Mortem

#6677 of 53,624 · Total CVSS 40.6 · Vulnerabilities: 5 (High: 4, Critical: 1)
PT-2025-14099 · CVSS 10 · 2025-03-13 · Crushftp · Crushftp · CVE-2025-31161
**Name of the Vulnerable Software and Affected Versions**
CrushFTP versions 10.0.0 through 10.8.3; CrushFTP versions 11.0.0 through 11.3.0

**Description**
An authentication bypass exists in the HTTP component of the FTP server within the AWS4-HMAC (S3-compatible) authorization method. The issue stems from a race condition: the server verifies user existence via the `login_user_pass()` function without requiring a password, which can authenticate a session before user verification is re-checked. The race can be further stabilized by sending a mangled AWS4-HMAC header containing only a username and a slash (/); this triggers an anypass authentication process but causes an index-out-of-bounds error when the server fails to find the `SignedHeaders` entry, preventing session cleanup. These flaws allow remote attackers to authenticate as any known or guessable user, such as `crushadmin`, leading to full system compromise and administrative access. The issue has been actively exploited since March 30, 2025, affecting sectors including retail, marketing, and semiconductors, with approximately 130,000 instances estimated to be exposed online. Observed attacks involved creating backdoor administrative accounts using the `setUserItem` function and deploying malware such as MeshCentral, AnyDesk, and Telegram-linked DLLs for persistence.

**Recommendations**
Update CrushFTP version 10 to 10.8.4. Update CrushFTP version 11 to 11.3.1. Use a DMZ proxy instance as a temporary buffer to mitigate the risk of authentication bypass.
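The description above hinges on an AWS4-HMAC Authorization header that is missing the fields a well-formed SigV4 request always carries (`SignedHeaders` and `Signature`, plus a five-part `Credential` scope). A defender reviewing web-server or proxy logs for a CrushFTP deployment can flag such headers. The following is an added detection example written for this entry; it is not CrushFTP code or part of the original advisory. The log-line format and the sample lines are constructed, and the field checks assume standard AWS Signature Version 4 layout (`Credential=access_key/YYYYMMDD/region/service/aws4_request`).

```python
"""Flag AWS4-HMAC-SHA256 Authorization headers that lack the fields a
well-formed SigV4 request must carry. Added defensive example; the log
format below is constructed, not a real CrushFTP or proxy log format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AWS4_PREFIX = "AWS4-HMAC-SHA256"
# A SigV4 Credential scope has exactly five slash-separated parts:
# access_key/YYYYMMDD/region/service/aws4_request
CREDENTIAL_RE = re.compile(r"^[^/\s]+/\d{8}/[^/\s]+/[^/\s]+/aws4_request$")
REQUIRED_FIELDS = ("Credential", "SignedHeaders", "Signature")
# Constructed log format: <timestamp> <client> <method> <path> Authorization="<value>"
AUTH_RE = re.compile(r'Authorization="([^"]*)"')


@dataclass
class Finding:
    line_no: int
    client: str
    reason: str
    header: str


def parse_aws4_header(value: str) -> Optional[Dict[str, str]]:
    """Split an AWS4-HMAC-SHA256 header into its key=value components.

    Returns None for any other authorization scheme (Basic, Bearer, ...),
    which is out of scope for this check."""
    if not value.startswith(AWS4_PREFIX):
        return None
    parts: Dict[str, str] = {}
    for item in value[len(AWS4_PREFIX):].split(","):
        item = item.strip()
        if "=" in item:
            key, val = item.split("=", 1)
            parts[key.strip()] = val.strip()
    return parts


def check_aws4_header(value: str) -> Optional[str]:
    """Return a reason string if the SigV4 header is malformed, else None."""
    parts = parse_aws4_header(value)
    if parts is None:
        return None
    missing = [f for f in REQUIRED_FIELDS if f not in parts]
    if missing:
        # Real S3 clients always send all three fields; a header with only
        # a Credential (e.g. "Credential=user/") is anomalous.
        return "missing " + ", ".join(missing)
    if not CREDENTIAL_RE.match(parts["Credential"]):
        return "malformed Credential scope"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Run check_aws4_header over every log line carrying an Authorization header."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = AUTH_RE.search(line)
        if not m:
            continue
        reason = check_aws4_header(m.group(1))
        if reason:
            client = line.split()[1] if len(line.split()) > 1 else "?"
            findings.append(Finding(n, client, reason, m.group(1)))
    return findings


# Constructed sample lines (not real traffic). Line 2 mirrors the mangled
# header the advisory describes: a username and a slash, nothing else.
SAMPLE_LOG = [
    '2025-04-01T10:00:00Z 198.51.100.10 PUT /bucket/obj Authorization="'
    'AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, '
    'SignedHeaders=host;x-amz-date, Signature=0123456789abcdef"',
    '2025-04-01T10:00:01Z 203.0.113.5 GET /WebInterface/ Authorization="'
    'AWS4-HMAC-SHA256 Credential=crushadmin/"',
    '2025-04-01T10:00:02Z 198.51.100.11 GET /bucket/ Authorization="Basic dXNlcjpwYXNz"',
    '2025-04-01T10:00:03Z 203.0.113.6 GET /bucket/ Authorization="'
    'AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, '
    'Signature=0123456789abcdef"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.client}: {f.reason} -> {f.header}")
```

Running the block prints one alert for the username-and-slash header (line 2) and one for the header that carries a full credential scope but no `SignedHeaders` (line 4); the well-formed SigV4 request and the Basic-auth request are left alone. The check is deliberately strict about structure rather than content, so it needs no knowledge of valid keys and works on the proxy or load balancer in front of the server as well as on the server itself.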
PT-2024-10100 · CVSS 7.0 · 2024-10-22 · Linux · Linux Kernel · CVE-2024-50066
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.58

**Description**
The issue is a race condition in the `move_page_tables()` function, specifically between `move_normal_pmd()` and `retract_page_tables()` in the THP code. It can lead to the creation of bogus PMD entries, potentially allowing user-to-kernel privilege escalation on certain architectures, such as x86. The vulnerability can be triggered by creating shmem/file THP mappings and racing `move_normal_pmd()` against `retract_page_tables()`. `move_page_tables()` looks at the type of the PMD entry and the specified address range to determine how to move the next chunk of page table entries. At that point the `mmap_lock` is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, `move_pgt_entry(NORMAL_PMD, ...)` is called, which first takes the rmap locks and then calls `move_normal_pmd()`. `move_normal_pmd()` takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is that the rmap locks, which protect against concurrent page table removal by `retract_page_tables()` in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it.

**Recommendations**
To resolve the issue, upgrade the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider restricting the use of shmem/file THP mappings to minimize the risk of exploitation. Avoid using `mremap()` with `move_page_tables()` until the issue is resolved.