advisory Archives

Winsage

June 15, 2026

Microsoft released the Windows 11 Secure Boot update for all PCs, how to verify yours

Microsoft has expanded the rollout of the Secure Boot 2023 certificate update to more Windows 11 and Windows 10 devices with the June 2026 Patch Tuesday update (KB5094126). This update aims to ensure that most supported consumer PCs are classified as high confidence, meaning necessary certificates are either installed or will be applied automatically. Secure Boot is a firmware security feature that verifies the software attempting to load during the startup process, blocking unauthorized software. The certificates supporting Secure Boot, issued in 2011, are expiring in stages starting June 24, 2026, prompting Microsoft to deploy replacement certificates. Most home users do not need to take manual action as the updates will occur automatically via Windows Update. Users can check their Secure Boot certificate status in the Windows Security app. A yellow warning indicates pending compatibility data, while a red alert suggests a firmware incompatibility requiring a BIOS update. Multiple reboots during the update process are normal, and a new SecureBoot folder in Windows is for staging cryptographic files. Older PCs may experience longer update times, and some may not receive updates due to firmware issues. HP users should check for BIOS updates if encountering BitLocker recovery loops. IT administrators should monitor device classifications and manually initiate updates for devices not in the high confidence category. Devices with Secure Boot disabled cannot receive updates, leaving them vulnerable. The expiration of the Microsoft Corporation KEK CA 2011 certificate on June 24 does not immediately affect device functionality, but it limits Microsoft's ability to sign new bootkit blacklist updates.

Tech Optimizer

June 13, 2026

Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)

On June 10th, Splunk released an advisory for CVE-2026-20253, a high-severity vulnerability with a CVSS score of 9.8 that requires no authentication. The vulnerability is associated with the PostgreSQL Sidecar Service Endpoint and affects Splunk Enterprise versions 10 and above. In default installations, the service is not installed on Windows but is installed and enabled by default on AWS. The vulnerability allows unauthorized users to create and truncate arbitrary files through an API that lacks authentication controls. Additionally, it enables the execution of SQL commands via a backup and restore mechanism, potentially leading to remote code execution (RCE). A Detection Artefact Generator has been developed to help organizations assess their vulnerability to this issue.

Winsage

June 9, 2026

Dell, HP PCs ran into endless reboot, BitLocker recovery loops but Windows 11 isn’t to blame

Dell confirmed that a bug in version 5.5.16.0 of its SupportAssist Remediation software is causing blue screen errors and system restarts. The issue is linked to the SupportAssist Remediation service, which operates independently from the main SupportAssist application. Dell has released an updated version, 5.5.16.1, to fix the problem. Affected users should check for version 5.5.16.0 in the Installed Apps section of Windows Settings and update their SupportAssist OS Recovery Tools. Users are advised to back up data and keep their systems powered during the update process. HP is facing issues related to Windows Secure Boot updates, causing boot problems and BitLocker recovery loops on affected devices. This occurs when new UEFI Secure Boot CA 2023 certificates fail to apply correctly. HP recommends updating to the latest BIOS version and configuring Secure Boot certificates before installing Windows 11 Patch Tuesday updates. For systems already experiencing issues, BIOS configuration changes may be necessary.

Winsage

June 3, 2026

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have identified an unpatched vulnerability that could expose NTLMv2 hashes to attackers, linked to the "search:" URI handler. This issue is similar to CVE-2026-33829, which involved a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler. The flaw allows attackers to trick users into connecting to their SMB servers, disclosing NTLMv2 hashes for authentication exploitation. The new vulnerability operates using "search:" and "crumb=location:" parameters, resulting in a similar Net-NTLMv2 leak. Microsoft has chosen not to address this issue, stating only vulnerabilities classified as Important or Critical would be fixed. Recommendations to mitigate risks include blocking outbound SMB traffic, enforcing SMB signing, and disabling NTLM authentication where possible.

Winsage

June 1, 2026

Critical Windows Netlogon RCE flaw now exploited in attacks

The Centre for Cybersecurity Belgium (CCB) has warned about the exploitation of a critical vulnerability in Windows Netlogon, identified as CVE-2026-41089, which allows remote code execution on domain controllers without prior access or authentication. This vulnerability, characterized as a stack-based buffer overflow, was patched by Microsoft during the May 2026 Patch Tuesday. The CCB emphasized the urgency of patching vulnerable servers, noting that the vulnerability is actively being exploited. The CVSS score for this vulnerability is 9.8. Further details on the ongoing attacks have not been disclosed, and Microsoft has not updated its advisory on the vulnerability.

Winsage

May 28, 2026

“I have proof for every single word”: This security researcher’s GitHub and Microsoft accounts were deleted after claiming a Windows 11 exploit in BitLocker is by design

A zero-day exploit named YellowKey was revealed by a researcher known as "Chaotic Eclipse" or Nightmare-Eclipse, which allows access to BitLocker-protected drives on Windows 11 using a USB key. Microsoft acknowledged the vulnerability, tracked as CVE-2026-45585, and provided mitigation strategies. The researcher expressed frustration over Microsoft's handling of the situation, including the banning of their GitHub account and lack of communication regarding unpaid bounties from Microsoft's MSRC program, which offers rewards for reporting vulnerabilities. Nightmare-Eclipse hinted at having evidence to support their claims and indicated plans to release documents related to the issue.

AppWizard

May 28, 2026

Fake ‘Cockroach Janta Party’ Android app flagged as critical malware threat, report warns

A cybersecurity report released on May 22, 2026, identifies a counterfeit Android application posing as the official app of the Cockroach Janta Party as a significant malware threat. The malicious app, known as Cockroach.Janta.Party, functions as a Remote Access Trojan (RAT) and can infiltrate Android devices, steal sensitive information, intercept communications, and control infected smartphones. The genuine Cockroach Janta Party has no affiliation with this app and is a victim of brand impersonation. The app is distributed through WhatsApp, Telegram, and misleading websites, particularly a rogue domain, cockroachjantaparty[.]org. It targets Android devices running versions 8.0 to 14 and requests elevated permissions, including access to camera, SMS, call logs, and contacts, while misusing the Android Accessibility Service to read on-screen content and grant itself additional permissions. The app contains multiple malicious modules for data exfiltration and uses a Command and Control infrastructure based on the Telegram Bot API. Users are advised to uninstall the app, disable Accessibility permissions, reset banking credentials, enable two-factor authentication, and conduct a full mobile security scan. The legitimate Cockroach Janta Party is encouraged to issue a formal clarification regarding the impersonation.

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Tech Optimizer

May 22, 2026

Microsoft confirms two major Defender security issues — so update now or face possible attack

Microsoft has addressed two critical zero-day vulnerabilities in its Defender antivirus software: CVE-2026-41091 (privilege escalation) and CVE-2026-45498 (denial of service). The patches were delivered through Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Users are advised to verify their software versions to ensure they have the latest updates. Both vulnerabilities have been included in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, requiring federal agencies to patch them or stop using the affected software by June 3.

Tech Optimizer

May 21, 2026

CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

A critical vulnerability, CVE-2024-55638, has been identified in Drupal Core, affecting installations using PostgreSQL as their backend database. This vulnerability involves PHP Object Injection, which can lead to full Remote Code Execution (RCE) when combined with another deserialization flaw. It cannot be exploited independently but increases the risk for Drupal installations that use third-party modules or custom code that improperly employs the unserialize() function. The affected versions include Drupal Core 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9, with patched versions being 7.102, 10.2.11, and 10.3.9. The vulnerability is particularly relevant for sites using PostgreSQL, and organizations are urged to upgrade to the patched versions and audit their code for unsafe unserialize() usage. Currently, there are no confirmed reports of exploitation in the wild, but the risk remains high due to insecure deserialization bugs in third-party modules. The EPSS score for this vulnerability is 9.93%, indicating a significant likelihood of exploitation in the near future.