Tag Archives: Windows

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. A total of 132 vulnerabilities, 20 fewer than in July. Of these, 25 were added between the July and August MSPT. Three are actively exploited, including two related to the trending SharePoint “ToolShell” flaw, exploited since July 17.

🔻 RCE – Microsoft SharePoint Server (CVE-2025-53770)
🔻 Spoofing – Microsoft SharePoint Server (CVE-2025-53771)

Another actively exploited vulnerability affects Chromium:

🔻SFB – Chromium (CVE-2025-6558)

Notable among the rest, without public exploits or exploitation signs, are:

🔹 RCE – SharePoint (CVE-2025-49712), GDI+ (CVE-2025-53766), Windows Graphics Component (CVE-2025-50165), DirectX Graphics Kernel (CVE-2025-50176), Microsoft Office (CVE-2025-53731, CVE-2025-53740), MSMQ (CVE-2025-53144, CVE-2025-53145, CVE-2025-50177)
🔹 EoP – Kerberos (CVE-2025-53779), NTLM (CVE-2025-53778)

🗒 Full Vulristics report

На русском

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint

Leave a reply

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint. A traditional monthly roundup – this time, it’s extremely short.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only two trending vulnerabilities:

🔻 Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770). The vulnerability is being widely exploited; attackers may even have gained access to U.S. nuclear secrets. The vulnerability is also relevant for Russia.
🔻 Elevation of Privilege – Windows Update Service (CVE-2025-48799). The vulnerability affects Windows 10/11 installations with at least two hard drives.

На русском

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability

1 Reply

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability. This vulnerability is from the July Microsoft Patch Tuesday. Improper link resolution before file access (‘link following’) in the Windows Update Service allows an authorized attacker to elevate privileges to “NT AUTHORITY\SYSTEM”.

🛠 An exploit for this vulnerability was published by researcher Filip Dragović (Wh04m1001) on July 8, the day of MSPT. In the exploit description, he states that the vulnerability affects Windows 10/11 systems with at least two hard drives. If the installation location for new apps is changed to the secondary drive (using Storage Sense), then during the installation of a new app, the wuauserv service will arbitrarily delete folders without checking for symbolic links, leading to to LPE.

🎞 In the demonstration video, Filip Dragović runs the EXE file and gets an administrator console.

👾 No signs of exploitation in the wild yet.

На русском

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube

Leave a reply

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube. A traditional monthly roundup. This time, it’s a very short one. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

Only three trending vulnerabilities:

🔻 Remote Code Execution – Internet Shortcut Files (CVE-2025-33053)
🔻 Elevation of Privilege – Windows SMB Client (CVE-2025-33073)
🔻 Remote Code Execution – Roundcube (CVE-2025-49113)

На русском

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability

2 Replies

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability. A vulnerability from the June Microsoft Patch Tuesday. This vulnerability immediately showed signs of exploitation in the wild. This flaw allows a remote attacker to execute arbitrary code when a victim opens a specially crafted .url file, delivered, for example, through a phishing attack.

🔹 The vulnerability was reported by Check Point researchers. On June 10, the day of Microsoft’s June Patch Tuesday, they published technical details on their website. The vulnerability had been exploited by the APT group Stealth Falcon since at least March 2025. The exploitation led to the download and execution of malware (Horus Agent) from the attacker’s WebDAV server.

🔹 Exploits for this vulnerability have been available on GitHub since June 12.

На русском

July Microsoft Patch Tuesday

2 Replies

July Microsoft Patch Tuesday. A total of 152 vulnerabilities – twice as many as in June. Of these, 15 vulnerabilities were added between the June and July MSPT. One vulnerability is exploited in the wild:

🔻 Memory Corruption – Chromium (CVE-2025-6554)

One vulnerability has an exploit available on GitHub:

🔸 EoP – Windows Update Service (CVE-2025-48799). This vulnerability may be exploited on Windows 11/10 hosts with two or more hard drives.

Notable among the rest:

🔹 RCE – CDPService (CVE-2025-49724), KDC Proxy Service (CVE-2025-49735), SharePoint (CVE-2025-49704, CVE-2025-49701), Hyper-V DDA (CVE-2025-48822), MS Office (CVE-2025-49695), NEGOEX (CVE-2025-47981), MS SQL Server (CVE-2025-49717)
🔹 InfDisc – MS SQL Server (CVE-2025-49719)
🔹 EoP – MS VHD (CVE-2025-49689), TCP/IP Driver (CVE-2025-49686), Win32k (CVE-2025-49727, CVE-2025-49733, CVE-2025-49667), Graphics Component (CVE-2025-49732, CVE-2025-49744)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability

Leave a reply

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability. A vulnerability from the June Microsoft Patch Tuesday allows an attacker to execute a malicious script, forcing the victim’s host to connect to the attacker’s SMB server and authenticate, resulting in gaining SYSTEM privileges.

🔹 Details on how to exploit the vulnerability were published on June 11 (the day after MSPT) on the websites of RedTeam Pentesting and Synacktiv companies.

🔹 Exploits for the vulnerability have been available on GitHub since June 15.

🔹 The PT ESC research team confirmed the exploitability of the vulnerability and, on June 24, published an explainer, exploitation methods, and information on detection techniques.

Install the update and enforce SMB signing on domain controllers and workstations.

No in-the-wild exploitation has been reported yet.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Windows

August Microsoft Patch Tuesday

August “In the Trend of VM” (#18): vulnerabilities in Microsoft Windows and SharePoint

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability

July Microsoft Patch Tuesday

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability