Kevin Beaumont Archives

Winsage

May 29, 2026

Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump

The conflict between Microsoft and security researcher Nightmare Eclipse has intensified, with Nightmare threatening to release vulnerabilities on July 14. Nightmare has disclosed six zero-day vulnerabilities affecting Windows, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. Microsoft responded by stating that these vulnerabilities were not reported through official channels before their disclosure. Following the release of exploit code for three vulnerabilities, attackers began exploiting them, raising concerns about YellowKey (CVE-2026-45585), which remains unfixed. Nightmare accused Microsoft of silencing them by deleting their MSRC account, leading to frustration over their treatment. The cybersecurity community has noted the significant damage caused by Nightmare, with comparisons to advanced persistent threat groups. Experts criticized Microsoft's handling of the situation, emphasizing the need for better communication and collaboration with researchers. They pointed out that the responsibility for vulnerabilities lies with Microsoft as the code's creator and highlighted the challenges in vulnerability disclosure practices within the industry.

Winsage

May 15, 2026

Zero-day exploit completely defeats default Windows 11 BitLocker protections

A zero-day exploit named YellowKey allows individuals with physical access to Windows 11 systems to bypass BitLocker encryption protections. Discovered by researcher Nightmare-Eclipse, this vulnerability enables unauthorized users to access encrypted drives quickly. The exploit involves transferring a custom FsTx folder to a USB drive, connecting it to a BitLocker-protected device, and entering recovery mode to gain command prompt access without needing a BitLocker recovery key. Esteemed researchers Kevin Beaumont and Will Dormann have confirmed the exploit's functionality, although the specific mechanism within the FsTx folder that enables the bypass is not fully understood.

Winsage

May 13, 2026

Windows BitLocker zero-day gives access to protected drives, PoC released

A cybersecurity researcher known as Chaotic Eclipse has released proof-of-concept exploits for two unpatched vulnerabilities in Microsoft Windows: YellowKey, a BitLocker bypass, and GreenPlasma, a privilege-escalation flaw. The YellowKey vulnerability affects Windows 11 and Windows Server 2022/2025, allowing unauthorized access to BitLocker-protected volumes by exploiting the Windows Recovery Environment. The exploit can be executed using specially crafted 'FsTx' files on a USB drive or directly on the EFI partition. Independent researcher Kevin Beaumont has validated the exploit, which can bypass BitLocker protections even in a Trusted Platform Module (TPM) environment. The GreenPlasma vulnerability allows unprivileged users to create arbitrary memory-section objects, potentially leading to privilege escalation. Chaotic Eclipse has expressed dissatisfaction with Microsoft's handling of bug reports, prompting the public disclosure of these vulnerabilities. Microsoft has stated its commitment to investigating security issues and updating affected devices.

Winsage

January 5, 2026

Microsoft’s Windows AI Features Lack Official Disable Options, Forcing Users To Third-Party Tools

Microsoft's latest Windows 25H2 builds have introduced AI features, but users cannot easily disable them through the interface, leading many to use third-party tools like the RemoveWindowsAI PowerShell script to eliminate components such as Copilot, Recall, and Input Insights. Windows Recall captures screenshots for AI-driven searches, raising privacy concerns due to the creation of a local database of full screenshots. Microsoft has also disabled phone activation for Windows 11, requiring internet connectivity for activation. The RemoveWindowsAI tool removes appx packages associated with AI, ensuring they cannot be reinstalled. Microsoft has announced the discontinuation of support for Windows 11 SE by October 13, 2026, impacting schools that rely on this version. Virtualization, such as using Proxmox, is recommended for users wary of telemetry practices. The RemoveWindowsAI project is evolving to enhance its capabilities in response to Microsoft's AI feature additions. Enterprise deployments are advised to test removal strategies in controlled environments, though some antivirus programs may flag the tool as malicious. Privacy advocates are concerned about the implications of Microsoft's changes on user control and data collection.

Winsage

October 25, 2025

Windows Server WSUS bug exploits underway, Microsoft’s mum

A critical vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, has a CVSS score of 9.8 out of 10 and affects Windows Server versions from 2012 to 2025. The vulnerability arises from the insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on compromised systems. Servers without the WSUS role enabled are unaffected. Microsoft issued a patch on October 14, which did not fully resolve the issue, leading to an emergency update. Security researcher Kevin Beaumont reported that he could manipulate the second patch, raising concerns about the delivery of malicious updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, while the Dutch National Cybersecurity Center issued alerts about ongoing exploitation activities. Private security firms, including Huntress and watchTowr, reported targeted attacks on WSUS instances, with fewer than 25 susceptible hosts identified. WatchTowr's CEO warned that any unpatched WSUS instance online is likely compromised, urging organizations to reassess their security posture.

Winsage

June 9, 2025

Microsoft: Remedy for security vulnerability due to deleted “inetpub” folder

A recent Microsoft security update has created a new folder named "inetpub" on Windows systems, which is essential for system security. If users delete this folder, it can lead to significant vulnerabilities. Microsoft has released a Powershell script, Set-InetpubFolderAcl.ps1, to restore the "inetpub" folder and set the correct permissions. Systems that installed the April security update (KB5055528) must take immediate action if the "inetpub" directory is missing. The script also updates access rights for the "DeviceHealthAttestation" directory, if it exists. Administrative rights are required to run the script. This issue was highlighted by IT security researcher Kevin Beaumont, who noted that deleting the "inetpub" folder could disrupt the installation of future security updates.

Winsage

June 6, 2025

Microsoft shares script to restore inetpub folder you shouldn’t delete

Microsoft has released a PowerShell script to help restore the C:Inetpub folder, which is crucial for addressing a high-severity privilege escalation vulnerability associated with Windows Process Activation. The folder's unexpected appearance after the April 2025 Windows security updates led some users to delete it, inadvertently exposing their systems to vulnerabilities. Microsoft emphasizes that the folder should not be deleted, as it is integral to the security framework, regardless of whether Internet Information Services (IIS) is active. The script allows administrators to recreate the folder with the correct permissions and access control settings.

AppWizard

May 22, 2025

Signal resorts to “weird trick” to block Windows Recall in Desktop app

Microsoft's Recall feature indexes a wide range of personal data, including Zoom meetings, emails, photos, medical conditions, and conversations on Signal, affecting both users and their contacts without consent. Researcher Kevin Beaumont found that the feature captures sensitive information like payment card details and can decrypt its database using a fingerprint scan or PIN. Developers, such as those at Signal, lack tools to prevent their content from being indexed by Recall, leading Signal to utilize a Digital Rights Management API to protect privacy. This workaround may help, but it depends on all chat participants using the Windows Desktop version with default settings. Microsoft has not addressed concerns regarding developer control over Recall.

Winsage

May 14, 2025

Microsoft Confirms Windows Upgrade Choice—You Must Now Decide

Microsoft has released a mandatory update for Windows 11, identified as “KB5058411,” which includes essential security fixes and introduces a new feature called Recall. Recall uses artificial intelligence to capture snapshots of the user's screen at regular intervals, creating a photographic memory of digital interactions. Users will be prompted to enable Recall during the installation of the May 2025 Windows 11 24H2 update, and opting in for the first time simplifies future re-enabling. However, enabling Recall raises privacy concerns, as it records activities and communications from secure messaging platforms like WhatsApp and Signal, potentially exposing sensitive information. A user reported that someone was able to access his entire PC history, including deleted messages, highlighting the vulnerabilities associated with the feature. Users are advised to carefully consider the implications of opting into Recall.

Winsage

May 2, 2025

Windows Recall Is Back (but Should You Use It?)

Windows Recall, an AI-driven feature by Microsoft, was initially launched in July but withdrawn due to security and privacy concerns. It has since returned with modifications aimed at improving user experience, although concerns about its functionality persist. Recall captures and analyzes screenshots of user activities to aid in retrieving past documents or messages. Users must have a Copilot+ PC to access Recall, which is not activated by default. Security enhancements include encrypted data storage and mandatory Windows Hello authentication for access. However, issues remain, such as potential access via a computer PIN, inconsistent filtering of sensitive data, and the risk of data being captured from shared devices. Users can exempt specific sites and apps from being captured, but the process is cumbersome.