June 2025 Patch Tuesday: Comment from Satnam Narang, Sr. Staff Research Engineer, Tenable


Satnam Narang, sr. staff research engineer, Tenable

“Our CVE count for 2025 is already pushing us past the halfway mark of last year’s total of 1,009 patched CVEs. As this number continues to grow year over year, so does the pressure on cyber defenders to mitigate these issues effectively. Tenable Research Special Operations is here to help with informed intelligence. 

 “This month, there were only two zero-day vulnerabilities, one of which was exploited in the wild and the other publicly disclosed.

“One notable exploited-in-the-wild zero-day from this release is CVE-2025-33053, a remote code execution vulnerability in Web Distributed Authoring and Versioning (WebDAV), a protocol that extends HTTP functionality for interacting with files. Check Point Research confirmed that Stealth Falcon launched a social engineering campaign to convince targets to open a malicious .url file, which would then exploit this vulnerability, giving them the ability to execute code. It is rare to hear of a zero-day reported during Patch Tuesday as being leveraged widely. We typically expect these types of zero-days to be used sparingly, with an intention to remain undetected for as long as possible. However, not all zero-days are used stealthily. The precedent set by groups like Cl0p with file transfer appliances shows that zero-days can rapidly become widespread when money is the motivator.

“This month, Microsoft did not patch BadSuccessor, a zero-day elevation of privilege vulnerability, despite its disclosure by researchers at Akamai on May 21 and the subsequent release of public proofs of concept, including a .NET implementation dubbed SharpSuccessor, and its inclusion in NetExec and BloodyAD. BadSuccessor only affects domains that have at least one Windows Server 2025 domain controller, a rare configuration that we’ve observed in just 0.7% of AD domains based on a subset of our telemetry data. Nonetheless, we know that Microsoft intends to fix the flaw, but not this month. Organizations that do have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.

“Microsoft recently updated its advisory for CVE-2025-21204, an elevation of privilege vulnerability that was patched in April. As part of that release, Microsoft created a folder on systems under %systemdrive%\inetpub, noting that it was important to ‘increase protection.’ Understandably, some users were concerned about the creation of a new folder on their systems, so many deleted it. In its latest update, Microsoft published a remediation script that will restore this folder with the correct permissions and update access control lists (ACLs). Users are advised to run this script from Microsoft directly if they manually removed the folder.” – Satnam Narang, sr. staff research engineer, Tenable
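The comment above advises organizations with at least one Windows Server 2025 domain controller to review and limit the permissions held by principals. The following PowerShell is an added example of that triage step; it is not code from Tenable, Akamai, or the quoted comment, and it does not reproduce any exploit. It assumes the RSAT ActiveDirectory module is installed (which provides the `AD:` PSDrive used by `Get-Acl`), that it is run as a user permitted to read domain controller objects and OU ACLs, and that the list of "expected" principals is a starting point the reader will adjust for their own domain. It first reports whether any Windows Server 2025 domain controller exists, then lists every non-default principal holding CreateChild, WriteDacl, or WriteOwner rights on an organizational unit, since those are the rights an administrator would want to scrutinize and trim.

```powershell
# Added example, not from the original page: audit a domain for Windows Server 2025
# domain controllers and for non-default principals with broad rights on OUs.
# Assumes the RSAT ActiveDirectory module (and its AD: drive) is available.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-WS2025DomainController {
    # Returns every DC whose reported OS is Windows Server 2025.
    # An empty result means the precondition the comment describes is not met.
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -like '*Server 2025*' } |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion, Site
}

function Get-OUBroadRights {
    param(
        # Principals whose OU rights are expected by default; this list is an
        # assumption for illustration and should be tuned per environment.
        [string[]]$ExpectedPrincipal = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
        )
    )
    $domain = Get-ADDomain
    $ExpectedPrincipal += "$($domain.NetBIOSName)\Domain Admins",
                          "$($domain.NetBIOSName)\Enterprise Admins"

    # Rights that let a principal add or take control of objects under an OU.
    $watched = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ExpectedPrincipal -contains $ace.IdentityReference.Value) { continue }

            # HasFlag on the [Flags] enum also matches GenericAll, which includes all of these.
            $hit = $watched | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) }
            if (-not $hit) { continue }

            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                # Empty GUID means the right applies to any child object class;
                # a specific GUID means it is limited to one class.
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage: only dig into OU rights if the domain actually has a Server 2025 DC.
$dc2025 = Get-WS2025DomainController
if ($dc2025) {
    Write-Host "Windows Server 2025 domain controller(s) found:"
    $dc2025 | Format-Table -AutoSize
    Get-OUBroadRights | Sort-Object OU, Principal | Format-Table -AutoSize
} else {
    Write-Host "No Windows Server 2025 domain controllers found in $((Get-ADDomain).DNSRoot)."
}
```

Read the output for principals that are not administrators yet can create children or rewrite the DACL or owner on an OU; those are the delegations the comment recommends limiting. Because `Get-OUBroadRights` returns objects, the results can be piped to `Export-Csv` for tracking or compared between runs after permissions are tightened.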
