NewApp Digest
search bot

remote execution

Patching required for exploited Windows vulnerability
Winsage
October 22, 2025

Patching required for exploited Windows vulnerability

Microsoft is facing a significant security vulnerability in the Windows Server Message Block (SMB) client, which has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. Despite a patch being released, the flaw, designated as CVE-2025-33073 and rated with a CVSS score of 8.8, remains a target for exploitation. The vulnerability allows attackers to connect a Windows system to a malicious SMB server, enabling remote execution of plans with elevated access privileges. CISA has mandated that all federal agencies must install the update by November 10, 2025, and encourages private organizations to assess their patch status and consider temporary measures if immediate updates are not possible.
APT Hackers Exploited WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware
Winsage
June 10, 2025

APT Hackers Exploited WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware

A cyberattack campaign by the advanced persistent threat group Stealth Falcon targeted a prominent Turkish defense company using a zero-day vulnerability identified as CVE-2025-33053. This vulnerability allowed attackers to manipulate the working directory of legitimate Windows tools to execute malware from their WebDAV servers. The attack was initiated through a spear-phishing email containing a malicious .url file that directed the system to a legitimate Internet Explorer utility, which was then exploited to execute malicious files. The attackers employed process hollowing to bypass traditional defenses. Stealth Falcon, also known as FruityArmor, has been conducting cyber espionage since at least 2012, targeting government and defense sectors in Turkey, Qatar, Egypt, and Yemen. The attack involved a multi-stage infection chain leading to the deployment of "Horus Agent," a custom implant designed for advanced reconnaissance and equipped with anti-analysis techniques. Researchers identified additional custom tools used by Stealth Falcon, including a DC Credential Dumper and a custom keylogger. The group utilizes repurposed legitimate domains to blend their infrastructure with legitimate traffic, complicating detection efforts.
Microsoft Scripting Engine 0-Day Vulnerability Enables Remote Code Execution Over Network
Winsage
May 14, 2025

Microsoft Scripting Engine 0-Day Vulnerability Enables Remote Code Execution Over Network

Microsoft has identified a memory corruption vulnerability in its Scripting Engine, designated as CVE-2025-30397. This vulnerability allows unauthorized remote code execution and is classified as “Important” under CWE-843 (Type Confusion). It was disclosed in the May 2025 Patch Tuesday updates and arises from improper handling of resource types. Exploitation occurs when a user clicks a specially crafted URL in Microsoft Edge's Internet Explorer Mode, potentially compromising system confidentiality, integrity, and availability. Although the attack complexity is high, successful exploitation has been confirmed in the wild. Microsoft has issued patches for all supported Windows versions, and users are advised to apply these updates and consider disabling Internet Explorer Mode to reduce risk.
Critical Vulnerability in Microsoft Windows Exposed: State-Sponsored Hackers Exploit Link Files for Espionage
Winsage
March 24, 2025

Critical Vulnerability in Microsoft Windows Exposed: State-Sponsored Hackers Exploit Link Files for Espionage

A vulnerability in Microsoft Windows' handling of link files (.lnk) has been exploited by state-sponsored hackers from North Korea, Russia, Iran, and China for espionage and data theft. This flaw allows malicious payloads to be embedded in seemingly harmless links, enabling remote execution of arbitrary code and unauthorized access to compromised systems. Nearly 1,000 malicious .lnk files have been identified, with around 70% of attacks focused on espionage and information theft, particularly targeting government and financial institutions. The malicious commands are difficult to detect, complicating protection efforts for organizations. ZDI recommends increased awareness and the use of endpoint and network protection tools to mitigate the threat.
Don't ignore Microsoft's February Patch Tuesday - it's a big one for all Windows 11 users
Winsage
February 13, 2025

Don’t ignore Microsoft’s February Patch Tuesday – it’s a big one for all Windows 11 users

Microsoft's February Patch Tuesday updates, released on February 11, include KB5051987 for Windows 11 24H2 and KB5051989 for Windows 11 23H2. The updates introduce enhancements to the Taskbar and File Explorer, including improved previews and animations for Taskbar icons, a new icon in the System Tray for Windows Studio Effects, and a new simplified Chinese font named Simsun-ExtG. A feature allowing certain applications to automatically restart after signing back in has also been added. File Explorer now includes a "New Folder" command in the context menu and can restore previously open tabs at logon. The updates fix various bugs, including issues with Auto HDR in games, playback interruptions for USB audio devices, and problems with USB audio drivers. They also address issues from the January 2025 security update, such as USB camera recognition and slower shutdown processes with connected controllers. On the security side, the update resolves 56 vulnerabilities, three of which are critical. Notable vulnerabilities include CVE-2025-21391 (file deletion), CVE-2025-21418 (remote code execution), CVE-2025-21377 (authentication spoofing), and CVE-2025-21376 (malicious code execution). The updates are set to install automatically, but users can check for updates manually through Windows Update.
В qBittorrent 5.0.1 разработчики исправили баг с неправильной валидацией TLS-сертификатов, который был в проекте 14 лет
TrendTechie
November 22, 2024

В qBittorrent 5.0.1 разработчики исправили баг с неправильной валидацией TLS-сертификатов, который был в проекте 14 лет

In late October 2024, the qBittorrent project released version 5.0.1, which addressed a 14-year-long issue of improper validation of SSL/TLS certificates, mitigating a vulnerability that exposed users to man-in-the-middle (MitM) attacks. The vulnerability allowed for remote code execution due to the application’s failure to verify SSL/TLS certificates in the DownloadManager component, first documented in a commit from April 6, 2010. Since then, qBittorrent had accepted any certificate, enabling malicious actors to manipulate network traffic. The default behavior was changed to enforce verification on October 12, 2024. Sharp Security identified four primary risks associated with this vulnerability: 1. An attacker could intercept a request for a Python installer and substitute it with a malicious version. 2. An attacker could replace the update link with a malicious one during the update check. 3. Attackers could modify RSS feed content, inserting malicious URLs. 4. Exploitation through potential buffer overflow vulnerabilities when downloading a GeoIP database from a counterfeit server. An example of exploitation included remote execution of the system application "Calculator." The qBittorrent 5.0 client was released in late September 2024, developed using the Qt toolkit, with source code available on GitHub under the GPLv2+ license.
Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
Winsage
October 9, 2024

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft has released updates addressing a total of 118 vulnerabilities, including two that are actively exploited in the wild. The vulnerabilities are categorized as follows: 3 critical, 113 important, and 2 moderate. Among the 118 flaws, five are publicly known, with two classified as zero-day vulnerabilities: - CVE-2024-43572 (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected) - CVE-2024-43573 (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected) Additionally, CVE-2024-43468 is a critical remote execution flaw in Microsoft Configuration Manager with a CVSS score of 9.8, allowing unauthenticated actors to execute arbitrary commands. Other critical vulnerabilities include: - CVE-2024-43488 (CVSS score: 8.8) - Visual Studio Code extension for Arduino - CVE-2024-43582 (CVSS score: 8.1) - Remote Desktop Protocol (RDP) Server The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43572 and CVE-2024-43573 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by October 29, 2024.
PoC Released for 0-click RCE Flaw Impacting Windows Server - MadLicense
Winsage
August 9, 2024

PoC Released for 0-click RCE Flaw Impacting Windows Server – MadLicense

A critical zero-click remote code execution (RCE) vulnerability, identified as CVE-2024-38077, affects various Windows Server versions from 2000 to the 2025 preview. The flaw is located in the Windows Remote Desktop Licensing Service and allows attackers to execute arbitrary code without user interaction. The vulnerability is due to a heap overflow issue in the CDataCoding::DecodeData function, which mishandles user-controlled input. A proof-of-concept exploit demonstrates how this vulnerability can bypass security measures in Windows Server 2025. Over 170,000 Remote Desktop Licensing Services are exposed to the public internet, increasing the risk of exploitation. Microsoft has been informed about the vulnerability and has released a patch, urging users to apply it to mitigate risks. Security researchers recommend additional security measures like network segmentation and access controls.
Search