PatchDayAlert
Daily Digest · 2 min read · 5 CVEs · Issue 39 · By PatchDayAlert

WordPress RCE at 9.8 unauthed, Defender privesc unpatched, OpenSSL nonce fail

A PHP Object Injection in a Salesforce/CF7 WordPress plugin needs no login and scores CVSS 9.8. Microsoft Defender's Malware Protection Engine has a local-to-SYSTEM escalation (CVSS 7.8) with no fix shipped yet. OpenSSL silently ignores IVs in AES-OCB mode, breaking encryption guarantees.

Patch now: 2 · Within 24h: 0 · This week: 2 · Exploited: 0

Tags: WordPress, Salesforce Integration Plugin, Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms, Linux, Windows, Microsoft Defender, Microsoft Malware Protection Engine, OpenSSL

Five CVEs today, none exploited in the wild yet, but the top one deserves your attention right now. CVE-2026-49109 is a CVSS 9.8 PHP Object Injection bug in the Salesforce integration plugin for Contact Form 7 and friends: no auth required, and if the right gadget chain exists in your WordPress stack, it's full RCE. Also worth watching: a privilege escalation bug in Microsoft Defender's Malware Protection Engine that Microsoft has acknowledged but hasn't actually patched yet.


Today's CVEs

Sorted by urgency

02. CVE-2026-50656
MSRC · CVSS 7.8 · Track · HIGH
Microsoft Defender, Microsoft Malware Protection Engine, Windows

A local privilege escalation bug exists in the Microsoft Malware Protection Engine used by Microsoft Defender. An attacker who already has code running on a box could use this to escalate to SYSTEM. Microsoft has acknowledged the issue but hasn't shipped the fix yet, so keep an eye on Defender engine version updates.

Included because: local privilege escalation; CVSS 7.8; ubiquitous product; no patch available yet
Affected estate: All Windows systems running Microsoft Defender with the Microsoft Malware Protection Engine.
How to check: Run 'Get-MpComputerStatus | Select AMEngineVersion' in PowerShell to see your current engine version. Compare it against the fixed version once Microsoft publishes it.
Action: Confirm that Defender engine auto-updates are enabled. Once Microsoft ships the fix, verify that the updated engine version has been applied across your fleet.
Urgency: Monitor and patch
Why it matters: An attacker with local access could escalate to SYSTEM privileges, giving full control of the host.
Source: Microsoft advisory

03. CVE-2026-45445
MSRC · CVSS 7.5 · EPSS 0.33% · Patch this week · HIGH
OpenSSL, Azure Linux, Node.js, QEMU, EDK2, Cloud Hypervisor

OpenSSL has a bug where the initialization vector (IV) is ignored when using AES-OCB mode through the EVP_Cipher() code path. This means nonce reuse can happen silently, which breaks the confidentiality and authenticity guarantees of AES-OCB encryption. If your applications use AES-OCB via OpenSSL, encrypted data may not be as protected as you think.

Included because: cryptographic flaw; CVSS 7.5; widely used library; affects multiple downstream packages
Affected estate: Systems running OpenSSL 3.3.7-1 or earlier. On Azure Linux 3.0: openssl, nodejs 24.14.1-3, qemu 9.1.0-7, edk2 20240524git3e722403cd16-17, and cloud-hypervisor 51.1.56-1.
How to check: Run 'openssl version' to check the OpenSSL version. On Azure Linux, run 'tdnf list installed | grep -E "openssl|nodejs|qemu|edk2|cloud-hypervisor"' to check package versions.
Action: Update affected packages to the latest patched versions using your package manager (e.g., 'tdnf update openssl nodejs qemu edk2 cloud-hypervisor' on Azure Linux).
Urgency: Patch this week
Why it matters: Silent IV reuse in AES-OCB breaks both confidentiality and authentication of encrypted data, potentially exposing sensitive traffic or stored secrets.
Source: NVD

04. CVE-2016-20075
NVD · CVSS 8.8 · Patch now · HIGH
WordPress, Ultimate Product Catalog, Linux, Windows

WordPress Ultimate Product Catalog version 3.8.6 lets any authenticated user (even contributors) upload arbitrary files, including PHP shells, through the custom file field on the Products tab. An attacker with even the lowest authenticated role can drop a webshell into the upcp-product-file-uploads directory and execute code on your server. This is a 2016-era bug that was only recently assigned a CVE.

Included because: authenticated but low-privilege; arbitrary file upload; internet-facing; CVSS 8.8
Affected estate: WordPress sites with Ultimate Product Catalog plugin version 3.8.6 or earlier.
How to check: Check the plugin version in the WordPress admin under Plugins. Also inspect the wp-content/upcp-product-file-uploads directory for any .php files that shouldn't be there.
Action: Update to a patched version of Ultimate Product Catalog. If none exists, deactivate the plugin. Check the upcp-product-file-uploads directory for webshells and remove any suspicious files.
Urgency: Patch immediately
Why it matters: Any authenticated user, even a contributor, can upload a PHP shell and get full code execution on your web server.
Source: NVD

05. CVE-2026-52720
NVD · CVSS 8.8 · Patch this week · HIGH
GStreamer, librfb, Linux, Windows, macOS

GStreamer's librfb library (the RFB/VNC client component) has a heap buffer overflow because it checks rectangle area instead of checking width and height individually. A malicious VNC server can send an oversized rectangle that writes past the framebuffer boundary. An attacker who tricks a user into connecting to a rogue VNC server could get code execution or crash the application.

Included because: remote code execution; CVSS 8.8; requires user interaction (connecting to a malicious server); common multimedia framework
Affected estate: Systems with GStreamer installed that include the librfb (RFB/VNC client) plugin.
How to check: Run 'gst-inspect-1.0 rfbsrc' to confirm the librfb plugin is installed. Check your GStreamer version with 'gst-launch-1.0 --version' and compare it against the vendor's patched release.
Action: Update GStreamer and the librfb plugin to the latest fixed version via your system package manager.
Urgency: Patch this week
Why it matters: A rogue VNC server can trigger remote code execution on any client that connects using GStreamer's VNC support.
Source: NVD
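The validation mistake described above, as an added illustration that is not GStreamer's or librfb's code: a toy VNC-client framebuffer with an area-only rectangle check beside a per-dimension one, and a constructed rectangle (640x2 at y=479 on a 640x480 buffer) whose area is tiny but whose second row lies past the end of the allocation. The area-only check accepts it; the strict check rejects it. The types and function names (framebuffer_t, rfb_rect_t, rect_ok_area_only, rect_ok_strict, apply_rect, the demo functions) are this example's own; the 16-bit rectangle fields follow the RFB wire format in RFC 6143.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative VNC-client framebuffer, not GStreamer's librfb code. */
typedef struct {
    uint32_t width, height;   /* framebuffer size in pixels */
    uint32_t bpp;             /* bytes per pixel */
    uint8_t *pixels;          /* width * height * bpp bytes */
} framebuffer_t;

/* One rectangle from an RFB FramebufferUpdate; RFC 6143 uses 16-bit fields. */
typedef struct {
    uint16_t x, y, w, h;
} rfb_rect_t;

static size_t fb_bytes(const framebuffer_t *fb)
{
    return (size_t)fb->width * fb->height * fb->bpp;
}

/* Offset one past the last byte the rectangle would touch. */
static size_t rect_end_offset(const framebuffer_t *fb, const rfb_rect_t *r)
{
    size_t last_row = (size_t)r->y + r->h - 1;
    return (last_row * fb->width + r->x + r->w) * fb->bpp;
}

/* Weak check of the kind the advisory describes: compares areas only, so a
   rectangle that is too wide, too tall or placed near the edge still passes. */
int rect_ok_area_only(const framebuffer_t *fb, const rfb_rect_t *r)
{
    uint64_t rect_area = (uint64_t)r->w * r->h;
    uint64_t fb_area = (uint64_t)fb->width * fb->height;
    return rect_area <= fb_area;
}

/* Correct check: width, height and position each bounded individually,
   written as subtractions so the comparisons cannot wrap. */
int rect_ok_strict(const framebuffer_t *fb, const rfb_rect_t *r)
{
    if (r->w == 0 || r->h == 0) return 0;
    if (r->w > fb->width || r->h > fb->height) return 0;
    if (r->x > fb->width - r->w) return 0;    /* x + w <= width  */
    if (r->y > fb->height - r->h) return 0;   /* y + h <= height */
    return 1;
}

/* Validate, then copy src (w*h*bpp bytes, row-major) into the framebuffer.
   Returns 0 on success, -1 if the rectangle is rejected. */
int apply_rect(framebuffer_t *fb, const rfb_rect_t *r, const uint8_t *src)
{
    if (!rect_ok_strict(fb, r)) return -1;
    size_t row_bytes = (size_t)r->w * fb->bpp;
    for (uint32_t row = 0; row < r->h; row++) {
        uint8_t *dst = fb->pixels + (((size_t)r->y + row) * fb->width + r->x) * fb->bpp;
        memcpy(dst, src + (size_t)row * row_bytes, row_bytes);
    }
    return 0;
}

/* Constructed case: area 1280 px passes the area-only check, yet the second
   row (y = 480) is outside a 480-row buffer. Returns 1 when the area-only
   check accepts, the strict check rejects, and the write would end past the
   allocation. No write is performed. */
int demo_bad_rect_is_caught(void)
{
    framebuffer_t fb = { 640, 480, 4, NULL };
    rfb_rect_t bad = { 0, 479, 640, 2 };
    return rect_ok_area_only(&fb, &bad) == 1
        && rect_ok_strict(&fb, &bad) == 0
        && rect_end_offset(&fb, &bad) > fb_bytes(&fb);
}

/* Constructed case: an in-bounds 100x50 rectangle is accepted and applied. */
int demo_good_rect_applies(void)
{
    framebuffer_t fb = { 640, 480, 4, NULL };
    rfb_rect_t good = { 10, 10, 100, 50 };
    size_t src_len = (size_t)good.w * good.h * fb.bpp;
    fb.pixels = calloc(fb_bytes(&fb), 1);
    uint8_t *src = malloc(src_len);
    if (!fb.pixels || !src) { free(fb.pixels); free(src); return 0; }
    memset(src, 0xAB, src_len);
    int rc = apply_rect(&fb, &good, src);
    /* Pixel (10,10) is the first byte written; pixel (9,10) stays untouched. */
    int ok = rc == 0
        && fb.pixels[(10 * 640 + 10) * 4] == 0xAB
        && fb.pixels[(10 * 640 + 9) * 4] == 0x00;
    free(src);
    free(fb.pixels);
    return ok;
}

int main(void)
{
    printf("area-only check misses the bad rectangle: %s\n",
           demo_bad_rect_is_caught() ? "yes" : "no");
    printf("strict check applies the good rectangle: %s\n",
           demo_good_rect_applies() ? "yes" : "no");
    return 0;
}
```

The point for code review is the shape of the check, not the numbers: an area comparison is a single scalar derived from two dimensions and says nothing about position, so the only safe form bounds each of x + w and y + h against the buffer separately, written so the addition cannot wrap.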
