https://feed.craftedsignal.io/tags/local-exploitation/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 19 Jun 2026 09:32:06 +0000https://feed.craftedsignal.io/briefs/2026-06-expat-multiple-vulnerabilities/Fri, 19 Jun 2026 09:32:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-expat-multiple-vulnerabilities/Multiple vulnerabilities have been discovered in the expat XML parser library that can be exploited by a local attacker, potentially leading to a Denial of Service condition or allowing for arbitrary code execution on the affected system.The German Federal Office for Information Security (BSI) has released an advisory regarding multiple vulnerabilities discovered in the expat XML parser library. These flaws can be exploited by a local attacker to achieve either a Denial of Service (DoS) condition, causing affected applications to crash or become unresponsive, or potentially lead to arbitrary code execution (RCE). expat is a widely used open-source XML parser, meaning numerous applications could be indirectly affected. While no specific CVEs were listed in this advisory, the vulnerabilities pose a significant risk, as a compromised local account or application could leverage them to escalate privileges or disrupt critical services. Defenders should prioritize updating systems and applications that incorporate the expat library to mitigate these risks.

Attack Chain

1. Initial Foothold: A local attacker gains initial access to a system, potentially through a low-privilege user account or by compromising another application.
2. Vulnerable Application Identification: The attacker identifies a local application that utilizes the expat XML parsing library and is susceptible to the identified vulnerabilities, often through parsing configuration files, data imports, or other XML-based inputs.
3. Malicious XML Crafting: The attacker crafts a specially malformed XML document designed to trigger the expat vulnerabilities. For Denial of Service, this might involve excessive recursive entities or large attribute values, while for RCE, specific memory corruption techniques are used.
4. XML Delivery/Input: The crafted malicious XML is provided as input to the vulnerable local application. This input could be delivered via a local file, a command-line argument, a named pipe, or an inter-process communication (IPC) channel.
5. Expat Parsing Trigger: The vulnerable local application processes the attacker-provided XML input, which then passes the malformed data to the expat library for parsing.
6. Vulnerability Activation: The expat library attempts to parse the malformed XML, leading to the activation of the underlying vulnerabilities (e.g., buffer overflow, memory exhaustion, infinite loop).
7. Impact Manifestation: The system experiences either a Denial of Service, where the application crashes, hangs, or consumes excessive system resources, or arbitrary code execution (RCE), where the attacker's payload is executed.
8. Post-Exploitation (if RCE): If RCE is successful, the attacker performs further actions such as privilege escalation, creating new user accounts, establishing persistence mechanisms (e.g., scheduled tasks, registry run keys), or deploying additional malware.

Impact

Successful exploitation of these expat vulnerabilities by a local attacker can result in significant disruption and potential compromise. A Denial of Service (DoS) attack would render critical applications or services unresponsive, leading to operational downtime and loss of productivity. If arbitrary code execution (RCE) is achieved, the local attacker could elevate privileges, gain full control over the affected system, steal sensitive data, deploy ransomware, or establish long-term persistence within the environment. The broad usage of expat means that various critical system components and third-party applications could be affected, broadening the potential blast radius.

Recommendation

• Prioritize patching or updating any software that bundles the expat library, as identified in the affected_products section of this brief, to the latest vendor-provided secure versions.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious process creation or file activity indicative of successful exploitation.
• Implement robust monitoring for application crashes or excessive resource consumption (CPU/memory) on systems running applications known to process XML, as these could be signs of a Denial of Service attempt via expat vulnerabilities.

]]>mediumadvisoryvulnerabilitylibraryxmldenial-of-servicecode-executionlocal-exploitationhttps://feed.craftedsignal.io/briefs/2026-06-cve-2026-25865-punto-switcher/Thu, 18 Jun 2026 20:24:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-cve-2026-25865-punto-switcher/CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.A critical local arbitrary code execution vulnerability, identified as CVE-2026-25865, affects Yandex Punto Switcher versions up to and including 4.5.0.583. This flaw stems from an unquoted search path element vulnerability where the application makes an insecure call to WinExec for RunDll32.exe without specifying a fully qualified path when invoking shell32.dll Control_RunDLL input.dll. This allows a local attacker, with minimal privileges, to craft and place a malicious executable named RunDll32.exe in a directory that is prioritized in the system's PATH environment variable. When Punto Switcher attempts to launch the legitimate RunDll32.exe, it instead executes the attacker-controlled binary, leading to arbitrary code execution in the context of the currently logged-in user. This vulnerability presents a significant risk for privilege escalation and persistent access on affected Windows systems.

Attack Chain

1. Initial Access: An attacker gains local access to a system with an unpatched Punto Switcher installation (e.g., via social engineering, a prior low-privilege exploit, or physical access).
2. Vulnerability Discovery: The attacker identifies the Punto Switcher process's insecure call to WinExec("RunDll32.exe shell32.dll Control_RunDLL input.dll").
3. Payload Creation: The attacker creates a malicious executable file and names it RunDll32.exe. This payload can perform actions such as establishing persistence, escalating privileges, or exfiltrating data.
4. Path Manipulation: The attacker places their malicious RunDll32.exe in a directory (e.g., a user-writable folder) that is listed before C:\Windows\System32 in the system's environment PATH variable.
5. Execution Trigger: The attacker waits for Punto Switcher to start or forces its execution, which causes Punto Switcher to attempt to call RunDll32.exe.
6. Hijacked Execution: Due to the unquoted search path vulnerability, the operating system's loader resolves RunDll32.exe to the attacker's malicious binary located earlier in the PATH, rather than the legitimate one in C:\Windows\System32.
7. Arbitrary Code Execution: The malicious RunDll32.exe is executed by Punto Switcher, allowing the attacker to run arbitrary code with the privileges of the affected user.
8. Impact: The attacker achieves local arbitrary code execution, enabling further actions like privilege escalation, data exfiltration, or system modification.

Impact

The successful exploitation of CVE-2026-25865 leads to local arbitrary code execution. This means an attacker, already having local access, can elevate their privileges or execute any code they choose on the affected system, potentially compromising the user's data and system integrity. Given the high CVSS base score of 7.8, the impact on confidentiality, integrity, and availability is considered high for the affected user's scope. This could lead to data theft, installation of additional malware, or complete system compromise within the user's context. There is no information available regarding specific victims or targeted sectors, but any Windows user running the vulnerable Punto Switcher software is at risk.

Recommendation

• Patch CVE-2026-25865 immediately: Update Yandex Punto Switcher to a version beyond 4.5.0.583 as soon as a patch is available from the vendor.
• Deploy the Sigma rule "Detects CVE-2026-25865 Exploitation - Malicious RunDll32.exe by Punto Switcher" to your SIEM: Monitor for Punto Switcher processes launching RunDll32.exe from non-standard system paths.
• Deploy the Sigma rule "Detects Unsigned RunDll32.exe Executing from Suspicious Paths" to your SIEM: Monitor for RunDll32.exe executing from non-standard paths, especially if the binary is unsigned, as a general defense against path interception.
• Enable Sysmon process-creation logging: Ensure detailed logging for process_creation events, including Image, CommandLine, ParentImage, and Hashes fields, to activate the rules above.
• Review system PATH environment variables: Regularly audit system and user PATH variables for inclusion of non-standard, user-writable directories before system directories like C:\Windows\System32.

]]>highadvisoryprivilege-escalationlocal-exploitationwindowssoftware-vulnerabilitypath-interception