Windows

vulnerabilities 2026-05-21
Two More Defender Zero-Days in the Wild: CVE-2026-41091 Link-Resolution Bug Lands SYSTEM, Added to CISA KEV
Microsoft confirms two Defender flaws — an LPE to SYSTEM and a DoS — are publicly disclosed and exploited in the wild. A third RCE ships in the same engine update. CISA gives federal agencies until June 3.
windows microsoft-defender privilege-escalation zero-day cisa-kev malware-protection-engine
vulnerabilities 2026-05-18
MiniPlasma: Public PoC Hands SYSTEM on Fully Patched Windows 11 via cldflt.sys
Chaotic Eclipse published a working PoC for MiniPlasma, a Cloud Filter driver LPE that abuses CfAbortHydration to forge .DEFAULT-hive registry keys — the same bug Microsoft was told about in 2020 and claimed to have fixed.
windows zero-day privilege-escalation lpe cldflt cve-2020-17103 poc
Vulnerabilities 2026-05-17
YellowKey and GreenPlasma: Same Researcher Drops Two More Windows Zero-Days, BitLocker Bypass via WinRE USB
The anonymous researcher behind BlueHammer is back with YellowKey, a BitLocker bypass that drops a CMD shell on protected drives via crafted FsTx files in WinRE, plus GreenPlasma, a CTFMON privilege escalation. No CVE, no patch.
windows bitlocker zero-day winre privilege-escalation ctfmon endpoint-security
2026-05-17
NTLM Coercion's Quiet Resurgence: Why 2026's Zero-Click Attacks Look Like 2021
Two unrelated bugs in the last month — an incomplete APT28 patch and an unpatched RPC defect — both hand attackers a 1990s-era credential primitive. The fact that NTLM coercion still works in 2026 is not a series of accidents. It is the model.
ntlm coercion windows active-directory relay kerberos rpc trend-analysis opinion
vulnerability 2026-05-14
Every Windows Endpoint is a Target: CVE-2026-41096 Heap Overflow in DNS Client Enables Remote Code Execution
CVE-2026-41096 is a CVSS 9.8 heap overflow in the Windows DNS Client. A single malicious DNS response can yield code execution on any Windows host — no auth, no user click, no document opened. The blast radius is every Windows endpoint that resolves a name.
windows dns rce patch-tuesday heap-overflow mitm endpoint-security cvss-9.8
vulnerabilities 2026-05-13
Windows Netlogon CVE-2026-41089: Unauthenticated RCE on Every Domain Controller
May Patch Tuesday's marquee bug is a stack-based buffer overflow in MS-NRPC that hands SYSTEM on any domain controller reachable over the network. Patch DCs first, before anything else.
CVE-2026-41089 windows netlogon active-directory domain-controller patch-tuesday rce
supply-chain 2026-05-07
DAEMON Tools Supply Chain Compromise: Signed Installers Backdoored Since April 8, Chinese Actor Suspected
Trojanized DAEMON Tools Lite installers signed with the legitimate vendor certificate distributed a multi-protocol backdoor for nearly a month. Kaspersky telemetry shows infection attempts in 100+ countries, with a second-stage implant on government and scientific targets in Russia, Belarus, and Thailand.
supply-chain backdoor windows code-signing china kaspersky
malware 2026-05-03
DEEP#DOOR: Python Backdoor Hides C2 Behind bore.pub Tunneling Service to Steal Cloud and Browser Credentials
Securonix details DEEP#DOOR, a Python backdoor that uses the public bore.pub TCP tunneling service for C2, disables Defender/SmartScreen via batch loader, and harvests browser-stored cloud credentials from compromised hosts.
backdoor credential-theft tunneling python windows cloud-security tradecraft
vulnerabilities 2026-05-01
Windows Shell CVE-2026-32202: Incomplete APT28 Patch Reopens Zero-Click NTLM Coercion
Microsoft confirms in-the-wild exploitation of CVE-2026-32202, a zero-click Windows Shell flaw born from an incomplete patch of an APT28 zero-day. Browsing a folder with a malicious LNK leaks Net-NTLMv2 hashes.
windows cve-2026-32202 apt28 ntlm zero-click lnk akamai cisa-kev incomplete-patch
vulnerability 2026-04-26
PhantomRPC: Five Endpoint-Spoofing Paths to SYSTEM on Every Windows Build, No Patch Coming
Kaspersky disclosed PhantomRPC at Black Hat Asia 2026 — an architectural flaw in rpcrt4.dll that lets a low-priv process register a rogue RPC endpoint and hijack SYSTEM-level callers. Microsoft declined to patch.
windows rpc privilege-escalation kaspersky black-hat no-patch endpoint-mapper epm lpe
vulnerabilities 2026-04-18
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.
windows zero-day privilege-escalation windows-defender redsun undefend bluehammer huntress
vulnerabilities 2026-04-14
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
microsoft patch-tuesday zero-day sharepoint windows CVE-2026-32201 CVE-2026-33825 CVE-2026-33824
Supply Chain 2026-04-12
CPUID Website Compromised to Deliver STX RAT via CPU-Z and HWMonitor Downloads
Attackers compromised CPUID's download infrastructure for ~19 hours, replacing CPU-Z and HWMonitor installers with trojanized builds that sideload STX RAT via a malicious CRYPTBASE.dll.
supply-chain rat dll-sideloading watering-hole windows malware
Vulnerabilities 2026-04-08
BlueHammer: Unpatched Windows Defender Zero-Day Turns Definition Updates Into SYSTEM Shells
A disgruntled researcher leaked BlueHammer, a Windows Defender LPE zero-day that chains TOCTOU race conditions with Cloud Files oplocks to dump SAM hives and escalate to SYSTEM. No patch available.
windows zero-day privilege-escalation windows-defender TOCTOU