Tag Archives: Microsoft

About Elevation of Privilege - Microsoft Defender "RedSun" (CVE-2026-41091) vulnerability


About Elevation of Privilege - Microsoft Defender "RedSun" (CVE-2026-41091) vulnerability. Microsoft Defender is a built-in security solution developed by Microsoft to protect the Windows operating system and user data from viruses, malware, and other cyber threats in real time. An improper link resolution vulnerability prior to file access ("link following", CWE-59) in Microsoft Defender, specifically within the Malware Protection Engine component, allows an authenticated local attacker to escalate privileges to SYSTEM level. As a result, an attacker could gain full control over the affected system, including unrestricted access to data, the ability to modify system settings, install software, manage user accounts, and disable security protections.

🛠 An exploit for the vulnerability was published on GitHub by security researcher Nightmare Eclipse on April 15, alongside exploits targeting other Windows component vulnerabilities. The account was later removed by GitHub administrators; however, this did not prevent the exploit code from spreading further.

⚙️ The security advisory and patches were released on May 19 outside Microsoft's regular Patch Tuesday schedule. Versions of Microsoft Malware Protection Engine from 1.1.26030.3008 through 1.1.26040.8 are affected. Systems with Microsoft Defender disabled are not vulnerable. By default, Microsoft Defender automatically updates Windows security components, antivirus definitions, and Microsoft Malware Protection Engine, so no additional user action is typically required. Malware Protection Engine is updated monthly or as new threats emerge, while antivirus definitions are updated several times per day. Update checks may run automatically anywhere from once to several times daily when an Internet connection is available. Manual update checks are also supported.

👾 According to Microsoft, the vulnerability is being exploited in the wild. The vulnerability was added to the CISA KEV catalog on May 20.

💡 Special attention should be paid to server and desktop Windows hosts where Microsoft Defender is not disabled, but Internet access is unavailable for regular updates.
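As an added example (not from the post or from Microsoft), a triage helper for the affected engine range and the stale-update case described above. It assumes an inventory export with fields named after Get-MpComputerStatus properties (AMEngineVersion, AMServiceEnabled, AntivirusSignatureLastUpdated); the sample records and the 7-day staleness threshold are constructed.

```python
# Added example (not from the post or Microsoft): flag hosts whose Malware
# Protection Engine build falls in the affected range quoted in the post, and
# hosts that look unable to receive the fix because updates have gone stale.
# Input records are constructed here; field names mirror Get-MpComputerStatus
# output (AMEngineVersion, AMServiceEnabled, AntivirusSignatureLastUpdated).
from datetime import datetime, timedelta

AFFECTED_FIRST = "1.1.26030.3008"   # first affected engine build (from the advisory)
AFFECTED_LAST = "1.1.26040.8"       # last affected engine build (from the advisory)
STALE_AFTER = timedelta(days=7)     # constructed threshold: signatures older than this
                                    # suggest the host is not reaching update servers

def parse_version(text):
    """Turn '1.1.26040.8' into an integer tuple so builds compare numerically,
    not lexically ('1.1.26040.8' < '1.1.26040.10' must hold)."""
    return tuple(int(part) for part in text.strip().split("."))

def engine_affected(version):
    """Inclusive range check against the affected engine builds."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)

def assess_host(record, now):
    """Return a short status for one inventory record.
    Hosts with the AM service disabled are not vulnerable per the advisory."""
    if not record["AMServiceEnabled"]:
        return "not-vulnerable (Defender disabled)"
    if not engine_affected(record["AMEngineVersion"]):
        return "patched-or-unaffected"
    stale = now - record["AntivirusSignatureLastUpdated"] > STALE_AFTER
    return "vulnerable, updates stale" if stale else "vulnerable, updates current"

def triage(records, now):
    """Map hostname -> status, so stale vulnerable hosts can be pulled out
    for manual engine updates (the case the post draws attention to)."""
    return {r["Host"]: assess_host(r, now) for r in records}

# Constructed sample inventory; dates are relative to a fixed 'now'.
NOW = datetime(2026, 5, 21)
SAMPLE = [
    {"Host": "dc01", "AMServiceEnabled": True, "AMEngineVersion": "1.1.26040.8",
     "AntivirusSignatureLastUpdated": NOW - timedelta(days=20)},
    {"Host": "ws02", "AMServiceEnabled": True, "AMEngineVersion": "1.1.26050.1",
     "AntivirusSignatureLastUpdated": NOW - timedelta(hours=3)},
    {"Host": "srv03", "AMServiceEnabled": False, "AMEngineVersion": "1.1.26030.3008",
     "AntivirusSignatureLastUpdated": NOW - timedelta(days=90)},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE, NOW).items():
        print(f"{host}: {status}")
```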

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader


May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. While the previous April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges.

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms.

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft solution widely used in enterprise systems for collaboration, document management, and internal portal development.

🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks.

🟥 The full list of trending vulnerabilities is available on the portal

May Microsoft Patch Tuesday


May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:

🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."

Among the remaining ones, the following stand out:

🔹 RCE - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: "This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."

🔹 RCE - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: "No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."

🔹 RCE - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: "This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."

🔹 RCE - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane is an attack vector for each of these vulnerabilities.

🔹 RCE - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: "It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."

🔹 EoP - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges to SYSTEM level. In the case of CVE-2026-33841, the attacker can elevate privileges to Medium/High integrity level.

🗒 Full Vulristics report

About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability


About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability. A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system.

What is actually hidden behind this description? In the April review on MSPT, a ZDI expert noted that vulnerabilities of this kind in SharePoint are often associated with XSS attacks.

🛠 On April 23, an exploit was published on GitHub, whose author claims that the vulnerability can be summarized as follows: "An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (reflected XSS), which executes in the security context of the SharePoint site."

In other words, the attacker sends a specially crafted request to the SharePoint server, causing SharePoint to generate a malicious link on behalf of a trusted source. The attacker then passes this link to the user. When the user opens such a link, the injected malicious JavaScript executes in the context of SharePoint, which can be used to steal data from the current session, intercept authentication tokens, as well as perform actions on behalf of the user through the user's active session.

👾 Microsoft marked the vulnerability as exploited in the wild on April 14, the day the April Microsoft Patch Tuesday was published. The vulnerability was added to the CISA KEV. On the same day, researchers from Defused reported coordinated reconnaissance activity targeting vulnerable SharePoint servers, carried out from four IP addresses between April 1 and April 11.

⚙️ Updates are available for Microsoft SharePoint Server 2016, 2019, and Subscription Edition.

April "In the Trend of VM" (#26): one Microsoft SharePoint vulnerability


April "In the Trend of VM" (#26): one Microsoft SharePoint vulnerability. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. Once again, it is single-vendor, Microsoft-related, and this time it could not be more compact. While the previous March edition had four trending vulnerabilities, this April edition has only one. In the upcoming May edition, we expect at least three trending vulnerabilities. 😉

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

This vulnerability is from the January Microsoft Patch Tuesday:

🔻 RCE - Microsoft SharePoint (CVE-2026-20963). The vulnerability was initially considered less critical due to an authentication requirement (PR:L), but after Microsoft’s reassessment it turned out that authentication is not required for exploitation (PR:N). The vulnerability has been added to the CISA KEV, meaning attackers are already exploiting it in the wild. There are no public exploits yet.

🟥 The full list of trending vulnerabilities is available on the portal

April Microsoft Patch Tuesday


April Microsoft Patch Tuesday. A total of 167 vulnerabilities, about twice as many as in March. There is one vulnerability already being exploited in the wild:

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)". There is no info yet about how widely it is being used in attacks, but you should not delay patching, especially if SharePoint is exposed to the Internet.

Formally, there are no public exploits yet. However, there are strong indications that a public exploit may already exist for one vulnerability.

🔸 EoP - Microsoft Defender (CVE-2026-33825). "Insufficient granularity of access control" in Microsoft Defender allows a logged-in attacker to gain higher privileges on a local system. Tenable and ZDI say the bug looks similar to the BlueHammer zero-day, for which a public exploit was released on GitHub on April 3. The researcher who published it, Chaotic Eclipse, criticized Microsoft’s disclosure process. ZDI says the exploit is real, but exploitation is unstable and not always reliable.

Other important issues:

🔹 RCE - Windows Active Directory (CVE-2026-33826). To exploit this, the attacker must have an account. The attacker sends a specially crafted RPC request to a vulnerable server, which can lead to code execution. Microsoft says the attacker must be in the same restricted Active Directory domain as the target system.

🔹 RCE - Windows Internet Key Exchange (IKE) Service Extensions (CVE-2026-33824). ZDI says this vulnerability is wormable, meaning it could allow malware to spread automatically between systems. It affects systems with IKE enabled, which creates a large attack surface. Microsoft recommends blocking UDP ports 500 and 4500 at the network edge. However, attackers inside the network can still use it for lateral movement. Patch quickly if you use IKE.

🔹 RCE - Windows TCP/IP (CVE-2026-33827). ZDI also says this may be wormable, especially on systems using IPv6 and IPSec. A race condition makes it harder to exploit, but similar bugs are often exploited at Pwn2Own, so you should not rely on that difficulty. If you use IPv6, test and deploy the patch quickly before exploits appear.

🔹 EoP - Windows Push Notifications (CVE-2026-26167). This Patch Tuesday includes several sandbox escape vulnerabilities, including in Push Notifications, AFD for Winsock, Windows Management Services, and User Interface Core. CVE-2026-26167 (Push Notifications) is the most important because it is the only one with low attack complexity. The others require winning a race condition (AC:H).

🔹 Spoofing - Remote Desktop (CVE-2026-26151). Weak warnings in the Remote Desktop interface allow a network attacker to trick a user into opening a specially crafted file, leading to spoofing. The issue was found by the UK National Cyber Security Centre (NCSC).

🗒 Full Vulristics report

About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability


About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability. This vulnerability was fixed in the January MSPT. At the time of the MSPT release on January 13, VM vendors did not highlight this vulnerability in their reviews, and Microsoft reported no evidence of exploitation in the wild. The initial CVSS vector was CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8). The "PR:L" indicates that authentication was required to exploit the vulnerability. However, on March 17, Microsoft updated both the vulnerability description and its CVSS vector. The updated CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The "PR:N" indicates that authentication is not required for exploitation.

Current vulnerability description:

"Deserialization of untrusted data (CWE-502) in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server."

👾 On March 18, the vulnerability was added to the CISA KEV catalog. No detailed information about exploitation is available yet, and there are currently no public exploits. However, in terms of potential impact, this vulnerability may be comparable to last year's RCE "ToolShell" (CVE-2025-49704).

The situation surrounding this vulnerability demonstrates that the criticality of any vulnerability cannot be determined once and for all. Indicators of exploitation in the wild or public exploits may emerge at any time, and the vendor may also revise the vulnerability description and CVSS metrics for various reasons. Therefore, all vulnerabilities detected within an infrastructure must be continuously monitored (either internally or via a VM vendor), with their criticality regularly reassessed and remediation deadlines adjusted accordingly.

Given that the status of any specific vulnerability may change at any time, it is not advisable to dismiss vulnerabilities as definitively non-critical or non-exploitable. A responsible approach assumes that all detected vulnerabilities require remediation, prioritized according to their continuously updated risk levels.