November Microsoft Patch Tuesday. A total of 65 vulnerabilities. I'm not comparing this with the October report because I've decided to cover only MSPT-day vulnerabilities. The thing is, Microsoft has started massively adding Linux-product vulnerabilities to their official website, and these clutter the "extended" MSPT reports. 🤷♂️
There is one vulnerability with evidence of in-the-wild exploitation:
🔻 EoP - Windows Kernel (CVE-2025-62215)
No vulnerabilities have publicly available exploits yet. Notable ones include:
🔹 RCE - GDI+ (CVE-2025-60724), Microsoft Office (CVE-2025-62199), Microsoft Office (CVE-2025-62205, CVE-2025-62216), Agentic AI and Visual Studio Code (CVE-2025-62222), Visual Studio (CVE-2025-62214)
🔹 EoP - Windows Client-Side Caching (CVE-2025-60705), Windows Ancillary Function Driver for WinSock (CVE-2025-60719, CVE-2025-62213, CVE-2025-62217), Microsoft SQL Server (CVE-2025-59499)
🗒 Full Vulristics report
На русском
@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows #WinKernel
There is one vulnerability with evidence of in-the-wild exploitation:
🔻 EoP - Windows Kernel (CVE-2025-62215)
No vulnerabilities have publicly available exploits yet. Notable ones include:
🔹 RCE - GDI+ (CVE-2025-60724), Microsoft Office (CVE-2025-62199), Microsoft Office (CVE-2025-62205, CVE-2025-62216), Agentic AI and Visual Studio Code (CVE-2025-62222), Visual Studio (CVE-2025-62214)
🔹 EoP - Windows Client-Side Caching (CVE-2025-60705), Windows Ancillary Function Driver for WinSock (CVE-2025-60719, CVE-2025-62213, CVE-2025-62217), Microsoft SQL Server (CVE-2025-59499)
🗒 Full Vulristics report
На русском
@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows #WinKernel
November "In the Trend of VM" (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux. The usual monthly roundup. After several months, here's a big one. 🔥
🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)
A total of nine vulnerabilities:
🔻 RCE - Windows Server Update Services (WSUS) (CVE-2025-59287)
🔻 RCE - Microsoft SharePoint "ToolShell" (CVE-2025-49704)
🔻 RCE - Windows LNK File (CVE-2025-9491)
🔻 EoP - Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 EoP - Windows Agere Modem Driver (CVE-2025-24990)
🔻 RCE - Redis "RediShell" (CVE-2025-49844)
🔻 RCE - XWiki Platform (CVE-2025-24893)
🔻 XSS - Zimbra Collaboration (CVE-2025-27915)
🔻 EoP - Linux Kernel (CVE-2025-38001)
🟥 Trending Vulnerabilities Portal
На русском
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #WSUS #SharePoint #ToolShell #LNK #TrendMicro #ArcticWolf #PlugX #RasMan #Agere #ltmdm64 #Redis #Wiz #XWiki #Zimbra #Linux #LinuxKernel #HFSC
🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)
A total of nine vulnerabilities:
🔻 RCE - Windows Server Update Services (WSUS) (CVE-2025-59287)
🔻 RCE - Microsoft SharePoint "ToolShell" (CVE-2025-49704)
🔻 RCE - Windows LNK File (CVE-2025-9491)
🔻 EoP - Windows Remote Access Connection Manager (CVE-2025-59230)
🔻 EoP - Windows Agere Modem Driver (CVE-2025-24990)
🔻 RCE - Redis "RediShell" (CVE-2025-49844)
🔻 RCE - XWiki Platform (CVE-2025-24893)
🔻 XSS - Zimbra Collaboration (CVE-2025-27915)
🔻 EoP - Linux Kernel (CVE-2025-38001)
🟥 Trending Vulnerabilities Portal
На русском
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #WSUS #SharePoint #ToolShell #LNK #TrendMicro #ArcticWolf #PlugX #RasMan #Agere #ltmdm64 #Redis #Wiz #XWiki #Zimbra #Linux #LinuxKernel #HFSC
November Linux Patch Wednesday. In November, Linux vendors began fixing 516 vulnerabilities, one and a half times fewer than in October. Of these, 232 are in the Linux Kernel. One vulnerability is exploited in the wild:
🔻 MemCor - Chromium (CVE-2025-13223). Added to CISA KEV on November 19.
For 64 more vulnerabilities, public or suspected exploits exist. Notable ones:
🔸 RCE - Samba (CVE-2025-10230), Apache Tomcat (CVE-2025-55752), NVIDIA Container Toolkit (CVE-2024-0132, CVE-2025-23359), Lasso (CVE-2025-47151), QuickJS (CVE-2025-62494), Keras (CVE-2025-9905)
🔸 SQLi - Django (CVE-2025-64459)
🔸 InfDisc - Webmin (CVE-2024-44762), Squid (CVE-2025-62168), BIND (CVE-2025-31133), QuickJS (CVE-2025-62492, CVE-2025-62493)
🔸 SFB - BIND (CVE-2025-40778)
🔸 AuthBypass - Webmin (CVE-2025-61541)
🔸 MemCor - Suricata (CVE-2025-59150)
🗒 Full Vulristics report
На русском
@avleonovcom #LinuxPatchWednesday #Vulristics #Linux #Samba #ApacheTomcat #NVIDIACTK #Lasso #QuickJS #Keras #Django #Webmin #Squid #BIND #Suricata
🔻 MemCor - Chromium (CVE-2025-13223). Added to CISA KEV on November 19.
For 64 more vulnerabilities, public or suspected exploits exist. Notable ones:
🔸 RCE - Samba (CVE-2025-10230), Apache Tomcat (CVE-2025-55752), NVIDIA Container Toolkit (CVE-2024-0132, CVE-2025-23359), Lasso (CVE-2025-47151), QuickJS (CVE-2025-62494), Keras (CVE-2025-9905)
🔸 SQLi - Django (CVE-2025-64459)
🔸 InfDisc - Webmin (CVE-2024-44762), Squid (CVE-2025-62168), BIND (CVE-2025-31133), QuickJS (CVE-2025-62492, CVE-2025-62493)
🔸 SFB - BIND (CVE-2025-40778)
🔸 AuthBypass - Webmin (CVE-2025-61541)
🔸 MemCor - Suricata (CVE-2025-59150)
🗒 Full Vulristics report
На русском
@avleonovcom #LinuxPatchWednesday #Vulristics #Linux #Samba #ApacheTomcat #NVIDIACTK #Lasso #QuickJS #Keras #Django #Webmin #Squid #BIND #Suricata
About SQL Injection - Django (CVE-2025-64459) vulnerability. Django is a free and open-source high-level Python web framework. The vulnerability allows attackers to manipulate database query logic by injecting internal query parameters (_connector and _negated) when applications pass user-controlled input directly into filter(), exclude(), or get() calls. Exploiting this SQL injection may lead to unauthorized access to data, authentication bypass, or privilege escalation.
⚙️ The vulnerability was patched in Django versions 5.2.8, 5.1.14, and 4.2.26, released on November 5, 2025. Earlier unsupported versions of Django (such as 5.0.x, 4.1.x, and 3.2.x) were not tested and may be vulnerable.
🛠 A public exploit for the vulnerability appeared on November 6.
👾 No active exploitation has been reported so far.
🌐 According to 6sense, Django holds 32% of the web framework market share and is used by more than 42,000 companies. Ful.io tracks over 2.9 million websites running Django.
На русском
@avleonovcom #Django
⚙️ The vulnerability was patched in Django versions 5.2.8, 5.1.14, and 4.2.26, released on November 5, 2025. Earlier unsupported versions of Django (such as 5.0.x, 4.1.x, and 3.2.x) were not tested and may be vulnerable.
🛠 A public exploit for the vulnerability appeared on November 6.
👾 No active exploitation has been reported so far.
🌐 According to 6sense, Django holds 32% of the web framework market share and is used by more than 42,000 companies. Ful.io tracks over 2.9 million websites running Django.
На русском
@avleonovcom #Django
About Elevation of Privilege - Windows Kernel (CVE-2025-62215) vulnerability. The vulnerability was addressed in the November Microsoft Patch Tuesday. Exploitation of this vulnerability allows a local attacker to gain SYSTEM privileges. The root cause of the vulnerability is a Race Condition (CWE-362) and a Double Free (CWE-415).
⚙️ Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.
👾 Microsoft reported active exploitation of the vulnerability in attacks on November 11 as part of MSPT, and the following day the vulnerability was added to the CISA KEV catalog. No details about the attacks have been disclosed so far.
🛠 Public exploits have been available on GitHub since November 18.
На русском
@avleonovcom #Microsoft #Windows
⚙️ Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.
👾 Microsoft reported active exploitation of the vulnerability in attacks on November 11 as part of MSPT, and the following day the vulnerability was added to the CISA KEV catalog. No details about the attacks have been disclosed so far.
🛠 Public exploits have been available on GitHub since November 18.
На русском
@avleonovcom #Microsoft #Windows
December Microsoft Patch Tuesday. A total of 56 vulnerabilities were fixed - 9 fewer than in November. There is one vulnerability with confirmed in-the-wild exploitation:
🔻 EoP - Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
There are currently no vulnerabilities with publicly available exploits. Among the remaining vulnerabilities, the following stand out:
🔹 RCE - Microsoft Office (CVE-2025-62554, CVE-2025-62557), Microsoft PowerShell (CVE-2025-54100), Microsoft Outlook (CVE-2025-62562), GitHub Copilot for JetBrains (CVE-2025-64671)
🔹 EoP - Windows Win32k (CVE-2025-62458), Windows Cloud Files Mini Filter Driver (CVE-2025-62454, CVE-2025-62457), Windows Common Log File System Driver (CVE-2025-62470), Windows Remote Access Connection Manager (CVE-2025-62472), Windows Storage (CVE-2025-59516)
🗒 Full Vulristics report
На русском
@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows #Office #PowerShell #Outlook #JetBrains #Win32k #cldflt #CLFS #RASMan #WindowsStorage
🔻 EoP - Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
There are currently no vulnerabilities with publicly available exploits. Among the remaining vulnerabilities, the following stand out:
🔹 RCE - Microsoft Office (CVE-2025-62554, CVE-2025-62557), Microsoft PowerShell (CVE-2025-54100), Microsoft Outlook (CVE-2025-62562), GitHub Copilot for JetBrains (CVE-2025-64671)
🔹 EoP - Windows Win32k (CVE-2025-62458), Windows Cloud Files Mini Filter Driver (CVE-2025-62454, CVE-2025-62457), Windows Common Log File System Driver (CVE-2025-62470), Windows Remote Access Connection Manager (CVE-2025-62472), Windows Storage (CVE-2025-59516)
🗒 Full Vulristics report
На русском
@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows #Office #PowerShell #Outlook #JetBrains #Win32k #cldflt #CLFS #RASMan #WindowsStorage
About Remote Code Execution - expr-eval (CVE-2025-12735) vulnerability. expr-eval is a JavaScript library for parsing and evaluating mathematical expressions, providing safe handling of user-supplied variables. It is used in online calculators, educational programs, modeling tools, financial applications, AI systems, and natural language processing (NLP). Insufficient input validation may allow arbitrary JavaScript code execution in the application's context.
🛠 The vulnerability was discovered on November 5. A PoC has been on GitHub since November 11.
⚙️ The vulnerability is still in the process of being fixed in the main (effectively abandoned 🤷♂️) expr-eval project and is not fully fixed in its fork, expr-eval-fork. Secure versions are expected to appear in the corresponding GHSA.
🌐 The library is popular: expr-eval has 800k weekly downloads on npm, and expr-eval-fork has 88k.
👾 No in-the-wild exploitation has been observed so far.
На русском
@avleonovcom #expreval #JavaScript #npm
🛠 The vulnerability was discovered on November 5. A PoC has been on GitHub since November 11.
⚙️ The vulnerability is still in the process of being fixed in the main (effectively abandoned 🤷♂️) expr-eval project and is not fully fixed in its fork, expr-eval-fork. Secure versions are expected to appear in the corresponding GHSA.
🌐 The library is popular: expr-eval has 800k weekly downloads on npm, and expr-eval-fork has 88k.
👾 No in-the-wild exploitation has been observed so far.
На русском
@avleonovcom #expreval #JavaScript #npm
About Remote Code Execution - Control Web Panel (CVE-2025-48703) vulnerability. Control Web Panel (CWP) is a free web-hosting control panel for RPM-based distributions. This web application provides a convenient interface for configuring and managing web servers (Apache, NGINX), databases (MySQL, MariaDB), mail systems (Postfix, Dovecot, Roundcube), DNS (BIND), and security tools (CSF, ModSecurity).
💡 Essence of the vulnerability: in the changePerm request of the filemanager module, there is a parameter called t_total, and its value is used as an argument to the system command chmod without sufficient validation. 🤷♂️ This allows an unauthenticated attacker to execute arbitrary shell commands on the CWP server. 😏
⚙️ Fixed in version 0.9.8.1205 on June 18, 2025.
🛠 On June 22, a detailed write-up appeared, followed soon by GitHub exploits.
👾 On November 4, the vulnerability was added to CISA KEV.
🌐 Shodan detects about 220,000 CWP installations online.
На русском
@avleonovcom #CWP
💡 Essence of the vulnerability: in the changePerm request of the filemanager module, there is a parameter called t_total, and its value is used as an argument to the system command chmod without sufficient validation. 🤷♂️ This allows an unauthenticated attacker to execute arbitrary shell commands on the CWP server. 😏
⚙️ Fixed in version 0.9.8.1205 on June 18, 2025.
🛠 On June 22, a detailed write-up appeared, followed soon by GitHub exploits.
👾 On November 4, the vulnerability was added to CISA KEV.
🌐 Shodan detects about 220,000 CWP installations online.
На русском
@avleonovcom #CWP
December "In the Trend of VM" (#22): vulnerabilities in Windows, the expr-eval library, Control Web Panel, and Django. A traditional monthly roundup of trending vulnerabilities - this time, a fairly compact one. 💽
🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)
Four vulnerabilities in total:
🔻 EoP - Windows Kernel (CVE-2025-62215)
🔻 RCE - expr-eval (CVE-2025-12735)
🔻 RCE - Control Web Panel (CVE-2025-48703)
🔻 SQLi - Django (CVE-2025-64459)
🟥 Trending Vulnerabilities Portal
На русском
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #expreval #JavaScript #npm #CWP #Django
🗞 Post on Habr (rus)
🗞 Post on SecurityLab (rus)
🗒 Digest on the PT website (rus)
Four vulnerabilities in total:
🔻 EoP - Windows Kernel (CVE-2025-62215)
🔻 RCE - expr-eval (CVE-2025-12735)
🔻 RCE - Control Web Panel (CVE-2025-48703)
🔻 SQLi - Django (CVE-2025-64459)
🟥 Trending Vulnerabilities Portal
На русском
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #expreval #JavaScript #npm #CWP #Django
December Linux Patch Wednesday. In December, Linux vendors began fixing 650 vulnerabilities, roughly the same as in November. Of these, 399 are in the Linux Kernel. No vulnerabilities with signs of in-the-wild exploitation were detected.
For 29 vulnerabilities, public exploits are available or there are indications of their existence. The following can be highlighted:
🔸 RCE - JupyterLab Extension Template (CVE-2024-39700), fontTools (CVE-2025-66034), Cacti (CVE-2025-66399), CUPS (CVE-2025-64524)
🔸 XXE - Apache Tika (CVE-2025-66516)
🔸 SQLi - phpPgAdmin (CVE-2025-60797, CVE-2025-60798)
🔸 AuthBypass - cpp-httplib (CVE-2025-66570)
🔸 OpenRedirect - Chromium (CVE-2024-13983)
🗒 Full Vulristics report
На русском
@avleonovcom #LinuxPatchWednesday #Vulristics #Linux #JupyterLab #fontTools #Cacti #CUPS #ApacheTika #phpPgAdmin #cpphttplib #Chromium
For 29 vulnerabilities, public exploits are available or there are indications of their existence. The following can be highlighted:
🔸 RCE - JupyterLab Extension Template (CVE-2024-39700), fontTools (CVE-2025-66034), Cacti (CVE-2025-66399), CUPS (CVE-2025-64524)
🔸 XXE - Apache Tika (CVE-2025-66516)
🔸 SQLi - phpPgAdmin (CVE-2025-60797, CVE-2025-60798)
🔸 AuthBypass - cpp-httplib (CVE-2025-66570)
🔸 OpenRedirect - Chromium (CVE-2024-13983)
🗒 Full Vulristics report
На русском
@avleonovcom #LinuxPatchWednesday #Vulristics #Linux #JupyterLab #fontTools #Cacti #CUPS #ApacheTika #phpPgAdmin #cpphttplib #Chromium
About Remote Code Execution - React Server Components "React2Shell" (CVE-2025-55182) vulnerability. React is a popular open-source JavaScript framework; to improve application performance, it allows part of the logic to be executed on the server via React Server Components (RSC). By exploiting insecure deserialization in RSC, an unauthenticated attacker can achieve server-side code execution via a crafted HTTP request.
⚙️ React fixes were released on December 3. Other frameworks that embed React are also vulnerable, including Next.js, React Router, Expo, Redwood SDK, Waku, and others.
🛠 Public exploits have been available since December 3; by December 19, GitHub hosted 250+ exploit and scanner projects. 😮
👾 Attacks are widespread and have been observed since December 5; listed in CISA KEV Dec 9.
🌐 Shadowserver reports 100k+ vulnerable hosts; RuNet estimates range from 10k to 40k+. 🤔
На русском
@avleonovcom #React2Shell #RSC #React
⚙️ React fixes were released on December 3. Other frameworks that embed React are also vulnerable, including Next.js, React Router, Expo, Redwood SDK, Waku, and others.
🛠 Public exploits have been available since December 3; by December 19, GitHub hosted 250+ exploit and scanner projects. 😮
👾 Attacks are widespread and have been observed since December 5; listed in CISA KEV Dec 9.
🌐 Shadowserver reports 100k+ vulnerable hosts; RuNet estimates range from 10k to 40k+. 🤔
На русском
@avleonovcom #React2Shell #RSC #React
January Microsoft Patch Tuesday. A total of 114 vulnerabilities, twice as many as in December. There is one vulnerability with evidence of in-the-wild exploitation:
🔻 InfDisc - Desktop Window Manager (CVE-2026-20805)
There are also two vulnerabilities with public exploits:
🔸 RCE - Windows Deployment Services (CVE-2026-0386)
🔸 EoP - Windows Agere Soft Modem Driver (CVE-2023-31096)
Other notable vulnerabilities include:
🔹 RCE - Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP - Desktop Windows Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB - Secure Boot Certificate Expiration (CVE-2026-21265)
Also noteworthy, reported by Positive Technologies:
🟥 EoP - Windows Telephony Service (CVE-2026-20931)
🗒 Full Vulristics report
На русском
@avleonovcom #Vulristics #PositiveTechnologies #PatchTuesday #Microsoft #Windows #Office #NTFS #DWM #VBSEnclave #SecureBoot #TelephonyService
🔻 InfDisc - Desktop Window Manager (CVE-2026-20805)
There are also two vulnerabilities with public exploits:
🔸 RCE - Windows Deployment Services (CVE-2026-0386)
🔸 EoP - Windows Agere Soft Modem Driver (CVE-2023-31096)
Other notable vulnerabilities include:
🔹 RCE - Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP - Desktop Windows Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB - Secure Boot Certificate Expiration (CVE-2026-21265)
Also noteworthy, reported by Positive Technologies:
🟥 EoP - Windows Telephony Service (CVE-2026-20931)
🗒 Full Vulristics report
На русском
@avleonovcom #Vulristics #PositiveTechnologies #PatchTuesday #Microsoft #Windows #Office #NTFS #DWM #VBSEnclave #SecureBoot #TelephonyService
About Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2025-62221) vulnerability. cldflt.sys is the Windows Cloud Files Mini Filter driver whose purpose is to present files and folders stored in the cloud as if they were located on the local computer. A vulnerability in this driver, fixed as part of Microsoft's December Patch Tuesday, allows a local attacker to obtain SYSTEM privileges. The root cause of the vulnerability is a Use After Free issue (CWE-416).
⚙️ The vulnerability was discovered by Microsoft researchers (from MSTIC and MSRC). Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.
👾 The vulnerability has been exploited in the wild and added to the CISA KEV catalog. No attack details are available yet.
🛠 Since December 10, alleged exploit repositories briefly appeared on GitHub and were later removed; exploit sale offers have also been observed (possibly fraudulent).
На русском
@avleonovcom #Microsoft #Windows #cldflt
⚙️ The vulnerability was discovered by Microsoft researchers (from MSTIC and MSRC). Updates are available for Windows 10/11 and Windows Server 2019/2022/2025.
👾 The vulnerability has been exploited in the wild and added to the CISA KEV catalog. No attack details are available yet.
🛠 Since December 10, alleged exploit repositories briefly appeared on GitHub and were later removed; exploit sale offers have also been observed (possibly fraudulent).
На русском
@avleonovcom #Microsoft #Windows #cldflt
About Information Disclosure - MongoDB "MongoBleed" (CVE-2025-14847) vulnerability. MongoDB is a popular NoSQL database that stores data as JSON-like documents with an optional schema. The project is licensed under the SSPL. A flaw in MongoDB’s handling of the data length parameter during zlib compression allows a remote, unauthenticated attacker to access uninitialized memory and, consequently, sensitive data (credentials, keys, customer data, etc.).
⚙️ "Critical fix" was released on December 19. The vulnerability is fixed in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
🛠👾 A public exploit appeared on GitHub on December 26. Exploiting it only requires specifying a host, port, and memory read offsets. Immediately after the exploit was published, mass exploitation began, according to Wiz. The vulnerability was added to the CISA KEV on December 29.
🌐 Censys reports ~86k vulnerable servers online, including ~2k in Russia.
На русском
@avleonovcom #MongoDB #MongoBleed #Wiz #Censys
⚙️ "Critical fix" was released on December 19. The vulnerability is fixed in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
🛠👾 A public exploit appeared on GitHub on December 26. Exploiting it only requires specifying a host, port, and memory read offsets. Immediately after the exploit was published, mass exploitation began, according to Wiz. The vulnerability was added to the CISA KEV on December 29.
🌐 Censys reports ~86k vulnerable servers online, including ~2k in Russia.
На русском
@avleonovcom #MongoDB #MongoBleed #Wiz #Censys
About Authentication Bypass - GNU Inetutils (CVE-2026-24061) vulnerability. GNU Inetutils is a collection of common network programs, including, among other things, a Telnet server (telnetd). A vulnerability in GNU Inetutils telnetd allows a remote attacker to obtain a root shell on the host without any credentials by sending a crafted USER environment variable containing the value "-f root".
⚙️ A patch fixing the vulnerability was released on January 20. Versions 1.9.3–2.7 are vulnerable; the issue went undisclosed for 10+ years. 🤷♂️
🛠 A detailed write-up and exploit were published by SafeBreach on January 22.
👾 Exploitation in the wild has been observed by GreyNoise since January 21.
🌐 Shodan estimates ~212,396 Telnet servers online in total. How many of them use GNU Inetutils and are vulnerable is still unclear. CyberOK discovered around 500 potentially vulnerable Telnet servers in the Russian Internet segment.
На русском
@avleonovcom #Inetutils #Telnet #SafeBreach #CyberOK #Shodan #telnetd
⚙️ A patch fixing the vulnerability was released on January 20. Versions 1.9.3–2.7 are vulnerable; the issue went undisclosed for 10+ years. 🤷♂️
🛠 A detailed write-up and exploit were published by SafeBreach on January 22.
👾 Exploitation in the wild has been observed by GreyNoise since January 21.
🌐 Shodan estimates ~212,396 Telnet servers online in total. How many of them use GNU Inetutils and are vulnerable is still unclear. CyberOK discovered around 500 potentially vulnerable Telnet servers in the Russian Internet segment.
На русском
@avleonovcom #Inetutils #Telnet #SafeBreach #CyberOK #Shodan #telnetd
About Information Disclosure - Desktop Window Manager (CVE-2026-20805) vulnerability. Desktop Window Manager is a compositing window manager that has been part of Windows since Windows Vista. Exploitation of the vulnerability, which was addressed in the January Microsoft Patch Tuesday, allows a local attacker to disclose the "section address from a remote ALPC port which is user-mode memory".
👾 Microsoft noted that this vulnerability is being exploited in attacks. The vulnerability was added to CISA’s KEV catalog on January 13. There are no public details about the attacks yet, but Rapid7 experts suggest that the disclosed memory address can be used to bypass ASLR, "increasing the chance of developing a stable elevation of privilege exploit for DWM".
🛠 Public exploit PoCs have been available on GitHub since January 14.
На русском
@avleonovcom #Microsoft #Windows #DWM #ALPC #ASLR
👾 Microsoft noted that this vulnerability is being exploited in attacks. The vulnerability was added to CISA’s KEV catalog on January 13. There are no public details about the attacks yet, but Rapid7 experts suggest that the disclosed memory address can be used to bypass ASLR, "increasing the chance of developing a stable elevation of privilege exploit for DWM".
🛠 Public exploit PoCs have been available on GitHub since January 14.
На русском
@avleonovcom #Microsoft #Windows #DWM #ALPC #ASLR
Our PR team awarded me the “The Best Positive Speaker 2025” metal pin for public speaking, articles, and media commentary. Huge thanks to my colleagues for this! I’m very pleased. 😇 The collection is growing. 😉
This time, the pin is styled like the Friends sitcom logo. It’s made of metal, coated with colored enamel, quite hefty, measures 5×2 cm, and fastens with two butterfly clasps. Very nice. 👍
PS: I hope there wasn’t any hidden hint in the pin’s style. 😉
So no one told you life was going to be this way. 👏👏
Your job's a joke, you're broke, your love life's DOA. 😅
На русском
@avleonovcom #PositiveTechnologies #PR #Award #present #TBPS2025
This time, the pin is styled like the Friends sitcom logo. It’s made of metal, coated with colored enamel, quite hefty, measures 5×2 cm, and fastens with two butterfly clasps. Very nice. 👍
PS: I hope there wasn’t any hidden hint in the pin’s style. 😉
So no one told you life was going to be this way. 👏👏
Your job's a joke, you're broke, your love life's DOA. 😅
На русском
@avleonovcom #PositiveTechnologies #PR #Award #present #TBPS2025
January Linux Patch Wednesday. In January, Linux vendors started fixing 918 vulnerabilities, one and a half times more than in December. Of these, 616 are in the Linux Kernel. Three show signs of exploitation in the wild:
🔻 AuthBypass - GNU Inetutils (telnetd) (CVE-2026-24061)
🔻 RCE - Safari (CVE-2025-43529); fixed in Linux distributions in webkit packages
🔻 MemCor - Chromium (CVE-2025-14174)
Another 97 vulnerabilities have public exploits or signs of their existence. Key examples:
🔸 MemCor - libpng (CVE-2026-22695)
🔸 XSS - Roundcube (CVE-2025-68461)
🔸 RCE - expr-eval (CVE-2025-13204)
🔸 ComInj - cpp-httplib (CVE-2026-21428), httparty (CVE-2025-68696), Miniflux (CVE-2026-21885)
🔸 SQLi - parsl (CVE-2026-21892)
🔸 SFB - OWASP CRS (CVE-2026-21876), Authlib (CVE-2025-68158)
🔸 AFW - node-tar (CVE-2026-23745)
🔸 PathTrav - GNU Wget2 (CVE-2025-69194), Tar (CVE-2025-45582)
🗒 Full Vulristics Report
На русском
@avleonovcom #LinuxPatchWednesday #Vulristics #Linux #telnetd #Inetutils #Safari #webkit #Chromium #libpng
🔻 AuthBypass - GNU Inetutils (telnetd) (CVE-2026-24061)
🔻 RCE - Safari (CVE-2025-43529); fixed in Linux distributions in webkit packages
🔻 MemCor - Chromium (CVE-2025-14174)
Another 97 vulnerabilities have public exploits or signs of their existence. Key examples:
🔸 MemCor - libpng (CVE-2026-22695)
🔸 XSS - Roundcube (CVE-2025-68461)
🔸 RCE - expr-eval (CVE-2025-13204)
🔸 ComInj - cpp-httplib (CVE-2026-21428), httparty (CVE-2025-68696), Miniflux (CVE-2026-21885)
🔸 SQLi - parsl (CVE-2026-21892)
🔸 SFB - OWASP CRS (CVE-2026-21876), Authlib (CVE-2025-68158)
🔸 AFW - node-tar (CVE-2026-23745)
🔸 PathTrav - GNU Wget2 (CVE-2025-69194), Tar (CVE-2025-45582)
🗒 Full Vulristics Report
На русском
@avleonovcom #LinuxPatchWednesday #Vulristics #Linux #telnetd #Inetutils #Safari #webkit #Chromium #libpng
January "In the Trend of VM" (#23): vulnerabilities in Windows, React and MongoDB. Traditional monthly roundup of trending vulnerabilities. Launching the 2026 season. 🙂
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
In total, three vulnerabilities:
🔻 EoP - Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
🔻 RCE - React Server Components "React2Shell" (CVE-2025-55182)
🔻 InfDisc - MongoDB "MongoBleed" (CVE-2025-14847)
🟥 Trending Vulnerabilities Portal
На русском
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #cldflt #React2Shell #RSC #React #MongoDB #MongoBleed #Wiz #Censys
🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)
In total, three vulnerabilities:
🔻 EoP - Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
🔻 RCE - React Server Components "React2Shell" (CVE-2025-55182)
🔻 InfDisc - MongoDB "MongoBleed" (CVE-2025-14847)
🟥 Trending Vulnerabilities Portal
На русском
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #cldflt #React2Shell #RSC #React #MongoDB #MongoBleed #Wiz #Censys
About Remote Code Execution - Microsoft Office (CVE-2026-21509) vulnerability. The vulnerability was urgently fixed on January 26, outside the regular Microsoft Patch Tuesday. Microsoft classified it as a Security Feature Bypass, but in fact, it is more of a Remote Code Execution. The vulnerability involves bypassing OLE (Object Linking and Embedding) security features in Microsoft 365 and Microsoft Office. It is exploited when opening malicious Office files (Preview Pane is safe).
⚙️ In Office 2021+, protection is enabled automatically via server-side changes after restarting the applications. For Office 2016/2019, updates must be installed or registry changes applied.
👾 Microsoft reports that the vulnerability is being exploited in the wild.
🛠 No public exploits are available yet.
На русском
@avleonovcom #Microsoft #Office #OLE
⚙️ In Office 2021+, protection is enabled automatically via server-side changes after restarting the applications. For Office 2016/2019, updates must be installed or registry changes applied.
👾 Microsoft reports that the vulnerability is being exploited in the wild.
🛠 No public exploits are available yet.
На русском
@avleonovcom #Microsoft #Office #OLE