Tag Archives: Windows

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. A total of 103 vulnerabilities, 29 fewer than in August. Of these, 25 vulnerabilities were added between the August and September MSPT. So far, no vulnerabilities are known to be exploited in the wild. Two have public PoC exploits:

🔸 DoS – Newtonsoft.Json (CVE-2024-21907)
🔸 EoP – Azure Networking (CVE-2025-54914)

Notable among the other vulnerabilities without public exploits:

🔹 RCE – Microsoft Office (CVE-2025-54910), Windows Graphics Component (CVE-2025-55228), NTFS (CVE-2025-54916), SharePoint (CVE-2025-54897), Microsoft HPC Pack (CVE-2025-55232), Hyper-V (CVE-2025-55224), Graphics Kernel (CVE-2025-55226, CVE-2025-55236)
🔹 EoP – Windows NTLM (CVE-2025-54918), Windows Kernel (CVE-2025-54110), Windows SMB (CVE-2025-55234), Windows TCP/IP Driver (CVE-2025-54093), Hyper-V (CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115)

🗒 Full Vulristics report

На русском

August Microsoft Patch Tuesday

Leave a reply

August Microsoft Patch Tuesday. A total of 132 vulnerabilities, 20 fewer than in July. Of these, 25 were added between the July and August MSPT. Three are actively exploited, including two related to the trending SharePoint “ToolShell” flaw, exploited since July 17.

🔻 RCE – Microsoft SharePoint Server (CVE-2025-53770)
🔻 Spoofing – Microsoft SharePoint Server (CVE-2025-53771)

Another actively exploited vulnerability affects Chromium:

🔻SFB – Chromium (CVE-2025-6558)

Notable among the rest, without public exploits or exploitation signs, are:

🔹 RCE – SharePoint (CVE-2025-49712), GDI+ (CVE-2025-53766), Windows Graphics Component (CVE-2025-50165), DirectX Graphics Kernel (CVE-2025-50176), Microsoft Office (CVE-2025-53731, CVE-2025-53740), MSMQ (CVE-2025-53144, CVE-2025-53145, CVE-2025-50177)
🔹 EoP – Kerberos (CVE-2025-53779), NTLM (CVE-2025-53778)

🗒 Full Vulristics report

На русском

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint

Leave a reply

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint. A traditional monthly roundup – this time, it’s extremely short.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only two trending vulnerabilities:

🔻 Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770). The vulnerability is being widely exploited; attackers may even have gained access to U.S. nuclear secrets. The vulnerability is also relevant for Russia.
🔻 Elevation of Privilege – Windows Update Service (CVE-2025-48799). The vulnerability affects Windows 10/11 installations with at least two hard drives.

На русском

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability

Leave a reply

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability. This vulnerability is from the July Microsoft Patch Tuesday. Improper link resolution before file access (‘link following’) in the Windows Update Service allows an authorized attacker to elevate privileges to “NT AUTHORITY\SYSTEM”.

🛠 An exploit for this vulnerability was published by researcher Filip Dragović (Wh04m1001) on July 8, the day of MSPT. In the exploit description, he states that the vulnerability affects Windows 10/11 systems with at least two hard drives. If the installation location for new apps is changed to the secondary drive (using Storage Sense), then during the installation of a new app, the wuauserv service will arbitrarily delete folders without checking for symbolic links, leading to to LPE.

🎞 In the demonstration video, Filip Dragović runs the EXE file and gets an administrator console.

👾 No signs of exploitation in the wild yet.

На русском

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube

Leave a reply

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube. A traditional monthly roundup. This time, it’s a very short one. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only three trending vulnerabilities:

🔻 Remote Code Execution – Internet Shortcut Files (CVE-2025-33053)
🔻 Elevation of Privilege – Windows SMB Client (CVE-2025-33073)
🔻 Remote Code Execution – Roundcube (CVE-2025-49113)

На русском

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability

Leave a reply

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability. A vulnerability from the June Microsoft Patch Tuesday. This vulnerability immediately showed signs of exploitation in the wild. This flaw allows a remote attacker to execute arbitrary code when a victim opens a specially crafted .url file, delivered, for example, through a phishing attack.

🔹 The vulnerability was reported by Check Point researchers. On June 10, the day of Microsoft’s June Patch Tuesday, they published technical details on their website. The vulnerability had been exploited by the APT group Stealth Falcon since at least March 2025. The exploitation led to the download and execution of malware (Horus Agent) from the attacker’s WebDAV server.

🔹 Exploits for this vulnerability have been available on GitHub since June 12.

На русском

July Microsoft Patch Tuesday

Leave a reply

July Microsoft Patch Tuesday. A total of 152 vulnerabilities – twice as many as in June. Of these, 15 vulnerabilities were added between the June and July MSPT. One vulnerability is exploited in the wild:

🔻 Memory Corruption – Chromium (CVE-2025-6554)

One vulnerability has an exploit available on GitHub:

🔸 EoP – Windows Update Service (CVE-2025-48799). This vulnerability may be exploited on Windows 11/10 hosts with two or more hard drives.

Notable among the rest:

🔹 RCE – CDPService (CVE-2025-49724), KDC Proxy Service (CVE-2025-49735), SharePoint (CVE-2025-49704, CVE-2025-49701), Hyper-V DDA (CVE-2025-48822), MS Office (CVE-2025-49695), NEGOEX (CVE-2025-47981), MS SQL Server (CVE-2025-49717)
🔹 InfDisc – MS SQL Server (CVE-2025-49719)
🔹 EoP – MS VHD (CVE-2025-49689), TCP/IP Driver (CVE-2025-49686), Win32k (CVE-2025-49727, CVE-2025-49733, CVE-2025-49667), Graphics Component (CVE-2025-49732, CVE-2025-49744)

🗒 Full Vulristics report

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Windows

September Microsoft Patch Tuesday

August Microsoft Patch Tuesday

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability

July Microsoft Patch Tuesday