February “In the Trend of VM” (#24): vulnerabilities in Microsoft products. A traditional monthly roundup of trending vulnerabilities. This time, compact and all-Microsoft.
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
In total, two vulnerabilities:
🔻 RCE – Microsoft Office (CVE-2026-21509)
🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)
February Microsoft Patch Tuesday. A total of 55 vulnerabilities, half as many as in January. There are as many as six (❗️) vulnerabilities being exploited in the wild:
🔻 SFB – Windows Shell (CVE-2026-21510)
🔻 SFB/RCE – Microsoft Word (CVE-2026-21514)
🔻 SFB – MSHTML Framework (CVE-2026-21513)
🔻 EoP – Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP – Desktop Window Manager (CVE-2026-21519)
🔻 DoS – Windows Remote Access Connection Manager (CVE-2026-21525)
There is also one vulnerability with a public exploit:
🔸 DoS – libjpeg (CVE-2023-2804)
Among the remaining vulnerabilities, the following stand out:
🔹 RCE – Windows Notepad (CVE-2026-20841)
🔹 Spoofing – Outlook (CVE-2026-21511)
🔹 EoP – Windows Kernel (CVE-2026-21231, CVE-2026-21239, CVE-2026-21245), Windows AFD.sys (CVE-2026-21236, CVE-2026-21238, CVE-2026-21241)
January “In the Trend of VM” (#23): vulnerabilities in Windows, React and MongoDB. Traditional monthly roundup of trending vulnerabilities. Launching the 2026 season. 🙂
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
In total, three vulnerabilities:
🔻 EoP – Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
🔻 RCE – React Server Components “React2Shell” (CVE-2025-55182)
🔻 InfDisc – MongoDB “MongoBleed” (CVE-2025-14847)
About Information Disclosure – Desktop Window Manager (CVE-2026-20805) vulnerability. Desktop Window Manager is a compositing window manager that has been part of Windows since Windows Vista. Exploitation of the vulnerability, which was addressed in the January Microsoft Patch Tuesday, allows a local attacker to disclose the “section address from a remote ALPC port which is user-mode memory”.
👾 Microsoft noted that this vulnerability is being exploited in attacks. The vulnerability was added to CISA’s KEV catalog on January 13. There are no public details about the attacks yet, but Rapid7 experts suggest that the disclosed memory address can be used to bypass ASLR, “increasing the chance of developing a stable elevation of privilege exploit for DWM”.
🛠 Public exploit PoCs have been available on GitHub since January 14.
About Elevation of Privilege – Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability. cldflt.sys is the Windows Cloud Files Mini Filter driver whose purpose is to present files and folders stored in the cloud as if they were located on the local computer. A vulnerability in this driver, fixed as part of Microsoft’s December Patch Tuesday, allows a local attacker to obtain SYSTEM privileges. The root cause of the vulnerability is a Use After Free issue (CWE-416).
⚙️ The vulnerability was discovered by Microsoft researchers (from MSTIC and MSRC). Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.
👾 The vulnerability has been exploited in the wild and added to the CISA KEV catalog. No attack details are available yet.
🛠 Since December 10, alleged exploit repositories briefly appeared on GitHub and were later removed; exploit sale offers have also been observed (possibly fraudulent).
January Microsoft Patch Tuesday. A total of 114 vulnerabilities, twice as many as in December. There is one vulnerability with evidence of in-the-wild exploitation:
🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)
There are also two vulnerabilities with public exploits:
🔸 RCE – Windows Deployment Services (CVE-2026-0386)
🔸 EoP – Windows Agere Soft Modem Driver (CVE-2023-31096)
Other notable vulnerabilities include:
🔹 RCE – Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP – Desktop Windows Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB – Secure Boot Certificate Expiration (CVE-2026-21265)
Also noteworthy, reported by Positive Technologies:
🟥 EoP – Windows Telephony Service (CVE-2026-20931)
December “In the Trend of VM” (#22): vulnerabilities in Windows, the expr-eval library, Control Web Panel, and Django. A traditional monthly roundup of trending vulnerabilities – this time, a fairly compact one. 💽
🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)
Four vulnerabilities in total:
🔻 EoP – Windows Kernel (CVE-2025-62215)
🔻 RCE – expr-eval (CVE-2025-12735)
🔻 RCE – Control Web Panel (CVE-2025-48703)
🔻 SQLi – Django (CVE-2025-64459)
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.