Tag Archives: Windows

About Elevation of Privilege - Microsoft Defender "RedSun" (CVE-2026-41091) vulnerability

Leave a reply

About Elevation of Privilege - Microsoft Defender RedSun (CVE-2026-41091) vulnerability

About Elevation of Privilege - Microsoft Defender "RedSun" (CVE-2026-41091) vulnerability. Microsoft Defender is a built-in security solution developed by Microsoft to protect the Windows operating system and user data from viruses, malware, and other cyber threats in real time. An improper link resolution vulnerability prior to file access ("link following", CWE-59) in Microsoft Defender, specifically within the Malware Protection Engine component, allows an authenticated local attacker to escalate privileges to SYSTEM level. As a result, an attacker could gain full control over the affected system, including unrestricted access to data, the ability to modify system settings, install software, manage user accounts, and disable security protections.

🛠 An exploit for the vulnerability was published on GitHub by security researcher Nightmare Eclipse on April 15, alongside exploits targeting other Windows component vulnerabilities. The account was later removed by GitHub administrators; however, this did not prevent the exploit code from spreading further.

⚙️ The security advisory and patches were released on May 19 outside Microsoft's regular Patch Tuesday schedule. Versions of Microsoft Malware Protection Engine from 1.1.26030.3008 through 1.1.26040.8 are affected. Systems with Microsoft Defender disabled are not vulnerable. By default, Microsoft Defender automatically updates Windows security components, antivirus definitions, and Microsoft Malware Protection Engine, so no additional user action is typically required. Malware Protection Engine is updated monthly or as new threats emerge, while antivirus definitions are updated several times per day. Update checks may run automatically anywhere from once to several times daily when an Internet connection is available. Manual update checks are also supported.

👾 According to Microsoft, the vulnerability is being exploited in the wild. The vulnerability was added to the CISA KEV catalog on May 20.

💡 Special attention should be paid to server and desktop Windows hosts where Microsoft Defender is not disabled, but Internet access is unavailable for regular updates.

May Microsoft Patch Tuesday

Leave a reply

May Microsoft Patch Tuesday

May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:

🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."

Among the remaining ones, the following stand out:

🔹 RCE - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: "This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."

🔹 RCE - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: "No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."

🔹 RCE - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: "This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."

🔹 RCE - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane is an attack vector for each of these vulnerabilities.

🔹 RCE - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: "It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."

🔹 EoP - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges to SYSTEM level. In the case of CVE-2026-33841, the attacker can elevate privileges to Medium/High integrity level.

🗒 Full Vulristics report

April Microsoft Patch Tuesday

Leave a reply

April Microsoft Patch Tuesday

April Microsoft Patch Tuesday. A total of 167 vulnerabilities, about twice as many as in March. There is one vulnerability already being exploited in the wild:

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)". There is no info yet about how widely it is being used in attacks, but you should not delay patching, especially if SharePoint is exposed to the Internet.

Formally, there are no public exploits yet. However, there are strong indications that a public exploit may already exist for one vulnerability.

🔸 EoP - Microsoft Defender (CVE-2026-33825). "Insufficient granularity of access control" in Microsoft Defender allows a logged-in attacker to gain higher privileges on a local system. Tenable and ZDI say the bug looks similar to the BlueHammer zero-day, for which a public exploit was released on GitHub on April 3. The researcher who published it, Chaotic Eclipse, criticized Microsoft’s disclosure process. ZDI says the exploit is real, but exploitation is unstable and not always reliable.

Other important issues:

🔹 RCE - Windows Active Directory (CVE-2026-33826). To exploit this, the attacker must have an account. The attacker sends a specially crafted RPC request to a vulnerable server, which can lead to code execution. Microsoft says the attacker must be in the same restricted Active Directory domain as the target system.

🔹 RCE - Windows Internet Key Exchange (IKE) Service Extensions (CVE-2026-33824). ZDI says this vulnerability is wormable, meaning it could allow malware to spread automatically between systems. It affects systems with IKE enabled, which creates a large attack surface. Microsoft recommends blocking UDP ports 500 and 4500 at the network edge. However, attackers inside the network can still use it for lateral movement. Patch quickly if you use IKE.

🔹 RCE - Windows TCP/IP (CVE-2026-33827). ZDI also says this may be wormable, especially on systems using IPv6 and IPSec. A race condition makes it harder to exploit, but similar bugs are often exploited at Pwn2Own, so you should not rely on that difficulty. If you use IPv6, test and deploy the patch quickly before exploits appear.

🔹 EoP - Windows Push Notifications (CVE-2026-26167). This Patch Tuesday includes several sandbox escape vulnerabilities, including in Push Notifications, AFD for Winsock, Windows Management Services, and User Interface Core. CVE-2026-26167 (Push Notifications) is the most important because it is the only one with low attack complexity. The others require winning a race condition (AC:H).

🔹 Spoofing - Remote Desktop (CVE-2026-26151). Weak warnings in the Remote Desktop interface allow a network attacker to trick a user into opening a specially crafted file, leading to spoofing. The issue was found by the UK National Cyber Security Centre (NCSC).

🗒 Full Vulristics report

March "In the Trend of VM" (#25): once again, vulnerabilities are only in Microsoft products

Leave a reply

March In the Trend of VM (#25): once again, vulnerabilities are only in Microsoft products

March "In the Trend of VM" (#25): once again, vulnerabilities are only in Microsoft products. I present the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. As in February, it turned out to be quite compact and focused on a single vendor.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

All four vulnerabilities are from the February Microsoft Patch Tuesday, and all are actively being exploited in the wild:

🔻 RCE - Windows Shell (CVE-2026-21510)
🔻 RCE - Microsoft Word (CVE-2026-21514)

💬 Microsoft classified the two vulnerabilities above as Security Feature Bypass, but in fact, they are Remote Code Execution.

🔻 EoP - Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP - Desktop Window Manager (CVE-2026-21519)

🟥 The full list of trending vulnerabilities can be found on the portal

About Elevation of Privilege - Desktop Window Manager (CVE-2026-21519) vulnerability

Leave a reply

About Elevation of Privilege - Desktop Window Manager (CVE-2026-21519) vulnerability

About Elevation of Privilege - Desktop Window Manager (CVE-2026-21519) vulnerability. The vulnerability is from the February Microsoft Patch Tuesday. Desktop Window Manager is a compositing window manager included in Windows starting with Windows Vista. A Type Confusion error (CWE-843) in Desktop Window Manager allows an authorized attacker to locally elevate privileges to the SYSTEM level. By fixing this vulnerability, Microsoft most likely attempted to counter the same attacker who exploited the January Information Disclosure vulnerability (CVE-2026-20805) in the same component. It is possible that the original fix did not fully resolve the issue.

👾 Microsoft reports that the vulnerability has been exploited in the wild. The vulnerability has been in the CISA KEV since February 10.

🛠 No public exploits are available yet.

На русском

About Elevation of Privilege - Windows RDS (CVE-2026-21533) vulnerability

Leave a reply

About Elevation of Privilege - Windows RDS (CVE-2026-21533) vulnerability

About Elevation of Privilege - Windows RDS (CVE-2026-21533) vulnerability. The vulnerability is from the February Microsoft Patch Tuesday. Remote Desktop Services (RDS) is a component of Microsoft Windows that allows a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection using the Remote Desktop Protocol (RDP). Improper Privilege Management (CWE-269) in Windows Remote Desktop allows a local attacker to gain SYSTEM privileges. According to CrowdStrike, the exploit binary modifies a service configuration key, allowing the attacker to elevate privileges and "add a new user to the Administrator group".

👾 Microsoft reports exploitation of the vulnerability in the wild. The vulnerability has been listed in the CISA KEV since February 10.

🛠 No public exploits are available yet, but there are reports of the exploit being advertised for sale for $220,000 on a dark forum.

На русском

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. A total of 79 vulnerabilities, about one and a half times more than in February. What's truly unusual is that this time there were no vulnerabilities with signs of exploitation in the wild or a public exploit! 🤔 At least not yet. 😏

The following vulnerabilities can be highlighted:

🔹 RCE - Print Spooler (CVE-2026-23669), Office (CVE-2026-26110, CVE-2026-26113), Excel (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112), SharePoint Server (CVE-2026-26106, CVE-2026-26114)
🔹 EoP - SQL Server (CVE-2026-21262, CVE-2026-26115, CVE-2026-26116), Windows Kernel (CVE-2026-24287, CVE-2026-24289, CVE-2026-26132), Windows Win32k (CVE-2026-24285), SMB Server (CVE-2026-24294, CVE-2026-26128), Windows Graphics Component (CVE-2026-23668), .NET (CVE-2026-26131)
🔹 DoS - .NET (CVE-2026-26127)

🗒 Full Vulristics report

На русском