{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/local-exploitation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["expat"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","library","xml","denial-of-service","code-execution","local-exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe German Federal Office for Information Security (BSI) has released an advisory regarding multiple vulnerabilities discovered in the \u003ccode\u003eexpat\u003c/code\u003e XML parser library. These flaws can be exploited by a local attacker to achieve either a Denial of Service (DoS) condition, causing affected applications to crash or become unresponsive, or potentially lead to arbitrary code execution (RCE). \u003ccode\u003eexpat\u003c/code\u003e is a widely used open-source XML parser, meaning numerous applications could be indirectly affected. While no specific CVEs were listed in this advisory, the vulnerabilities pose a significant risk, as a compromised local account or application could leverage them to escalate privileges or disrupt critical services. 
Defenders should prioritize updating systems and applications that incorporate the \u003ccode\u003eexpat\u003c/code\u003e library to mitigate these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Foothold\u003c/strong\u003e: A local attacker gains initial access to a system, potentially through a low-privilege user account or by compromising another application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Application Identification\u003c/strong\u003e: The attacker identifies a local application that utilizes the \u003ccode\u003eexpat\u003c/code\u003e XML parsing library and is susceptible to the identified vulnerabilities, often through parsing configuration files, data imports, or other XML-based inputs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious XML Crafting\u003c/strong\u003e: The attacker crafts a specially malformed XML document designed to trigger the \u003ccode\u003eexpat\u003c/code\u003e vulnerabilities. For Denial of Service, this might involve excessive recursive entities or large attribute values, while for RCE, specific memory corruption techniques are used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eXML Delivery/Input\u003c/strong\u003e: The crafted malicious XML is provided as input to the vulnerable local application. 
This input could be delivered via a local file, a command-line argument, a named pipe, or an inter-process communication (IPC) channel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExpat Parsing Trigger\u003c/strong\u003e: The vulnerable local application processes the attacker-provided XML input, which then passes the malformed data to the \u003ccode\u003eexpat\u003c/code\u003e library for parsing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Activation\u003c/strong\u003e: The \u003ccode\u003eexpat\u003c/code\u003e library attempts to parse the malformed XML, leading to the activation of the underlying vulnerabilities (e.g., buffer overflow, memory exhaustion, infinite loop).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact Manifestation\u003c/strong\u003e: The system experiences either a Denial of Service, where the application crashes, hangs, or consumes excessive system resources, or arbitrary code execution (RCE), where the attacker's payload is executed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation (if RCE)\u003c/strong\u003e: If RCE is successful, the attacker performs further actions such as privilege escalation, creating new user accounts, establishing persistence mechanisms (e.g., scheduled tasks, registry run keys), or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these \u003ccode\u003eexpat\u003c/code\u003e vulnerabilities by a local attacker can result in significant disruption and potential compromise. A Denial of Service (DoS) attack would render critical applications or services unresponsive, leading to operational downtime and loss of productivity. If arbitrary code execution (RCE) is achieved, the local attacker could elevate privileges, gain full control over the affected system, steal sensitive data, deploy ransomware, or establish long-term persistence within the environment. 
The broad usage of \u003ccode\u003eexpat\u003c/code\u003e means that various critical system components and third-party applications could be affected, broadening the potential blast radius.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching or updating any software that bundles the \u003ccode\u003eexpat\u003c/code\u003e library, as identified in the \u003ccode\u003eaffected_products\u003c/code\u003e section of this brief, to the latest vendor-provided secure versions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious process creation or file activity indicative of successful exploitation.\u003c/li\u003e\n\u003cli\u003eImplement robust monitoring for application crashes or excessive resource consumption (CPU/memory) on systems running applications known to process XML, as these could be signs of a Denial of Service attempt via \u003ccode\u003eexpat\u003c/code\u003e vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T09:32:06Z","date_published":"2026-06-19T09:32:06Z","id":"https://feed.craftedsignal.io/briefs/2026-06-expat-multiple-vulnerabilities/","summary":"Multiple vulnerabilities have been discovered in the expat XML parser library that can be exploited by a local attacker, potentially leading to a Denial of Service condition or allowing for arbitrary code execution on the affected system.","title":"Multiple Vulnerabilities in expat XML Parser Library","url":"https://feed.craftedsignal.io/briefs/2026-06-expat-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Punto Switcher (through 
4.5.0.583)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","local-exploitation","windows","software-vulnerability","path-interception"],"_cs_type":"advisory","_cs_vendors":["Yandex"],"content_html":"\u003cp\u003eA high-severity local arbitrary code execution vulnerability, tracked as CVE-2026-25865, affects Yandex Punto Switcher versions up to and including 4.5.0.583. The flaw, recorded as an unquoted search path element, is that the application calls \u003ccode\u003eWinExec\u003c/code\u003e with the bare name \u003ccode\u003eRunDll32.exe\u003c/code\u003e (to run \u003ccode\u003eshell32.dll Control_RunDLL input.dll\u003c/code\u003e) instead of a fully qualified path. Windows then resolves the name through the documented CreateProcess search order: the directory Punto Switcher was loaded from, the current directory of the process, \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e, the Windows directory, and only after those the directories listed in \u003ccode\u003ePATH\u003c/code\u003e. A local attacker with minimal privileges who can write a file named \u003ccode\u003eRunDll32.exe\u003c/code\u003e into a location searched before \u003ccode\u003eSystem32\u003c/code\u003e, in practice the installation directory if it is user-writable or the working directory the process starts in, gets that binary executed in place of the legitimate one, with the privileges of the logged-in user running Punto Switcher. This vulnerability presents a significant risk for persistent access and, where a more privileged user runs the hijacked instance, privilege escalation on affected Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains local access to a system with an unpatched Punto Switcher installation (e.g., via social engineering, a prior low-privilege exploit, or physical access).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e The attacker identifies the Punto Switcher process's insecure call to \u003ccode\u003eWinExec(\u0026quot;RunDll32.exe shell32.dll Control_RunDLL input.dll\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Creation:\u003c/strong\u003e The attacker creates a malicious executable file and names it \u003ccode\u003eRunDll32.exe\u003c/code\u003e. This payload can perform actions such as establishing persistence, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Manipulation:\u003c/strong\u003e The attacker places the malicious \u003ccode\u003eRunDll32.exe\u003c/code\u003e in a directory that the CreateProcess search order consults \u003cem\u003ebefore\u003c/em\u003e \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e: the directory Punto Switcher was loaded from, if the attacker can write to it, or the current directory of the process. Directories in \u003ccode\u003ePATH\u003c/code\u003e are searched only after the system directories, so a user-writable \u003ccode\u003ePATH\u003c/code\u003e entry on its own does not win this lookup while the genuine binary is present in \u003ccode\u003eSystem32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution Trigger:\u003c/strong\u003e The attacker waits for Punto Switcher to start or forces its execution, which causes Punto Switcher to call \u003ccode\u003eWinExec\u003c/code\u003e for \u003ccode\u003eRunDll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHijacked Execution:\u003c/strong\u003e Because the call carries no path, CreateProcess resolves \u003ccode\u003eRunDll32.exe\u003c/code\u003e to the attacker's binary in the earlier-searched directory rather than the legitimate one in \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution:\u003c/strong\u003e The malicious \u003ccode\u003eRunDll32.exe\u003c/code\u003e runs as a child process of Punto Switcher with the privileges of the user running it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves local arbitrary code execution, enabling persistence, data exfiltration, or system modification, and privilege escalation if that user holds more rights than the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-25865 gives an attacker who already has local access the ability to run any code they choose in the security context of the user running Punto Switcher, compromising that user's data and everything the account can modify. It becomes privilege escalation when that user holds more rights than the attacker. The CVSS base score of 7.8 reflects high impact on confidentiality, integrity, and availability within the affected user's scope: data theft, installation of additional malware, or complete compromise of the user's context. 
There is no information available regarding specific victims or targeted sectors, but any Windows user running the vulnerable Punto Switcher software is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-25865 immediately\u003c/strong\u003e: Update Yandex Punto Switcher to a version beyond 4.5.0.583 as soon as a patch is available from the vendor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-25865 Exploitation - Malicious RunDll32.exe by Punto Switcher\u0026quot; to your SIEM\u003c/strong\u003e: Alert when a Punto Switcher process launches a \u003ccode\u003eRunDll32.exe\u003c/code\u003e whose image path is anything other than \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\SysWOW64\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule \u0026quot;Detects Unsigned RunDll32.exe Executing from Suspicious Paths\u0026quot; to your SIEM\u003c/strong\u003e: Alert on any \u003ccode\u003eRunDll32.exe\u003c/code\u003e executing from a non-system path as a general defense against path interception. Sysmon process-creation events do not record signature state, so confirm whether the binary is Microsoft-signed from the file on disk or by checking the \u003ccode\u003eHashes\u003c/code\u003e field against a known-good list.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Sysmon process-creation logging\u003c/strong\u003e: Ensure detailed logging for \u003ccode\u003eprocess_creation\u003c/code\u003e events, including the \u003ccode\u003eImage\u003c/code\u003e, \u003ccode\u003eCommandLine\u003c/code\u003e, \u003ccode\u003eParentImage\u003c/code\u003e, \u003ccode\u003eOriginalFileName\u003c/code\u003e, and \u003ccode\u003eHashes\u003c/code\u003e fields, so the rules above have data to match.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview the installation directory and PATH\u003c/strong\u003e: Confirm that the directory Punto Switcher is installed in is not writable by standard users, since that directory is searched first when \u003ccode\u003eWinExec\u003c/code\u003e receives a bare executable name, and regularly audit system and user \u003ccode\u003ePATH\u003c/code\u003e variables for non-standard, user-writable directories, which can hijack other software that relies on \u003ccode\u003ePATH\u003c/code\u003e even though it is searched only after system directories like 
\u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T20:24:29Z","date_published":"2026-06-18T20:24:29Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-25865-punto-switcher/","summary":"CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.","title":"CVE-2026-25865: Punto Switcher Unquoted Search Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-25865-punto-switcher/"}],"language":"en","title":"CraftedSignal Threat Feed - Local-Exploitation","version":"https://jsonfeed.org/version/1.1"}
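For the expat brief's attack chain (step 3, a document built from nested entity references), the following is an added example and not code from the BSI advisory or from the expat project. It feeds a constructed nested-entity document to Python's bundled expat binding (`xml.parsers.expat`) and aborts the parse as soon as the text delivered after entity expansion exceeds a budget the application chooses. expat 2.4.0 and later carry their own amplification limit (a factor of 100 by default), but that check only activates once roughly 8 MiB of combined input and expanded text has been produced, so a document of a few hundred bytes can still expand about a hundredfold before it fires; an application-level budget like this one closes that gap. The entity names `e0..eN`, the 10,000-character budget and the sample documents are constructed for the demonstration.

```python
"""Bound entity expansion when handing untrusted XML to expat.

Added example for the expat brief; not code from the BSI advisory or from the
expat project. Uses Python's bundled expat binding (xml.parsers.expat). The
nested-entity document, the entity names e0..eN and the character budget are
constructed for the demonstration.
"""
from xml.parsers.expat import ExpatError, ParserCreate


class ExpansionBudgetExceeded(Exception):
    """Raised from inside an expat handler to abort the parse early."""


def nested_entity_doc(depth: int, fanout: int = 10, leaf: str = "lol") -> bytes:
    """Constructed 'billion laughs' style input: entity e<i> references e<i-1>
    `fanout` times, so the expanded text is len(leaf) * fanout**depth characters
    while the document itself stays a few hundred bytes."""
    defs = [f'<!ENTITY e0 "{leaf}">']
    for i in range(1, depth + 1):
        body = f"&e{i - 1};" * fanout
        defs.append(f'<!ENTITY e{i} "{body}">')
    dtd = "\n".join(defs)
    doc = f'<?xml version="1.0"?>\n<!DOCTYPE r [\n{dtd}\n]>\n<r>&e{depth};</r>'
    return doc.encode()


def parse_with_budget(xml_bytes: bytes, max_expanded_chars: int) -> dict:
    """Parse with expat while counting the characters it delivers *after*
    entity expansion. The handler aborts as soon as the budget is exceeded, so a
    small file cannot make the application materialise megabytes of text.
    Outcomes: 'ok', 'rejected' (our budget hit), 'error' (expat's own
    rejection, e.g. its built-in amplification limit or malformed input)."""
    expanded = 0

    def on_character_data(data: str) -> None:
        nonlocal expanded
        expanded += len(data)
        if expanded > max_expanded_chars:
            raise ExpansionBudgetExceeded(expanded)

    parser = ParserCreate()
    parser.CharacterDataHandler = on_character_data
    result = {"input_bytes": len(xml_bytes)}
    try:
        parser.Parse(xml_bytes, True)
    except ExpansionBudgetExceeded:
        result["outcome"] = "rejected"
    except ExpatError as exc:
        result["outcome"] = "error"
        result["reason"] = str(exc)
    else:
        result["outcome"] = "ok"
    result["expanded_chars"] = expanded
    result["amplification"] = expanded / max(1, len(xml_bytes))
    return result


if __name__ == "__main__":
    for depth in (2, 4):
        print(depth, parse_with_budget(nested_entity_doc(depth), max_expanded_chars=10_000))
```

The depth-2 document expands to 300 characters and passes; the depth-4 document would expand to 30,000 characters from under 400 bytes of input and is cut off the moment the running total crosses the budget, long before the parser's own threshold would have been reached. An exception raised inside a pyexpat handler stops the parse and propagates out of `Parse`, which is what makes an early abort possible without any expat-specific API.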
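For the Punto Switcher brief (CVE-2026-25865), the following added example is not Yandex's code and not the feed's Sigma rules. It does two things: it models the documented WinExec/CreateProcess lookup order for a bare executable name over a constructed set of files, which shows why the attacker's `RunDll32.exe` has to sit in the application directory or the current directory rather than merely in `PATH`, and it applies the two process-creation detections the brief recommends to constructed Sysmon-style events. The install path, the parent image name `punto.exe`, the user names and every event field value are assumptions made for the demonstration.

```python
"""Search-order resolution and detection logic for CVE-2026-25865-style
RunDll32.exe interception.

Added example for the Punto Switcher brief; not Yandex code and not the feed's
Sigma rules. Part 1 models the documented WinExec/CreateProcess lookup order for
an unqualified executable name over a constructed file set. Part 2 applies the
two detections the brief recommends to constructed Sysmon-style process-creation
events. The install path, the parent image name punto.exe, user names and all
event field values are assumptions.
"""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
LEGIT_RUNDLL32_DIRS = (SYSTEM32, r"C:\Windows\SysWOW64")


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare in one canonical form."""
    return str(PureWindowsPath(path)).lower()


def resolve_unqualified_exe(name, app_dir, cwd, path_entries, present_files):
    """Return the directory Windows picks for a bare executable name passed to
    WinExec/CreateProcess. Documented order: the directory the calling
    application was loaded from, its current directory, System32, the Windows
    directory, then each PATH entry (the legacy 16-bit System directory is
    omitted). `present_files` is the set of full paths that exist."""
    existing = {_norm(f) for f in present_files}
    for directory in [app_dir, cwd, SYSTEM32, WINDIR, *path_entries]:
        if _norm(str(PureWindowsPath(directory) / name)) in existing:
            return directory
    return None


def classify_process_event(event: dict) -> list:
    """Apply the brief's two process-creation detections to one Sysmon event
    ID 1 record. Signature state is not present in event ID 1, so rule 2 uses
    the image path plus the OriginalFileName version-resource field as a
    weaker stand-in that must be confirmed against the file on disk."""
    image = _norm(event["Image"])
    parent = _norm(event["ParentImage"])
    alerts = []
    if PureWindowsPath(image).name != "rundll32.exe":
        return alerts
    if any(image.startswith(_norm(d) + "\\") for d in LEGIT_RUNDLL32_DIRS):
        return alerts  # the genuine binary lives only in the system directories
    # Rule 1: Punto Switcher (assumed image name punto.exe) spawning a
    # RunDll32.exe that is not the system copy.
    if PureWindowsPath(parent).name == "punto.exe":
        alerts.append(f"rule1 CVE-2026-25865: punto.exe launched {event['Image']}")
    # Rule 2: any RunDll32.exe outside System32/SysWOW64, annotated with whether
    # the file even claims to be Microsoft's via its version resource.
    claims = event.get("OriginalFileName", "").upper() == "RUNDLL32.EXE"
    alerts.append(f"rule2 rundll32 outside system dirs: {event['Image']} "
                  f"(OriginalFileName matches: {claims})")
    return alerts


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "RunDll32.exe shell32.dll Control_RunDLL input.dll",
     "ParentImage": r"C:\Program Files (x86)\Yandex\Punto Switcher\punto.exe",
     "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\PuntoSwitcher\RunDll32.exe",
     "CommandLine": "RunDll32.exe shell32.dll Control_RunDLL input.dll",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\PuntoSwitcher\punto.exe",
     "OriginalFileName": "payload.exe"},
    {"Image": r"C:\Tools\RunDll32.exe",
     "CommandLine": "RunDll32.exe evil.dll,Run",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "RUNDLL32.EXE"},
]


def run_detections(events):
    """Return (event index, alert text) pairs for every alert raised."""
    return [(i, a) for i, ev in enumerate(events) for a in classify_process_event(ev)]


if __name__ == "__main__":
    for idx, alert in run_detections(SAMPLE_EVENTS):
        print(idx, alert)
```

With the genuine `rundll32.exe` present in `System32`, a copy placed only in a user-writable `PATH` entry is never reached by the resolver; a copy in the application directory or the current directory is. On the constructed events, the first (system copy spawned by `punto.exe`) and last (SysWOW64 copy) raise nothing, the per-user install with a rogue `RunDll32.exe` raises both rules, and the `C:\Tools` copy raises only the generic rule. Because Sysmon event ID 1 carries no signature fields, treat the rule 2 annotation as a hint and verify the binary on disk (for example with `Get-AuthenticodeSignature`) or by comparing the `Hashes` field against a known-good list.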