Tag Archives: Windows

December Microsoft Patch Tuesday

December Microsoft Patch Tuesday. A total of 56 vulnerabilities were fixed – 9 fewer than in November. There is one vulnerability with confirmed in-the-wild exploitation:

🔻 EoP – Windows Cloud Files Mini Filter Driver (CVE-2025-62221)

There are currently no vulnerabilities with publicly available exploits. Among the remaining vulnerabilities, the following stand out:

🔹 RCE – Microsoft Office (CVE-2025-62554, CVE-2025-62557), Microsoft PowerShell (CVE-2025-54100), Microsoft Outlook (CVE-2025-62562), GitHub Copilot for JetBrains (CVE-2025-64671)
🔹 EoP – Windows Win32k (CVE-2025-62458), Windows Cloud Files Mini Filter Driver (CVE-2025-62454, CVE-2025-62457), Windows Common Log File System Driver (CVE-2025-62470), Windows Remote Access Connection Manager (CVE-2025-62472), Windows Storage (CVE-2025-59516)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Kernel (CVE-2025-62215) vulnerability

Leave a reply

About Elevation of Privilege – Windows Kernel (CVE-2025-62215) vulnerability. The vulnerability was addressed in the November Microsoft Patch Tuesday. Exploitation of this vulnerability allows a local attacker to gain SYSTEM privileges. The root cause of the vulnerability is a Race Condition (CWE-362) and a Double Free (CWE-415).

⚙️ Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.

👾 Microsoft reported active exploitation of the vulnerability in attacks on November 11 as part of MSPT, and the following day the vulnerability was added to the CISA KEV catalog. No details about the attacks have been disclosed so far.

🛠 Public exploits have been available on GitHub since November 18.

На русском

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux

Leave a reply

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux. The usual monthly roundup. After several months, here’s a big one. 🔥

🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)

A total of nine vulnerabilities:

🔻 RCE – Windows Server Update Services (WSUS) (CVE-2025-59287)
🔻 RCE – Microsoft SharePoint “ToolShell” (CVE-2025-49704)
🔻 RCE – Windows LNK File (CVE-2025-9491)
🔻 EoP – Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 EoP – Windows Agere Modem Driver (CVE-2025-24990)
🔻 RCE – Redis “RediShell” (CVE-2025-49844)
🔻 RCE – XWiki Platform (CVE-2025-24893)
🔻 XSS – Zimbra Collaboration (CVE-2025-27915)
🔻 EoP – Linux Kernel (CVE-2025-38001)

🟥 Trending Vulnerabilities Portal

На русском

November Microsoft Patch Tuesday

Leave a reply

November Microsoft Patch Tuesday. A total of 65 vulnerabilities. I’m not comparing this with the October report because I’ve decided to cover only MSPT-day vulnerabilities. The thing is, Microsoft has started massively adding Linux-product vulnerabilities to their official website, and these clutter the “extended” MSPT reports. 🤷‍♂️

There is one vulnerability with evidence of in-the-wild exploitation:

🔻 EoP – Windows Kernel (CVE-2025-62215)

No vulnerabilities have publicly available exploits yet. Notable ones include:

🔹 RCE – GDI+ (CVE-2025-60724), Microsoft Office (CVE-2025-62199), Microsoft Office (CVE-2025-62205, CVE-2025-62216), Agentic AI and Visual Studio Code (CVE-2025-62222), Visual Studio (CVE-2025-62214)
🔹 EoP – Windows Client-Side Caching (CVE-2025-60705), Windows Ancillary Function Driver for WinSock (CVE-2025-60719, CVE-2025-62213, CVE-2025-62217), Microsoft SQL Server (CVE-2025-59499)

🗒 Full Vulristics report

На русском

About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability

Leave a reply

About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability. A vulnerability in the Microsoft Windows shortcut (.LNK) handling mechanism allows malicious command-line arguments to be hidden in the Target field using whitespace characters, making them invisible to standard tools. Opening such an LNK file may lead to arbitrary code execution.

🔻 Peter Girnus, an expert at Trend Micro, notified Microsoft about the vulnerability on September 20, 2024, but they decided not to fix it. 🤷‍♂️ On August 26, 2025, this 0-day vulnerability (ZDI-CAN-25373) was assigned the identifier CVE-2025-9491.

👾 On March 18, 2025, Trend Micro reported that this vulnerability was exploited in APT attacks, and on October 30, Arctic Wolf Labs confirmed it was used to deploy PlugX malware against Hungarian and Belgian diplomatic missions.

🛠 The method for modifying .LNK files is described in the Trend Micro report.

На русском

About Elevation of Privilege – Windows Agere Modem Driver (CVE-2025-24990) vulnerability

1 Reply

About Elevation of Privilege – Windows Agere Modem Driver (CVE-2025-24990) vulnerability. The vulnerability is from Microsoft’s October Patch Tuesday. Agere Modem Driver (ltmdm64.sys) is a software component that allows a computer to communicate with an Agere (or LSI) modem for dial‑up or fax connections. 📠🙄 Despite its questionable practical usefulness, the driver continued to be shipped with Windows. A local attacker who successfully exploits this vulnerability in the driver can obtain administrative privileges.

⚙️ The Microsoft cumulative update from October 14 removes this driver from the system.

🛠 On October 16, an exploit for the vulnerability was published on GitHub. The author reports that the driver has been shipped since Windows Vista. Microsoft had known about the issue since at least 2014 (11 years ❗️) but ignored it. 🤷‍♂️

👾 On October 22, this vulnerability was added to the CISA KEV; details about active attacks are not yet known.

На русском

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability

1 Reply

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability. WSUS is a legacy Windows Server component that allows IT administrators to manage the download and installation of Microsoft product updates on computers within a local network. Vulnerability summary: An unauthenticated remote attacker can execute code with SYSTEM privileges on a Windows server with the WSUS Server Role enabled (it is disabled by default) by sending specially crafted POST requests. This is possible due to a flaw in deserializing untrusted data.

⚙️ Initial patches were released on October 14 as part of Microsoft’s October Patch Tuesday.

🛠 A public exploit has been available on GitHub since October 18.

⚙️ On October 24, Microsoft released additional patches to fully address the vulnerability (server reboot is required).

👾 On October 24, the vulnerability was added to the CISA KEV, and there are reports of observed exploitation attempts.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Windows

December Microsoft Patch Tuesday

About Elevation of Privilege – Windows Kernel (CVE-2025-62215) vulnerability

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux

November Microsoft Patch Tuesday

About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability

About Elevation of Privilege – Windows Agere Modem Driver (CVE-2025-24990) vulnerability

About Remote Code Execution – Windows Server Update Services (WSUS) (CVE-2025-59287) vulnerability