulnerabilities is identical: an attacker can gain SYSTEM privileges. Their CVSS vectors are also the same (Base Score: 7.8).

What’s the difference? Bug type: for CVE-2025-32701 it’s CWE-416: Use After Free, while for CVE-2025-32706 it’s CWE-20: Improper Input Validation. CVE-2025-32701 credits MSTIC, while CVE-2025-32706 credits Google TIG and CrowdStrike ART.

No public exploits or exploitation details yet. 🤷‍♂️ But these vulns are likely being used in ransomware attacks, just like the EoP in CLFS (CVE-2025-29824) from April MSPT. 😉

На русском

About Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400) vulnerability

Leave a reply

About Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400) vulnerability. The vulnerability, patched as part of May Microsoft Patch Tuesday, affects the Desktop Window Manager component. This is a compositing window manager that has been part of Windows since Windows Vista. Successful exploitation could grant an attacker SYSTEM-level privileges. At the time the vulnerability was disclosed, there were signs of in-the-wild exploitation. No details about the attacks are available yet.

According to the Acknowledgements, exploitation was discovered by the Microsoft Threat Intelligence Center, which rarely shares details. 🤷‍♂️ We’ll have to wait for reports from other researchers or a public exploit. There is currently one GitHub repository with a PoC, but its functionality is highly questionable. 🤔

The previous actively exploited EoP vulnerability in the DWM Core Library (CVE-2024-30051) was patched in May last year.

На русском

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

Leave a reply

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 4 trending vulnerabilities:

🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824)
🔻 Elevation of Privilege – Windows Process Activation (CVE-2025-21204)
🔻 Spoofing – Windows NTLM (CVE-2025-24054)
🔻 Remote Code Execution – Erlang/OTP (CVE-2025-32433)

На русском

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability

Leave a reply

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability. It’s about the fact that files unpacked using 7-Zip don’t get the Mark-of-the-Web. As a result, Windows security mechanisms don’t block the execution of the unpacked malware. If you remember, there was a similar vulnerability in January – CVE-2025-0411. The problem was with running files from the 7-Zip UI, and a fix has been released. But in this case, the problem is with fully unpacked archives — and the developers aren’t planning to fix it! 🤷‍♂️

Igor Pavlov, the author of the utility, responded to our colleague Konstantin Dymov that not assigning the Mark-of-the-Web by default is intentional behavior. They don’t plan to change the default settings. To have the Mark-of-the-Web applied, you need to set “” to “”.

If 7-Zip is used in your organization, be aware of this insecure default behavior. Apply hardening measures or switch to a different tool.

На русском

May Microsoft Patch Tuesday

Leave a reply

May Microsoft Patch Tuesday. A total of 93 vulnerabilities – about 1.5 times fewer than in April. Of these, 22 were added between the April and May MSPT. There are 5 vulnerabilities show signs of in-the-wild exploitation:

🔻 EoP – Microsoft DWM Core Library (CVE-2025-30400)
🔻 EoP – Windows CLFS Driver (CVE-2025-32701, CVE-2025-32706)
🔻 EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-32709)
🔻 Memory Corruption – Scripting Engine (CVE-2025-30397). RCE when clicking a malicious link. Exploitation requires the “Allow sites to be reloaded in Internet Explorer” option.

There are currently no vulnerabilities with public exploits.

Notable among the rest:

🔹 RCE – Remote Desktop Client (CVE-2025-29966, CVE-2025-29967), Office (CVE-2025-30377, CVE-2025-30386), Graphics Component (CVE-2025-30388), Visual Studio (CVE-2025-32702)
🔹 EoP – Kernel Streaming (CVE-2025-24063), CLFS Driver (CVE-2025-30385)

🗒 Full Vulristics report

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Windows

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability

June Microsoft Patch Tuesday

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities

About Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400) vulnerability

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability

May Microsoft Patch Tuesday