Tag Archives: Windows

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

Leave a reply

About Spoofing - Windows File Explorer (CVE-2025-24071) vulnerability

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just extracting a ZIP/RAR archive with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing. 😱

На русском

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. 77 CVEs, 20 of which were added during the month. 7 vulnerabilities with signs of exploitation in the wild:

🔻 RCE – Windows Fast FAT File System Driver (CVE-2025-24985)
🔻 RCE – Windows NTFS (CVE-2025-24993)
🔻 SFB – Microsoft Management Console (CVE-2025-26633)
🔻 EoP – Windows Win32 Kernel Subsystem (CVE-2025-24983)
🔻 InfDisc – Windows NTFS (CVE-2025-24991, CVE-2025-24984)
🔻 AuthBypass – Power Pages (CVE-2025-24989) – in Microsoft web service, can be ignored

There are no vulnerabilities with public exploits, there are 2 more with private ones:

🔸 RCE – Bing (CVE-2025-21355) – in Microsoft web service, can be ignored
🔸 SFB – Windows Kernel (CVE-2025-21247)

Among the others:

🔹 RCE – Windows Remote Desktop Client (CVE-2025-26645) and Services (CVE-2025-24035, CVE-2025-24045), MS Office (CVE-2025-26630), WSL2 (CVE-2025-24084)
🔹 EoP – Windows Win32 Kernel Subsystem (CVE-2025-24044)

🗒 Full Vulristics report

На русском

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists

Leave a reply

New episode “In the Trend of VM” (#12): 8 February CVEs & Why the Darknet Matters for VM Specialists. Now with a new design and new video editing. 😉

📹 Video on YouTube and LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:00 Greetings
🔻 00:23 Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)
🔻 01:35 Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468)
🔻 02:38 Remote Code Execution – Windows OLE (CVE-2025-21298)
🔻 03:55 Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
🔻 05:02 Authentication Bypass – FortiOS/FortiProxy (CVE-2024-55591)
🔻 06:16 Remote Code Execution – 7-Zip (CVE-2025-0411)
🔻 07:27 Should a VM specialist be aware of what is happening in the Darknet?
🔻 08:48 About the digest of trending vulnerabilities

На русском

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

Leave a reply

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”. 😉

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:00 Greetings
🔻 00:28 Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)
🔻 01:30 Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138)
🔻 02:37 Remote Code Execution – Apache Struts (CVE-2024-53677)
🔻 03:31 Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972)
🔻 04:44 Trending vulnerabilities for 2024

👾 08:10 Channel mascot 😅

На русском

February Microsoft Patch Tuesday

Leave a reply

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. 89 CVEs, 33 added since January. Two with signs of exploitation in the wild:

🔻 EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-21418)
🔻 EoP – Windows Storage (CVE-2025-21391)

There are no vulnerabilities with public exploits, but there are 7 with private ones:

🔸 RCE – Microsoft Edge (CVE-2025-21279, CVE-2025-21283)
🔸 Auth. Bypass – Azure (CVE-2025-21415)
🔸 EoP – Windows Setup Files Cleanup (CVE-2025-21419)
🔸 Spoofing – Windows NTLM (CVE-2025-21377)
🔸 Spoofing – Microsoft Edge (CVE-2025-21267, CVE-2025-21253)

Among the rest, the following can be highlighted:

🔹 RCE – Windows LDAP (CVE-2025-21376), Microsoft Excel (CVE-2025-21381, CVE-2025-21387), Microsoft SharePoint Server (CVE-2025-21400), DHCP Client Service (CVE-2025-21379)
🔹 EoP – Windows Core Messaging (CVE-2025-21184, CVE-2025-21358, CVE-2025-21414), Windows Installer (CVE-2025-21373)

🗒 Full Vulristics report

На русском

About Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability

Leave a reply

About Elevation of Privilege - Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability

About Elevation of Privilege – Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) vulnerability. These three vulnerabilities were disclosed as part of Microsoft’s January Patch Tuesday and share the same description. They were found in a component used for communications between the host OS and container-type virtual machines, such as Windows Sandbox and Microsoft Defender Application Guard (MDAG).

If the vulnerabilities are successfully exploited, an attacker can gain System privileges. Microsoft specifically notes that this is a local privilege escalation on the host system, not any type of guest to host escape.

👾 These vulnerabilities are being actively exploited in the wild, though no public exploits are currently available.

The only difference in the vulnerability descriptions is that CVE-2025-21333 is caused by Heap-based Buffer Overflow, while CVE-2025-21334 and CVE-2025-21335 are caused by Use After Free.

На русском

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability

Leave a reply

About Remote Code Execution - 7-Zip (CVE-2025-0411) vulnerability

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability. 7-Zip is a popular, free, open-source archiver widely used by organizations as a standard tool for managing archives.

The vulnerability is a bypass of the Mark-of-the-Web mechanism.

🔹 If you download and run a suspicious executable file on Windows, Microsoft Defender’s SmartScreen will block it from executing because it comes from an untrusted source.

🔹 However, if you download a 7z archive containing another 7z archive with malware, you can execute the file with just three double-clicks, and SmartScreen won’t trigger. 🤷‍♂️ This happens because 7-Zip versions prior to 24.09, released on November 30, 2024, failed to properly apply the Mark-of-the-Web label to extracted files. An exploit example is available on GitHub.

No signs of exploitation in the wild yet, but they are likely to emerge, as this is an easy way to increase the success rate of phishing attacks. Update 7-Zip!

На русском