// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 27, 2024
Signal Brief · Archived

Week of May 27, 2024

2024-05-27 — 2024-06-02 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 27, 2024, ColdRecon logged 7 public endpoint-security events from open-source reporting — 4 research pocs, 3 vuln disclosures. Vendors in the record this week: Microsoft, Check Point, Avast.

The Week's Public Record

Events

2024-05-30
vuln disclosure
Check Point Quantum Security Gateway Zero-Day Path Traversal Vulnerability Exploited in the WildCVE-2024-24919
A zero-day path-traversal vulnerability in Check Point Quantum network security devices was actively exploited starting around April 30, 2024, allowing remote attackers to obtain sensitive credentials and gain network access. The flaw is described as 'extremely easy' to exploit and affects the very devices designed to protect corporate networks. Check Point has released patches and urged customers to apply them.
2024-05-29
research poc
Proof-of-Concept Tool 'No Defender' Disables Microsoft Defender via WSC API AbuseNo Defender
A GitHub project named 'No Defender' demonstrates a method to disable Microsoft Defender and firewall by abusing the undocumented Windows Security Center (WSC) API. The tool repurposes a signed Avast component to register a null antivirus product, causing Defender to deactivate. It requires administrative privileges and has implications for both legitimate security testing and potential malicious use.
Microsoft · Avast ↗ cybernoz.com (2024-05-29)
2024-05-29
research poc
SharpC2 .NET Drone Evades Microsoft Defender Using ConfuserEx2 ObfuscationSharpC2 Defender Bypass via ConfuserEx2
Security researchers at dotSec documented a practical method to bypass Microsoft Defender detection for the SharpC2 .NET drone executable. By applying rename-only obfuscation with ConfuserEx2 to the drone.dll and excluding reflection-dependent classes, they achieved a functional bypass of static signatures like BluntC2 and Wacatac ML. The technique highlights the importance of entropy management and minimal evasive features when testing endpoint detection.
2024-05-29
vuln disclosure
Ivanti Endpoint Manager Local Privilege Escalation via Buffer OverflowCVE-2024-22058
A buffer overflow vulnerability in Ivanti Endpoint Manager (EPM) up to version 2021.1 SU5 allows local privilege escalation. The flaw resides in the issuser.exe component, where a user-controlled size field in a network packet leads to an unbounded strncpy into a fixed-size buffer in the .data segment. Exploitation can overwrite a function pointer used by the C++ exception handler, enabling arbitrary code execution.
2024-05-27
research poc
Dsebler: Reimplementation of KExecDD DSE Bypass TechniqueDsebler
Dsebler is a reimplementation of the KExecDD technique to bypass Driver Signature Enforcement (DSE) on Windows by exploiting the KsecDD kernel module. It allows arbitrary kernel memory write via IOCTL 0x39006f, disabling DSE to load unsigned drivers. This demonstrates a method to undermine a key Windows security feature.
2024-05-27
research poc
Token Protection in Entra ID Conditional Access Bypassed Using Spoofed Device TypeToken Protection Bypass via Device Code Phishing with OS/2 Warp Agent
A security researcher demonstrated a bypass of Microsoft Entra ID's token protection conditional access policy by spoofing the device type during a device code phishing attack. The technique allows an attacker to obtain a valid bearer token and access cloud resources like email, despite token protection being enabled. The bypass highlights that token protection alone is insufficient against external token theft.
2024-05-27
vuln disclosure
Local Privilege Escalation in Zscaler Client Connector via RPC Cache CollisionCVE-2023-41973
A local privilege escalation vulnerability in Zscaler Client Connector allows a standard user to execute arbitrary commands as NT AUTHORITY\SYSTEM by bypassing RPC caller validation. The issue stems from a cache that stores allowed process IDs without pruning, enabling an attacker to brute-force a cached PID and make unauthorized RPC calls. This was chained with other bugs to achieve zero-interaction privilege escalation.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →