Vulnerability Management and more


Vulnerability assessment, IT compliance management, security automation. Russian channel: @avleonovrus Russian live news channel: @avleonovlive PM @leonov_av

2 819 subscribers
Channel posts
About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability. PAN-OS is an operating system for Palo Alto Networks firewalls and security platforms. User-ID™ Authentication Portal (also known as Captive Portal) is a non-default PAN-OS feature used to map IP addresses to usernames. By exploiting a buffer overflow vulnerability (CWE-787), an unauthenticated remote attacker can send specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected device. No authentication or user interaction is required. If the vulnerability is successfully exploited, the attacker gains full control over network traffic: they can intercept, modify, or block connections, access sensitive data, bypass security policies, hide traces of compromise, install backdoors, and use the device as a foothold for attacks on internal infrastructure. ⚙️ The vendor security advisory was published on May 6. PA-Series and VM-Series firewalls are affected. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability. Security updates for affected devices became available on May 13. As a workaround, the vendor recommended restricting User-ID™ Authentication Portal access to only trusted internal zones or disabling the User-ID™ Authentication Portal entirely if it is not required. 👾 On the same day, May 6, researchers from Palo Alto Networks Unit 42 published a report on active exploitation of the vulnerability in the wild. Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and systematic destruction of logs and other evidence of compromise. On the same day, the vulnerability was added to the CISA KEV catalog. 🛠 A public exploit was also published on GitHub on May 6. 
🌐 PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. As of June 5, Shodan identifies approximately 135,755 internet-facing PAN-OS instances, representing a significant attack surface. @avleonovcom #PaloAlto #PANOS #NGFW #Firewall #Exploit #CISAKEV #Shodan #PrismaAccess #CloudNGFW #Panorama

May Linux Patch Wednesday. A total of 1,638 vulnerabilities (474 in the Linux kernel). For comparison, in April there were 1,035 vulnerabilities (a record!). And this time it turns out to be a record again, more than one and a half times higher! The acceleration is both impressive and alarming. But we will see what happens next. At some point it should stabilize. Although the number of critical vulnerabilities is already so high that reviewing all of them becomes quite problematic. For 7 vulnerabilities there are signs of exploitation in the wild. And for another 264 there are public exploits. [ Read the full post on avleonov.com ] 🗒 Full Vulristics report @avleonovcom #LinuxPatchWednesday #Linux #LinuxKernel #CISAKEV #VulnCheckKEV #KEV #Exploit #Apache #ApacheHTTPServer #ApacheTomcat #ApacheActiveMQ #NGINX #ProFTPD #PgBouncer #Rclone #Postorius #GNUMailman #PostgreSQL #PHP #Composer #Django #Qualys #PackageKit #DirtyFrag #CopyFail #DirtyDecrypt #Fragnesia
About Elevation of Privilege - Linux Kernel "Fragnesia" (CVE-2026-46300) vulnerability. The vulnerability was discovered by researcher William Bowling together with the V12 team. Fragnesia belongs to the class of Dirty Frag vulnerabilities. It is an error in the ESP/XFRM subsystem, distinct from Dirty Frag, which was addressed with a separate patch. It allows achieving arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. 🛠 Technical details and exploit code were published on May 15. The public exploit modifies the contents of /usr/bin/su in the kernel page cache, and then executes /usr/bin/su, resulting in the user obtaining a root shell. The on-disk binary is never modified. A reboot or cache flush restores normal system behavior. [ Read the full post on avleonov.com ] @avleonovcom #Linux #LinuxKernel #Fragnesia #V12 #DirtyFrag #Ubuntu #Kernel #EoP #LPE #xfrmESP
May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader. While the previous April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios. 🗞 Post on Habr (rus) 🗒 Digest on the PT website (rus) 🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges. 🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms. 🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft collaboration and document management platform widely used in enterprise systems and internal portals. 🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks. 🟥 The full list of trending vulnerabilities is available on the portal @avleonovcom #PositiveTechnologies #TrendVulns
About Remote Code Execution - Adobe Reader (CVE-2026-34621) vulnerability. Adobe Acrobat Reader (from 2003 to 2015, "Adobe Reader") is a free PDF viewer developed by Adobe. Versions are available for Windows, macOS, Android, and iOS. The remote code execution vulnerability in Adobe Acrobat for Windows and macOS is caused by improper handling of object prototype attributes (CWE-1321 - "Prototype Pollution"). Successful exploitation of the vulnerability allows an attacker to execute arbitrary code on the target system when the victim opens a specially crafted document. 👾 Researcher Haifei Li, the developer of EXPMON - a sandbox-based system designed to detect file-based zero-days and hard-to-detect exploits - reported the vulnerability and the existence of a working exploit on April 7. [ Read the full post on avleonov.com ] @avleonovcom #Adobe #AcrobatReader #PrototypePollution #EXPMON #HaifeiLi #VirusTotal #CISAKEV #utilReadFileIntoStream #RSSaddFeed
May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit: 🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM." [ Read the full post on avleonov.com ] 🗒 Full Vulristics report @avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows #MSPT #MicrosoftOffice #MicrosoftWord #DNS #Netlogon #TCPIP #WindowsKernel #GDI #Dynamics365 #UseAfterFree #UAF #HeapSpray #ActiveDirectory #DomainController
April "In the Trend of VM" (#26): one Microsoft SharePoint vulnerability. Presenting the traditional monthly roundup of trending vulnerabilities by Positive Technologies. Once again, single-vendor, Microsoft-focused, and unusually compact. While the previous March edition had four trending vulnerabilities, this April edition has only one. In the upcoming May edition, we expect at least three trending vulnerabilities. 😉 🗞 Post on Habr (rus) 🗒 Digest on the PT website (rus) This vulnerability is from the January Microsoft Patch Tuesday: 🔻 RCE - Microsoft SharePoint (CVE-2026-20963). The vulnerability was initially rated less critical due to an authentication requirement PR:L, but Microsoft later determined that no authentication is required PR:N. It was added to the CISA KEV, indicating active exploitation in the wild. No public exploits exist yet. 🟥 The full list of trending vulnerabilities is available on the portal @avleonovcom #PositiveTechnologies #TrendVulns #Microsoft #SharePoint #CISA #CISAKEV
About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability. Apache ActiveMQ is a popular open-source message broker written in Java. Its main purpose is to send messages between different services, systems, and microservices without a direct connection between them. This vulnerability is from the April Linux Patch Wednesday. Details about this vulnerability were published on April 7 in the HORIZON3.ai company blog. They claim that the Apache ActiveMQ Classic vulnerability has been hiding in plain sight for 13 years. An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands. [ Read the full post on avleonov.com ] @avleonovcom #Apache #ActiveMQ #FortiGuard #Shadowserver #HORIZON3 #Jolokia #JMX #CISAKEV
About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability. A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system. What is actually hidden behind this description? [ Read the full post on avleonov.com ] @avleonovcom #Microsoft #SharePoint #XSS #ReflectedXSS #KEV #CISAKEV #ZDI
About Elevation of Privilege vulnerability - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability. According to information from researcher Hyunwoo Kim (@v4bel), Dirty Frag is a vulnerability (a class of vulnerabilities) that allows a local unprivileged attacker to obtain root privileges on most Linux distributions by combining the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC Page-Cache Write vulnerability (CVE-2026-43500). [...] As the researcher reports, the xfrm-ESP Page-Cache Write vulnerability in the Dirty Frag chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. Even on systems where the publicly known Copy Fail mitigation is applied, Linux remains vulnerable to Dirty Frag. [ Read the full post on avleonov.com ] @avleonovcom #DirtyFrag #HyunwooKim #v4bel #LinuxKernel #KernelExploit #xfrmESP #RxRPC #AppArmor #Linux #Ubuntu #RHEL #openSUSE #CentOSStream #AlmaLinux #Fedora
About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability. A local privilege escalation vulnerability in the Linux kernel AF_ALG component, which is caused by a memory handling flaw, allows an unprivileged user to escalate privileges to root. By exploiting this vulnerability, an attacker can fully compromise the system: read and modify any files, including passwords and keys, replace system binaries, disable security controls and monitoring tools, stealthily install backdoors and maintain persistence, hide traces of their activity, and use the host as a foothold for attacks on other network assets. ⚙️🛠 On April 1, patches addressing the vulnerability were merged... [ Read the full post on avleonov.com ] @avleonovcom #LinuxKernel #AFALG #KernelExploit #ContainerEscape #Kubernetes #CopyFail #Exploit #PoC #DirtyCow #DirtyPipe #RaceCondition #Python #VFS #Ubuntu #Debian #Fedora #ArchLinux #CloudLinux #AmazonLinux #RHEL #SUSE #ROSALinux #ROSA #CISA #CISAKEV
About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability. This vulnerability was fixed in the January MSPT. At the time of the MSPT release on January 13, VM vendors did not highlight this vulnerability in their reviews, and Microsoft reported no evidence of exploitation in the wild. The CVSS vector was initially rated as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8). The "PR:L" indicates that authentication was required to exploit the vulnerability. However, on March 17, Microsoft updated both the vulnerability description and its CVSS vector. The updated CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The "PR:N" indicates that authentication is not required for exploitation. [ Read the full post on avleonov.com ] @avleonovcom #SharePoint #Microsoft #VMProcess #Prioritization #CISA #CISAKEV
April Linux Patch Wednesday. In April, Linux vendors addressed 1,035 vulnerabilities - nearly twice as many as in March. One might assume that most of these would again be Linux Kernel vulnerabilities, but that's not the case! Linux Kernel vulnerabilities were relatively few - just 209. The remaining vulnerabilities are distributed across more than 200 affected products. Notably, two vulnerabilities show evidence of active exploitation in the wild: 🔻 RCE - Apache ActiveMQ (CVE-2026-34197). Remote code execution is possible via the Jolokia API (/api/jolokia/) with no authentication required. The vulnerability remained hidden in the codebase for 13 years before being discovered using AI. Listed in the CISA KEV since April 16. Numerous exploits are available on GitHub. [ Read the full post on avleonov.com ] 🗒 Full Vulristics report @avleonovcom #LinuxPatchWednesday #Vulristics #CISAKEV #Linux #LinuxKernel #Apache #ActiveMQ #Chromium #GoogleChrome #Cockpit #CUPS #KVMTool #tar
April Microsoft Patch Tuesday. A total of 167 vulnerabilities, about twice as many as in March. There is one vulnerability already being exploited in the wild: 🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)". There is no info yet about how widely it is being used in attacks, but you should not delay patching, especially if SharePoint is exposed to the Internet. [ Read the full overview on the avleonov.com website ] @avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows #SharePoint #MicrosoftDefender #ActiveDirectory #IKE #WindowsTCPIP #WindowsPushNotifications #RemoteDesktop #RPC #Winsock #IPv6 #IPSec #BlueHammer #ChaoticEclipse #Pwn2Own #NCSC
March Linux Patch Wednesday. In March, Linux vendors began addressing 575 vulnerabilities, which is 57 fewer than in February. Of these, 93 are in the Linux Kernel (⬇️ a significant decrease - there were 305 in February). There are two vulnerabilities with signs of in-the-wild exploitation: 🔻 RCE - Chromium (CVE-2026-3909, CVE-2026-3910) Additionally, for 130 (❗️) vulnerabilities, public exploits are available or there are indications of their existence. Notable ones include: 🔸 RCE - Caddy (CVE-2026-27590), NLTK (CVE-2025-14009), Rollup (CVE-2026-27606), GVfs (CVE-2026-28296), SPIP (CVE-2026-27475), OpenStack Vitrage (CVE-2026-28370) 🔸 AuthBypass - Curl (CVE-2026-3783), coTURN (CVE-2026-27624), Libsoup (CVE-2026-3099) [ And a few more on the avleonov.com website ] 🗒 Full Vulristics report @avleonovcom #LinuxPatchWednesday #Vulristics #Linux #Chromium #Caddy #NLTK #Rollup #GVfs #SPIP #OpenStack #Vitrage #Curl #coTURN #Libsoup #Glances #gSOAP #basicftp #Snapd #GNUInetutils #Keycloak #PyJWT #Authlib #lxml
March "In the Trend of VM" (#25): once again, vulnerabilities are only in Microsoft products. I present the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. As in February, it turned out to be quite compact and focused on a single vendor. 🗞 Post on Habr (rus) 🗒 Digest on the PT website (rus) All four vulnerabilities are from the February Microsoft Patch Tuesday, and all are actively being exploited in the wild: 🔻 RCE - Windows Shell (CVE-2026-21510) 🔻 RCE - Microsoft Word (CVE-2026-21514) 💬 Microsoft classified the two vulnerabilities above as Security Feature Bypass, but in fact, they are Remote Code Execution. 🔻 EoP - Windows Remote Desktop Services (CVE-2026-21533) 🔻 EoP - Desktop Window Manager (CVE-2026-21519) 🟥 The full list of trending vulnerabilities can be found on the portal In Russian @avleonovcom #PositiveTechnologies #TrendVulns #Microsoft #Windows #LNK #SmartScreen #WindowsShell #Office #OLE #RDP #RDS #DWM #CrowdStrike
About Remote Code Execution Vulnerability - n8n (CVE-2025-68613). n8n is a workflow automation platform available under a fair-code license. Improper Control of Dynamically-Managed Code Resources (CWE-913) in the n8n workflow expression evaluation system allows a remote authenticated attacker without administrative privileges to execute arbitrary code. ⚙️ The vulnerability was fixed in late December 2025. ⚒️ Exploits on GitHub have been available since December 22, including those for combined exploitation with CVE-2026-21858 (Ni8mare). 👾 On December 26, a detailed write-up by Resecurity was published, reporting signs of exploitation in the wild. On February 27, Akamai reported exploitation of the vulnerability by Zerobot malware. On March 11, the vulnerability was added to the CISA KEV. 🌐 In January, CyberOK SKIPA recorded just under 9,000 active n8n instances in the Runet, ~70% of which were vulnerable. In Russian @avleonovcom #CyberOK #SKIPA #n8n #Zerobot #Akamai #Ni8mare