code execution Archives

Winsage

April 30, 2026

CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)

Attackers are exploiting CVE-2026-32202, a zero-click vulnerability in Windows Shell, allowing authentication of victims' systems without user interaction. This vulnerability stems from an incomplete patch for CVE-2026-21510 and has been used by the APT28 group with weaponized LNK files to bypass Windows security. Although Microsoft addressed these vulnerabilities in February 2026, the risk remains as opening a folder with a malicious LNK file can still connect victims' machines to the attacker's server, initiating an NTLM authentication handshake that exposes the victim’s Net-NTLMv2 hash. This affects various versions of Windows 10, 11, and Windows Server. Microsoft released a patch for CVE-2026-32202 on April 14, 2026, but did not label it as actively exploited until more than two weeks later, leaving security teams unaware of its urgency. Organizations are advised to apply the patch and consider blocking outbound SMB traffic to mitigate risks.

Winsage

April 28, 2026

Incomplete Windows Patch Creates New Zero-Click Attack Risk

A new vulnerability in Microsoft Windows, designated as CVE-2026-32202, has been discovered due to an incomplete security patch for a previous flaw (CVE-2026-21510). This new vulnerability allows attackers to execute zero-click attacks by processing specially crafted shortcut files, enabling automatic authentication requests without user interaction. The vulnerabilities are linked to another flaw (CVE-2026-21513) in Microsoft’s MSHTML framework, and cybercriminals, specifically the APT28 group, have exploited these issues in attacks against Ukraine and the European Union. Microsoft has released a fix for the new vulnerability in its April 2026 security updates.

Winsage

April 18, 2026

RedSun: Windows 0day when Defender becomes the attacker

A vulnerability has been discovered in Windows Defender that allows standard users to exploit a logic error in the file remediation process, enabling code execution with elevated privileges without administrative access. This flaw, identified by security researcher Chaotic Eclipse, occurs because Windows Defender does not verify if the restoration location of flagged files has been altered through a junction point. The exploit, named RedSun, takes advantage of a missing validation in the MpSvc.dll file, allowing attackers to redirect file restoration to the C:WindowsSystem32 directory. RedSun operates by chaining together four legitimate Windows features: Opportunistic Locks (OPLOCKs), Cloud Files API, Volume Shadow Copy Service (VSS), and Junction Points. The execution of the exploit involves monitoring shadow copies, triggering Defender's detection, synchronizing OPLOCKs, and ultimately writing malicious binaries to the System32 directory. The root cause is the lack of reparse point validation in the restoration process, and currently, no patch or CVE has been assigned for this vulnerability. It affects Windows 10, Windows 11, and Windows Server 2019 and later, and organizations are advised to implement behavioral detection strategies until a fix is available.

Tech Optimizer

April 8, 2026

AI malware threatens Windows 11 security. Traditional antivirus can’t keep up

AI-powered fileless malware poses a significant challenge to Windows 11 security, as traditional antivirus solutions struggle to detect these advanced threats. This type of malware operates without traditional files and can execute malicious actions directly in memory, bypassing conventional detection methods. Vulnerabilities in applications like Excel and Outlook have been exploited, allowing harmful code execution through simple actions like opening a preview pane. The integration of AI features, such as Microsoft's Copilot, has also created new risks, leading to potential data leaks. To combat these threats, a multi-layered security approach that includes behavioral analysis and real-time monitoring is essential. Upgrading from Windows 11 Home to Windows 11 Pro provides additional security features to enhance defenses against malware.

Winsage

April 7, 2026

Disgruntled researcher drops “BlueHammer” Windows zero-day LPE exploit

A security researcher, known as "Nightmare-Eclipse," released proof-of-concept exploit code for a Windows zero-day vulnerability called "BlueHammer," which allows local privilege escalation (LPE). The exploit has been validated by another researcher, Will Dormann, who confirmed it can escalate privileges on Windows systems, allowing non-administrative users to gain SYSTEM-level access. The exploit's reliability varies across different Windows versions, with inconsistent success rates reported. Microsoft has not acknowledged the vulnerability or provided a patch, raising concerns about potential exploitation by threat actors. Users are advised to restrict local user access, monitor for suspicious activity, and enable advanced endpoint protection.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

Winsage

April 1, 2026

WhatsApp on Windows users targeted in new campaign, warns Microsoft

Microsoft researchers have identified a campaign that exploits WhatsApp attachments to infiltrate Windows machines, allowing attackers remote control. The attack uses social engineering tactics, where users receive a seemingly benign .vbs (Visual Basic Script) file that can be executed on Windows. This method does not rely on software vulnerabilities but on persuading victims to execute the malicious file. Attackers manipulate built-in Windows tools to download further malware, employing a technique known as living off the land (LOTL) to avoid detection. The malware seeks to elevate its privileges to administrator status, modifying User Account Control (UAC) prompts and registry settings for persistence. An unsigned MSI (Microsoft Installer) is deployed to establish remote-access software, granting continuous access to the compromised machine.

Winsage

March 30, 2026

Microsoft’s March Security Update of High-Risk Vulnerability Notice for Multiple Products

On March 11, NSFOCUS CERT reported the release of Microsoft’s March Security Update, addressing 83 security vulnerabilities in products like Windows, Microsoft Office, Microsoft SQL Server, and Azure. The update includes eight critical vulnerabilities and 75 important ones, with risks such as privilege escalation and remote code execution. Key vulnerabilities include: - CVE-2026-26110: Microsoft Office Remote Code Execution Vulnerability (CVSS score: 8.4) - CVE-2026-26113: Microsoft Office Remote Code Execution Vulnerability (CVSS score: 8.4) - CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability (CVSS score: 7.5) - CVE-2026-23669: Windows Print Spooler Remote Code Execution Vulnerability (CVSS score: 8.8) - CVE-2026-24294: Windows SMB Server Privilege Escalation Vulnerability (CVSS score: 7.8) - CVE-2026-23668: Windows Graphics Component Privilege Escalation Vulnerability (CVSS score: 7.0) Affected product versions include various editions of Microsoft Office, Windows Server 2012 R2, Windows Server 2016, Windows 10, and Windows 11. Microsoft has released security patches for these vulnerabilities, and users are encouraged to install them promptly.

Winsage

March 17, 2026

Microsoft to Block Windows 11 and Server 2025 Automated Installation After Critical RCE Vulnerability

Microsoft is implementing a two-phase initiative to disable the hands-free deployment feature in Windows Deployment Services (WDS) due to a critical remote code execution vulnerability (CVE-2026-0386) identified on January 13, 2026. This vulnerability arises from improper access control related to the Unattend.xml file, which is transmitted over an unauthenticated RPC channel, allowing attackers on the same network segment to exploit it. Successful exploitation could grant SYSTEM-level privileges and compromise OS deployment images. The initiative includes: - Phase 1 (January 13, 2026): The hands-free deployment feature will remain operational but can be disabled. New Event Log alerts and registry key controls will be introduced to enforce secure practices. - Phase 2 (April 2026): The hands-free deployment feature will be completely disabled by default for administrators who have not modified registry settings. Administrators can temporarily re-enable the feature by setting AllowHandsFreeFunctionality = 1, but this is not secure. Recommendations include reviewing WDS configurations, applying security updates, setting registry keys for secure behavior, monitoring Event Viewer for alerts, and considering alternative deployment methods. Microsoft’s KB article 5074952 provides further guidance for impacted organizations.

Winsage

March 15, 2026

Microsoft Releases Emergency Windows 11 Hotpatch to Fix Remote Code Execution Flaw

Microsoft has released an out-of-band hotpatch update, KB5084597, to address three critical remote code execution vulnerabilities (CVE-2026-25172, CVE-2026-25173, CVE-2026-26111) in the Windows Routing and Remote Access Service (RRAS) management tool. This update is specifically for Windows 11 Enterprise devices in the hotpatch program that did not receive fixes during the March 2026 Patch Tuesday. The vulnerabilities can be exploited by an authenticated attacker within the domain, potentially leading to remote code execution. Hotpatch updates apply fixes through in-memory patching without requiring a device reboot, making them suitable for mission-critical devices. The update is applicable to Windows 11 versions 24H2, 25H2, and Windows 11 Enterprise LTSC 2024, and will be automatically installed on enrolled devices without a restart. Non-enrolled devices received the fix via the standard March 10 Patch Tuesday update.