// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 12, 2023
Signal Brief · Archived

Week of June 12, 2023

2023-06-12 — 2023-06-18 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 12, 2023, ColdRecon logged 5 public endpoint-security events from open-source reporting — 4 vuln disclosures, 1 research poc. Vendors in the record this week: Zemana, Netskope, VIPRE.

The Week's Public Record

Events

2023-06-15
vuln disclosure
Zemana AntiMalware/AntiLogger Driver Vulnerabilities Allow Privilege Escalation and Arbitrary Disk AccessCVE-2023-36204, CVE-2023-36205
Researcher VoidSec disclosed two vulnerabilities in the Zemana AntiMalware and AntiLogger drivers (zamguard64.sys/zam64.sys). CVE-2023-36205 allows a non-privileged user to open a handle to any privileged process via IOCTL 0x8000204C, enabling code injection and privilege escalation to SYSTEM. CVE-2023-36204 grants unrestricted disk read/write through IOCTLs 0x80002014 and 0x80002018, allowing sensitive file disclosure or system compromise.
2023-06-15
vuln disclosure
Netskope Client Privilege Escalation Vulnerability CVE-2023-2270CVE-2023-2270
CVE-2023-2270 is a privilege escalation vulnerability in the Netskope client on Windows. The flaw allows a local attacker to write arbitrary files via path traversal, leading to code execution with NT\SYSTEM privileges. It affects Netskope Client versions prior to R100.
2023-06-14
vuln disclosure
VIPRE Antivirus Plus Path Traversal Local Privilege Escalation VulnerabilityCVE-2023-32176
A path traversal vulnerability in VIPRE Antivirus Plus allows local attackers to escalate privileges to SYSTEM. The flaw exists in the SetPrivateConfig method due to improper validation of user-supplied paths. VIPRE has released an update to address the issue.
2023-06-14
research poc
ScareCrow: Payload Creation Framework for EDR Bypass via Userland Hook RemovalScareCrow
ScareCrow is a payload creation framework that sideloads a DLL into a legitimate Windows process and removes EDR userland hooks from system DLLs in memory. It uses two unhooking methods (disk-based and KnownDLLs) and employs indirect syscalls to evade detection. The framework also generates fake code-signing certificates to blend in.
2023-06-13
vuln disclosure
VMware Tools Authentication Bypass Vulnerability (CVE-2023-20867)CVE-2023-20867
CVE-2023-20867 is an authentication bypass vulnerability in VMware Tools that allows a compromised ESXi host to force authentication failures in host-to-guest operations. This flaw impacts confidentiality and integrity of guest VMs, enabling attackers with hypervisor control to access guest systems without proper authentication. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation.
VMware · Debian · Fedora ↗ www.sentinelone.com (2023-06-13)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →