Patch [FIX] Tuesday – March 2025: [Expert Analysis of Chromium, MMC, and VHD Vulnerabilities], E17
Ryan Braunstein:
Happy Patch Tuesday, everybody. We've done it again. We're here. We've survived. It's Patch Forward. If any of you are in the Daylight Savings Time era of your year here, I like to celebrate privately.
We've got some juicy CVEs this month, and we're really excited to sit down and talk about them personally. I'm here joined, as usual, by Henry and Seth, who are very much regulars on our podcast. I'll just jump right into it. We've got a bunch of Chromium-based vulnerabilities around Edge and Chromium in general. So definitely make sure you're getting your browsers updated this week. Organizations that leverage patching software and update servers will probably have an easier time jumping on these ones—these eight, in fact. But for those who don't, I would say if you can't get patching software or a Windows Update server, have a browser standard that you can easily patch or update on individual devices.
Some of the bigger ones in this batch have use-after-free vulnerabilities in profiles. That right there just lets attackers escape the sandbox of the browser in general and exploit those vulnerabilities to exfiltrate data, among other things. Honestly, since identity is so key in this day and age, I'm always more worried about the spoofing vulnerabilities because they easily trick users to bypass technical defenses like your EDRs. It just looks like normal behavior, and they've got the identity of that user who accidentally clicked some UI element in the browser. Those ones always stick out to me when it comes to a browser vulnerability. Henry, Seth—anything on that one? It's pretty, pretty standard.
Henry Smith:
I'm curious, Ryan, what's your opinion on storing passwords in the browser?
Ryan Braunstein:
I hate it. I absolutely hate it. At this point, I don't understand why people don't invest more in a password manager. And not just any password manager—do the research, understand the infrastructure that carries those keys across between each manager. If you're using a cloud-based one or an on-prem solution, definitely make sure you have good controls in place. I don't like browser password storage because it's so easy to just dump them. If somebody gets admin control over the computer itself, or escapes the sandbox situation, it freaks me out. I haven't used browser password storage in probably like a decade at this point. So, yeah, it might be a hot take, but I think it's the right take.
Henry Smith:
Good call out. Typical manager over here.
Ryan Braunstein:
Yeah, yeah, I agree. And speaking of manager, Seth, you've got a management console one.
Seth Hoyt:
Yeah, this one is pretty interesting as it has been exploited in the wild. This is CVE-2025-26633, a Microsoft Management Console (MMC) Remote Code Execution Vulnerability. The summary for this one is improper neutralization of Microsoft Management Console. MMC allows an unauthorized attacker to execute code over a network. Sounds juicy.
So what is MMC? It's a Windows tool that lets users manage and monitor their computers, hardware, software, and network. This is baked into pretty much all versions of Windows 10, 11, and all the various server versions—so it is everywhere.
Ryan Braunstein:
Scary.
Seth Hoyt:
With MMC, you can create and save administrative tools called consoles, and it accesses other tools like Device Manager, Performance Monitor, and Event Viewer. For the attack, an attacker would need to convince a user to open a file—bringing us back into phishing territory—where they have attachments or links to fake websites hosting a malicious MMC file (I believe it uses the .msc extension). You can also see USB drops for some of the bigger targets in the enterprise.
With that file, the attacker would need to create a malicious .msc file for someone to open, which then exploits the vulnerability in MMC, triggering remote code execution (RCE). Once the file is open, the attacker can gain control over the system in a few different ways, such as executing a PowerShell script to install malware, creating a reverse shell, potentially deploying ransomware, or injecting a backdoor for persistent access. If the victim is a standard user, the attacker could attempt privilege escalation to gain admin access. And if the victim is already an admin, you're in trouble because they could control all group policy settings, disable security tools, and move laterally across the network.
This vulnerability can lead to data exfiltration, system disruption from rebooting servers, persistence via rootkits, ransomware deployment, and even compliance violations with potential fines in case of a data breach. It's dangerous because it exploits human weakness—it only requires one user to download this file. In a blast phishing campaign across the company, you're likely to have someone click on it if security training isn't up to par. Depending on how the file is crafted, it could bypass traditional security, especially if heuristics don't pick it up as a zero-day.
For mitigation, keep security patches updated, limit MMC usage if you're an admin, and avoid having local admin accounts on systems. Keep your endpoint protection up to date, and continue with awareness training to ensure people aren’t clicking on suspicious files. That's about it for this one—it could be deadly.
Ryan Braunstein:
Yeah, I agree. That’s the kind of thing where culture is such a big part of staying on top of vulnerabilities. Having an open-door policy with your security team, getting your users to engage and report oddities, rather than just dismissing a suspicious email, is key. We do that really well here, and I'm always grateful that our end users send us alerts if something seems off. Combined with proper training, it really helps keep everything locked down.
Henry Smith:
Yeah, the MMC, yes. The MMC one in particular—I can totally see someone posing as IT to trick another sysadmin into executing that MMC, leading to remote code execution. That could be nasty.
Ryan Braunstein:
Yeah, exactly.
Seth Hoyt:
Yes.
Ryan Braunstein:
You get that perfect person. I think of incidents like the MGM Grand ransomware attack, where an admin user was tricked into granting access using a similar vector, leading to equal devastation.
So, Henry, you want to bring us home with yours?
Henry Smith:
Oh gosh, so it seems the theme this month is file system vulnerabilities. In particular, don't trust VHD files from untrustworthy locations. That's probably the theme of this one. I've got about one, two, three, four, five vulnerabilities this month, all triggered by mounting a crafted VHD. One in particular, CVE-2025-24993, is a Windows NTFS remote code execution vulnerability. It's a heap-based buffer overflow in Windows NTFS that allows someone to execute code locally. With this one, an attacker could trick a local user on a vulnerable system into mounting a specially crafted VHD that triggers the vulnerability, and this one is actively being exploited. So my advice is to patch, but also, as I said earlier, don't trust VHDs from untrustworthy locations.
Thinking back to my time working in IT, there have been several occasions when I downloaded a VHD—usually with certain pre-built applications—and mounted them without a second thought. Especially early in my career, I never imagined that could be used as an attack vector. Ryan, didn't you mention you've seen something like this before?
Ryan Braunstein:
Yeah, I did. A few years back when Windows 10 was just coming out—I won't say which one—someone on the IT team had a great VHD file that we could push out to workstations at a law firm. They mounted it, and suddenly all the computers were maxing out their CPU the first night after re-imaging. I was up at midnight wondering what was happening, thinking there might be a crypto miner on the host system. It turned out to be this de-bloated VHD that was pushed out with a coin miner embedded in it. The IT team spent three straight days cleaning that mess up. Not a great time, and definitely not something we promote—only patching here.
Seth Hoyt:
Gotta respect the side hustle.
Henry Smith:
Yes. Beyond that one, there are a few more CVEs triggered by mounting a specially crafted VHD. So if you're doing anything this month, be very careful about where you're downloading VHDs.
Ryan Braunstein:
Yeah, maybe build your own golden images or invest in secure base images—even though those can get pretty costly quickly. Better off building your own.
Seth Hoyt:
Yeah.
Ryan Braunstein:
Well, cool. I think that about does it for us this month. I only said this week, but no matter—Seth, Henry, thank you as always for being here, and thank you to everyone who listens. We will see you next month.
Henry Smith:
Thank you.
Seth Hoyt:
Thank you. See ya!
Henry Smith:
See ya!