exploitation Archives

Tech Optimizer

June 13, 2026

Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)

On June 10th, Splunk released an advisory for CVE-2026-20253, a high-severity vulnerability with a CVSS score of 9.8 that requires no authentication. The vulnerability is associated with the PostgreSQL Sidecar Service Endpoint and affects Splunk Enterprise versions 10 and above. In default installations, the service is not installed on Windows but is installed and enabled by default on AWS. The vulnerability allows unauthorized users to create and truncate arbitrary files through an API that lacks authentication controls. Additionally, it enables the execution of SQL commands via a backup and restore mechanism, potentially leading to remote code execution (RCE). A Detection Artefact Generator has been developed to help organizations assess their vulnerability to this issue.

Winsage

June 12, 2026

Hackers Use Fake Windows Update Installers to Deliver OnyxC2 Credential Stealer

OnyxC2 is a sophisticated credential stealer available for a subscription fee of 0 per month, distributed through disguised lures such as fake Windows updates and legitimate software installers. It functions as a commercial product with features like an automated payload builder, tiered licensing, and a centralized web dashboard. The malware boasts a 99% detection-evasion rate, successfully evading major antivirus solutions during tests. It is developed in C++, utilizing direct system calls and mutating with each build to avoid detection. OnyxC2 collects data from around 210 applications, targeting 45 web browsers, password managers, cryptocurrency wallets, and FTP clients. The malware is delivered using DLL sideloading, where a password-protected archive contains a legitimate application and a malicious DLL. The attacker's DLL is disguised by inflating its size and is loaded by a trusted binary. The malicious code remains encrypted on disk and decrypts in memory to evade analysis. OnyxC2 communicates with a Cloudflare-fronted command-and-control server to manage infected hosts and execute commands like hardware registration and cookie uploads. The threat extends to business environments, targeting FTP and email clients, with stolen session cookies allowing ongoing access to corporate infrastructure. Implementing anti-data exfiltration controls is recommended as a mitigation strategy.

Winsage

June 11, 2026

Microsoft patches a record 206 flaws—and one is already being exploited

Microsoft patched 206 vulnerabilities during June's Patch Tuesday, surpassing the previous record of 175 vulnerabilities patched in October 2025. Among the patched vulnerabilities, 118 are related to different versions of Windows, including Windows 10, Windows 11, and Windows Server. One critical vulnerability, CVE-2026-41091, in Microsoft Defender is actively being exploited, prompting an update to the Malware Protection Engine. Microsoft also addressed ten vulnerabilities in the Security Feature Bypass category due to the expiration of old Secure Boot certificates. Of the 118 Windows vulnerabilities, 19 are classified as critical Remote Code Execution (RCE) vulnerabilities, including CVE-2026-47288 and CVE-2026-47291. In Microsoft Office, 54 vulnerabilities were patched, including 25 RCE vulnerabilities, with nine classified as critical. Microsoft patched eight vulnerabilities in Exchange Server, including CVE-2026-45583, which can be exploited in a man-in-the-middle scenario. Additionally, the update for Edge addressed 74 Chromium vulnerabilities, including a zero-day vulnerability (CVE-2026-11645).

Winsage

June 11, 2026

Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs

Microsoft announced an update addressing 206 security vulnerabilities, including 39 classified as Critical and 167 as Important. The vulnerabilities include 63 privilege escalation, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security feature bypass, 7 denial-of-service, and 3 tampering vulnerabilities. Notable critical flaws include CVE-2026-45657 (use-after-free in Windows Kernel, CVSS score 9.8), CVE-2026-47291 (integer overflow in Windows HTTP.sys, CVSS score 9.8), and CVE-2026-44815 (stack-based buffer overflow in Windows DHCP Client, CVSS score 9.8). Microsoft also addressed vulnerabilities related to BitLocker bypass (CVE-2026-45585 and CVE-2026-50507) and introduced a new registry setting to mitigate risks associated with CVE-2026-49160 (denial-of-service vulnerability). The increase in patches is attributed to the use of artificial intelligence in vulnerability discovery, with the current year's reported vulnerabilities surpassing the total from all of 2018.

Winsage

June 10, 2026

Windows BitLocker 0-Day Vulnerability Allows Attackers to Bypass Security Feature

On June 9, 2026, Microsoft announced a vulnerability in Windows BitLocker, identified as CVE-2026-50507, which allows unauthorized attackers with physical access to bypass BitLocker Device Encryption. The flaw is categorized under CWE‑306, indicating a missing authentication check for a critical function, and has a CVSS v3.1 base score of 6.8. It affects various versions of Windows 10, Windows 11, and Windows Server from 2012 R2 to 2025. Microsoft released security updates to address the vulnerability, and it was classified as “Exploitation More Likely.” Although there is no evidence of active exploitation, proof-of-concept code exists. Organizations are advised to implement multi-factor configurations and reassess device handling and security protocols.

Winsage

June 3, 2026

Windows Netlogon CVE-2026-41089 exploited: Priority patch needed

Microsoft has addressed a critical vulnerability identified as CVE-2026-41089, which could allow unauthorized access to sensitive data. This vulnerability primarily affects specific Microsoft software and has been classified with a high severity rating. If unaddressed, it could lead to data breaches and unauthorized access. Microsoft recommends users apply the latest security patches and updates. The cybersecurity community emphasizes the importance of prioritizing cybersecurity strategies and collaboration among industry stakeholders to mitigate risks associated with such vulnerabilities.

Winsage

June 3, 2026

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have identified an unpatched vulnerability that could expose NTLMv2 hashes to attackers, linked to the "search:" URI handler. This issue is similar to CVE-2026-33829, which involved a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler. The flaw allows attackers to trick users into connecting to their SMB servers, disclosing NTLMv2 hashes for authentication exploitation. The new vulnerability operates using "search:" and "crumb=location:" parameters, resulting in a similar Net-NTLMv2 leak. Microsoft has chosen not to address this issue, stating only vulnerabilities classified as Important or Critical would be fixed. Recommendations to mitigate risks include blocking outbound SMB traffic, enforcing SMB signing, and disabling NTLM authentication where possible.

AppWizard

June 3, 2026

Fake ‘Minecraft’ Mods Bring Malware to as Many as 116,000 Players

The "Minecraft" community is facing a cybersecurity threat from a malware operation called WeedHack, which disguises itself as fake mods to lure players into downloading it. This operation, run by a teenager, has affected over 116,000 players and uses social engineering tactics to distribute malicious mods, cheats, and clients. WeedHack spreads through trusted channels, including YouTube, and employs search engine optimization poisoning to mislead users. The malware operates by disseminating malicious Java Archive files that appear legitimate, compromising devices to extract sensitive information such as session IDs, browser cookies, and cryptocurrency wallet data. It can also steal credentials for applications like Discord, Steam, and Telegram, and includes remote control features for surveillance and keylogging. Approximately 2,000 new infections occur daily, primarily affecting users in the United States, Germany, India, the United Kingdom, and Italy. The low cost of access to this malware has led to its use by teenagers for online bullying and harassment.

AppWizard

June 2, 2026

Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk

A significant security vulnerability has been found in six Microsoft 365 Android applications, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, due to an active debug flag left in the production code. This oversight allowed untrusted apps to request and receive access tokens, compromising user account security. An attacker could exploit this vulnerability by embedding malicious code in a widely distributed app, enabling unauthorized access to sensitive information such as emails, documents, and communications. Microsoft confirmed the issues and issued CVE numbers CVE-2026-41100, -41101, and -41102, releasing patches through their Patch Tuesday mechanism and a specific patched build on the Google Play Store. Users are advised to update their applications to mitigate the risk.

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.