A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi. It creates a task named SilentCleanup to trigger content cleanup and delete Config.msi. After deletion it creates a third thread to run second stage of FolderOrFileDeleteToSystem to drop HID.dll. Run osk.exe, then in another thread run mmc.exe.
An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the WingFTP server usernames are processed, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps: Sends a POST request to loginok.html with the malicious command in the username field. Extracts the session cookie (UID). The server responds with a UID cookie in Set-Cookie. Uses the extracted UID cookie to access dir.html. Requests and execute the necessary files to install an agent.
A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment, uploads a malicious /etc/nsswitch.conf which in turn calls a shared object that escalates privileges, the exploit is triggered when executing sudo with the -R flag pointing to the user controlled directory.
This vulnerability (CVE-2024-28987) is caused by the presence of hardcoded credentials in the application, allowing unauthenticated attackers to remotely read and modify all help desk ticket details. It enables authentication with a predefined account (helpdeskIntegrationUser/dev-C4F8025E7) Affected versions include SolarWinds Web Help Desk 12.8.3 Hotfix 1 and all previous versions. An attacker exploiting this vulnerability can: - Access the REST API without requiring valid credentials. - Retrieve sensitive information from support tickets. - Read private ticket details, including internal comments. - Access confidential data, such as shared account credentials or passwords from reset requests. - Modify existing tickets, altering their content or status. - Create new tickets with false or malicious information. This exploit leverages hardcoded credentials to authenticate via Basic Authentication and interact with the SolarWinds Web Help Desk API. Steps performed by the exploit: 1 Authentication to the API - Sends a Basic Authentication request to the /OrionTickets endpoint. - If the request returns ticket data, the target is confirmed to be vulnerable. 2 Retrieving help desk tickets - Fetches all available tickets from the system. 3 Creating a new ticket (optional) - If specified as a parameter, the exploit creates a new ticket in the system. - The ticket is generated with user-defined subject and details. 4 Saving tickets to a file (optional) - The retrieved tickets can be saved to a file if a path is provided. 5 Fetching additional ticket details (optional) - The exploit can request detailed information for each ticket.
An authentication bypass vulnerability in Progress OpenEdge allows unauthenticated remote attackers to authenticate in the target application as NT AUTHORITY/SYSTEM. The vulnerability is present in the native system library auth.dll, and is reached via the authorizeUser function. This module performs the vulnerability verification by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. All requests to target will be made using Java RMI requests.
An unmarshal reflection vulnerability in GlobalProtect feature of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to create empty arbitrary directories and files in the operating system. If device telemetry is enabled, then remote OS command injection is possible via the dt_curl python module. This module performs the vulnerability verification in three steps. The first step, does a control check using a random filename against the /images directory. Since this file shouldn't exist in the target webapp, the webserver will return a 404 HTTP code. The second step consists in using the vulnerability to try to create the file in the given location. The final step performs the first step again. If the file exists, then a 403 HTTP code is returned, proving that the file was created with the vulnerability. Any other HTTP code will be taken as the target system being not vulnerable.
Subscribe to Impact