local privilege escalation Archives

Winsage

May 13, 2026

Windows BitLocker zero-day gives access to protected drives, PoC released

A cybersecurity researcher known as Chaotic Eclipse has released proof-of-concept exploits for two unpatched vulnerabilities in Microsoft Windows: YellowKey, a BitLocker bypass, and GreenPlasma, a privilege-escalation flaw. The YellowKey vulnerability affects Windows 11 and Windows Server 2022/2025, allowing unauthorized access to BitLocker-protected volumes by exploiting the Windows Recovery Environment. The exploit can be executed using specially crafted 'FsTx' files on a USB drive or directly on the EFI partition. Independent researcher Kevin Beaumont has validated the exploit, which can bypass BitLocker protections even in a Trusted Platform Module (TPM) environment. The GreenPlasma vulnerability allows unprivileged users to create arbitrary memory-section objects, potentially leading to privilege escalation. Chaotic Eclipse has expressed dissatisfaction with Microsoft's handling of bug reports, prompting the public disclosure of these vulnerabilities. Microsoft has stated its commitment to investigating security issues and updating affected devices.

Winsage

May 10, 2026

Microsoft Confirms KB5083769 Breaks Macrium and Acronis Backups

Microsoft's April 2026 Windows security update, KB5083769, may disrupt image-mount operations for backup applications such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup due to the addition of the psmounterex.sys kernel driver to its Vulnerable Driver Blocklist. This action was taken to address a high-severity buffer overflow vulnerability, CVE-2023-43896. The inclusion of this driver in the blocklist has rendered several backup products inoperable, and Microsoft will not retract the block for security reasons. Administrators can use Event ID 3077 in the Code Integrity log to confirm that the blocklist is causing the failures. Microsoft advises updating backup applications to versions that include necessary driver protections instead of uninstalling or pausing the security patch. Additionally, the April updates have caused other issues, such as failures in Windows Server installations and devices booting into BitLocker recovery mode.

Winsage

April 25, 2026

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a significant architectural vulnerability in the Windows Remote Procedure Call (RPC) framework that allows local privilege escalation to SYSTEM-level access across all Windows versions. Discovered by Kaspersky's Haidar Kabibo at Black Hat Asia 2026, this vulnerability stems from the RPC runtime's failure to verify the legitimacy of a responding server during calls to offline or disabled servers. Attackers can exploit this by setting up a malicious RPC server that impersonates a legitimate endpoint, using the RpcImpersonateClient API to escalate privileges from low-privileged accounts to SYSTEM or Administrator levels. Five distinct exploitation paths have been identified: 1. gpupdate.exe coercion: An attacker can intercept an RPC call made by the Group Policy Client service when executing gpupdate /force, granting SYSTEM-level access if TermService is disabled. 2. Microsoft Edge startup: Launching msedge.exe triggers an RPC call to TermService, allowing privilege escalation from Network Service to Administrator via a spoofed endpoint. 3. WDI background service: The Diagnostic System Host polls TermService regularly, enabling an attacker to exploit this without user interaction. 4. ipconfig.exe and DHCP Client: Running ipconfig.exe initiates an RPC call to the DHCP Client service, allowing a Local Service attacker to elevate privileges if DHCP is disabled and a fake server is present. 5. w32tm.exe and Windows Time: An attacker can expose a named pipe endpoint, allowing them to impersonate any privileged user executing the Windows Time executable. The vulnerability was reported to Microsoft on September 19, 2025, but Microsoft categorized it as moderate severity and closed the case without a patch, as the attack requires SeImpersonatePrivilege, which is granted by default to certain accounts. Organizations are advised to implement defensive measures such as enabling RPC monitoring, ensuring legitimate services are running, and restricting SeImpersonatePrivilege. Kaspersky has provided tools for auditing environments for exploitable RPC call patterns through the PhantomRPC GitHub repository.

Winsage

April 19, 2026

Windows Defender Security Flaws Actively Exploited by Hackers

Three vulnerabilities in Microsoft Defender, known as BlueHammer (CVE-2026-33825), RedSun, and UnDefend, are being actively exploited by hackers. BlueHammer has been patched, while RedSun and UnDefend remain unpatched. The public release of exploit code has accelerated real-world attacks, affecting Windows 10, Windows 11, and Windows Server systems. Attackers have begun exploiting these vulnerabilities, leading to concerns about privilege escalation, disruption of security updates, and the rapid spread of attacks.

Winsage

April 18, 2026

‘They mopped the floor with me and pulled every childish game they could’: Disgruntled researcher releases second major Windows zero-day — claims Microsoft ‘would ruin my life, and they did’

A new zero-day vulnerability in Microsoft Defender has been disclosed by a researcher known as "Chaotic Eclipse," who has created a proof-of-concept exploit called "RedSun." This vulnerability allows local privilege escalation to SYSTEM level on Windows 10, Windows 11, and Windows Server when Microsoft Defender is active. The vulnerability has attracted attention from antivirus vendors, with some detecting it on VirusTotal due to an embedded EIRCAR in the executable. Chaotic Eclipse previously disclosed another vulnerability named BlueHammer, which also allowed local attackers to gain SYSTEM or elevated permissions. The researcher expressed dissatisfaction with Microsoft's vulnerability disclosure process, recounting negative interactions with the company. A Microsoft spokesperson stated the company's commitment to investigating security issues and supporting coordinated vulnerability disclosure.

Winsage

April 18, 2026

‘They mopped the floor with me and pulled every childish game they could’: Disgruntled researcher releases second major Windows zero-day — claims Microsoft ‘would ruin my life, and they did’

A researcher known as “Chaotic Eclipse” has revealed a new zero-day vulnerability in Microsoft Defender, called “RedSun,” which allows local privilege escalation to SYSTEM privileges on Windows 10, Windows 11, and Windows Server when Microsoft Defender is enabled. The exploit has been confirmed to function correctly, and some antivirus vendors have begun detecting it. This follows another vulnerability disclosure by the same researcher, named BlueHammer, which also allows local attackers to elevate permissions. Chaotic Eclipse expressed dissatisfaction with Microsoft’s handling of vulnerability disclosures, claiming they were threatened and experienced frustration with the company’s response. A Microsoft spokesperson stated the company is committed to investigating reported security issues and supports coordinated vulnerability disclosure.