PatchDayAlert
Daily Digest · 2 min read · 5 CVEs · Issue 38 · By PatchDayAlert

PeopleSoft takeover exploited in the wild, plus a 9.1 CMS forgery bug in OpenSSL

An unauthenticated PeopleSoft PeopleTools compromise (CVE-2026-35273) is already being exploited. Also: a CVSS 9.1 CMS AuthEnvelopedData forgery affecting OpenSSL, Node.js, and QEMU (CVE-2026-34182), a Zoom mobile privilege escalation, a public exploit for a Revo Uninstaller kernel driver, and a SQLite FTS5 heap overflow.

Patch now: 1 · Within 24h: 1 · This week: 3 · Exploited: 1
Oracle PeopleSoft · PeopleTools · Windows · Linux · Revo Uninstaller · SQLite · Azure Linux · OpenSSL · Node.js · QEMU · EDK2 · Cloud Hypervisor

Drop what you're doing if you run PeopleSoft. CVE-2026-35273 is an unauthenticated full takeover of PeopleTools, already exploited in the wild, and it needs zero user interaction. Behind that, a CVSS 9.1 OpenSSL CMS forgery bug and a handful of other fixes round out a busy Monday.


Today's CVEs

Sorted by urgency

02

CVE-2026-12193

NVD · CVSS 7.8 · EPSS 0.19% · Patch this week · HIGH
Revo Uninstaller · Windows

A heap-based buffer overflow in the RevoDetector.sys kernel driver (used by Revo Uninstaller 2.5.x and 2.6.x) lets a local attacker escalate privileges through a crafted IOCTL call. Exploit code is publicly available. The attacker needs local access first, so this is a privilege escalation path, not a remote entry point.

Included because
public exploit available; local privilege escalation; kernel driver vulnerability
Affected estate
Windows systems with VS Revo Uninstaller versions 2.5.x or 2.6.x installed, specifically the RevoDetector.sys driver.
How to check
Search your software inventory or run 'Get-WmiObject Win32_Product | Where-Object { $_.Name -like "*Revo*" }' to find installed versions. Confirm the driver version of RevoDetector.sys in System32\drivers.
Action
Upgrade to Revo Uninstaller 2.7.0 or remove the software if it's not needed.
Urgency
Patch this week
Why it matters
A public exploit exists for local privilege escalation through this kernel driver, giving attackers a quick path from user to SYSTEM.
Source
NVD

03

CVE-2026-11824

MSRC · CVSS 7.8 · EPSS 0.18% · Patch this week · HIGH
SQLite · Azure Linux · Linux

A heap buffer overflow in SQLite's FTS5 full-text search engine (in the fts5ChunkIterate function) can be triggered when processing crafted FTS5 queries. This could lead to code execution in any application that embeds SQLite and allows user-supplied FTS5 queries. The fix landed in SQLite 3.53.2.

Included because
common embedded library; heap overflow with potential code execution; widely deployed
Affected estate
Any system or application using SQLite before 3.53.2 with FTS5 enabled. Azure Linux 3.0 sqlite package 3.44.0-3 is confirmed affected.
How to check
Run 'sqlite3 --version' on your hosts. For Azure Linux, run 'tdnf list installed sqlite' to check the package version.
Action
Update to SQLite 3.53.2 or the latest patched Azure Linux package.
Urgency
Patch this week
Why it matters
SQLite is embedded everywhere. If your app accepts user-driven FTS5 queries, this heap overflow is reachable and could lead to code execution.
Source
NVD

04

CVE-2026-34182

MSRC · CVSS 9.1 · EPSS 0.22% · Patch within 24h · CRITICAL
OpenSSL · Node.js · QEMU · EDK2 · Azure Linux · Cloud Hypervisor

A flaw in CMS AuthEnvelopedData processing lets an attacker forge messages that appear valid. This affects OpenSSL, Node.js, QEMU, EDK2, and cloud-hypervisor on Azure Linux 3.0. With a CVSS of 9.1, a successful attack could break message authenticity and confidentiality for anything relying on CMS enveloped data.

Included because
CVSS 9.1; affects core crypto library (OpenSSL); multiple dependent packages; message forgery risk
Affected estate
Azure Linux 3.0 packages: openssl 3.3.5-5, nodejs 24.14.1-3, qemu 9.1.0-7, edk2 20240524git3e722403cd16-17, cloud-hypervisor 51.1.56-1. Also any system using an affected OpenSSL version with CMS support.
How to check
Run 'openssl version' and 'tdnf list installed openssl nodejs qemu edk2 cloud-hypervisor' on Azure Linux hosts. Check for the specific vulnerable package versions listed above.
Action
Run 'tdnf update openssl nodejs qemu edk2 cloud-hypervisor' on Azure Linux 3.0 hosts. For other distros, update OpenSSL to the patched release.
Urgency
Patch within 24 hours
Why it matters
Forged CMS messages can bypass authenticity checks, which undermines trust in signed or encrypted payloads across your infrastructure.
Source
NVD
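
The "How to check" steps for CVE-2026-11824 and CVE-2026-34182 can be scripted for a fleet. The sketch below is an added example, not part of the original digest or any vendor tooling: it flags the exact Azure Linux 3.0 builds listed above and compares an upstream SQLite version with 3.53.2. The function names, the sample input, the column layout of 'tdnf list installed' and the ".azl3" dist tag are assumptions.

```sh
#!/bin/sh
# Added example, not vendor tooling; every version is quoted from the digest.
# Azure Linux 3.0 builds listed as confirmed affected:
AFFECTED='sqlite 3.44.0-3 CVE-2026-11824
openssl 3.3.5-5 CVE-2026-34182
nodejs 24.14.1-3 CVE-2026-34182
qemu 9.1.0-7 CVE-2026-34182
edk2 20240524git3e722403cd16-17 CVE-2026-34182
cloud-hypervisor 51.1.56-1 CVE-2026-34182'

# Constructed sample input (not from a real host); the nodejs release is made up.
SAMPLE='openssl.x86_64  3.3.5-5.azl3   @System
nodejs.x86_64   24.14.1-99.azl3 @System'

# Reads "name[.arch] version-release [repo]" lines on stdin (assumed layout
# of 'tdnf list installed') and prints each confirmed-affected match.
flag_affected() {
    while read -r name evr rest; do
        case $name in *.x86_64|*.aarch64|*.noarch) name=${name%.*} ;; esac
        base=$evr
        # Assumption: the release may end in a dist tag such as ".azl3".
        case $evr in *.azl[0-9]*) base=${evr%.azl*} ;; esac
        printf '%s\n' "$AFFECTED" | while read -r a_name a_evr cve; do
            if [ "$name" = "$a_name" ] && [ "$base" = "$a_evr" ]; then
                printf '%s %s %s\n' "$name" "$evr" "$cve"
            fi
        done
    done
}

# Exit 0 when dotted version $1 is numerically lower than $2.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++)
            if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 < y[i] + 0 ? 0 : 1)
        exit 1
    }'
}

# $1: output of 'sqlite3 --version'; first field is the upstream version.
sqlite_upstream_status() {
    ver=${1%% *}
    case $ver in
        [0-9]*.[0-9]*) if ver_lt "$ver" 3.53.2; then echo vulnerable; else echo fixed; fi ;;
        *) echo unknown ;;
    esac
}
printf '%s\n' "$SAMPLE" | flag_affected   # openssl 3.3.5-5.azl3 CVE-2026-34182
```

A build that is not flagged is only absent from the digest's confirmed-affected list, which is not proof of a fix. The upstream comparison applies to upstream SQLite builds; for the Azure Linux package, go by the package release rather than the upstream number.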

05

CVE-2026-53408

NVD · CVSS 8.1 · EPSS 0.21% · Patch this week · HIGH
Zoom Workplace · Android · iOS

Zoom Workplace on Android (before 7.0.4) and iOS (before 7.0.3) has an authorization bug in its custom URL scheme handler. An unauthenticated attacker on the network can trick a user into opening a crafted link, which escalates privileges within the Zoom app. This requires some user interaction (tapping a link), but no credentials are needed on the attacker's side.

Included because
unauthenticated; network-accessible; CVSS 8.1; privilege escalation on mobile; widely deployed app
Affected estate
Zoom Workplace app on Android devices before version 7.0.4 and iOS devices before version 7.0.3.
How to check
Query your MDM for Zoom Workplace app versions across managed devices, or check app version in Zoom > Settings > About on individual devices.
Action
Push Zoom Workplace 7.0.4 (Android) and 7.0.3 (iOS) or later through your MDM or app update policy.
Urgency
Patch this week
Why it matters
An attacker on the same network can use a crafted URL to escalate privileges on a user's device through the Zoom app, no login required.
Source
Zoom Security Bulletin
