mitigation Archives

AppWizard

May 15, 2026

Android 16 VPN Bypass Lets Apps Reveal Users’ Real IP Address

A security vulnerability in Android 16 allows malicious applications to expose a user's real IP address, even with "Always-On VPN" and "Block connections without VPN" features activated. Discovered by security researcher 0x33c0unt and disclosed on April 30, 2026, the flaw exploits the registerQuicConnectionClosePayload feature, which lacks permission checks. This vulnerability has been verified on a Pixel 8 with Proton VPN active. Google has not released a patch, but users can disable the feature via ADB commands.

AppWizard

May 14, 2026

‘Won’t Fix’—All VPN Apps Affected As Google Android 16 Leaks Info

A significant vulnerability in Android 16 undermines VPN protections across all applications, allowing user traffic to leak outside the secure VPN tunnel. The “Always-On VPN” and “Block connections without VPN” settings are ineffective, potentially exposing users' real IP addresses. The issue was highlighted by security researcher Yusef, who noted that Google dismissed the problem as “Won’t Fix.” Mullvad VPN also reported the vulnerability, which affects all VPN applications on Android 16. The flaw involves a Binder method on ConnectivityManager that allows an attacker app to leak the user's real IP address without proper permission checks. Current mitigation options are limited and not advisable for average users, with a suggestion to switch to Graphene OS, which has addressed the vulnerability.

Winsage

May 13, 2026

Disgruntled researcher releases two more Microsoft zero-days

An anonymous researcher known as Nightmare-Eclipse has revealed two new vulnerabilities affecting Windows systems, named YellowKey and GreenPlasma, shortly after Microsoft's latest Patch Tuesday update. YellowKey is a "BitLocker bypass" that allows attackers with physical access to gain unrestricted shell access to protected machines. Experts have expressed concerns about YellowKey's potential to transform laptop theft into a serious breach notification scenario, and suggested mitigations such as implementing a BitLocker PIN and a BIOS password lock. Nightmare-Eclipse has also hinted that YellowKey could function as a backdoor allegedly introduced by Microsoft, although this claim remains unsubstantiated. GreenPlasma is a privilege escalation flaw for which partial exploit code has been released, but it currently triggers a User Account Control (UAC) consent prompt, requiring attackers to invest time in weaponizing it. There is no known mitigation for GreenPlasma, making it crucial for organizations to patch their systems promptly once Microsoft addresses the issue. Nightmare-Eclipse has previously disclosed five zero-day vulnerabilities this year, including BlueHammer, and has characterized their actions as a response to a perceived violation of trust. The researcher has indicated the existence of a "dead man's switch," suggesting that more disclosures could follow if their demands are not met.

Winsage

May 13, 2026

Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities

Microsoft's May 2026 security update addresses 137 vulnerabilities, with 31 classified as critical. None of these critical vulnerabilities are currently being exploited in active attacks. Sixteen of the critical vulnerabilities involve remote code execution (RCE) issues in Microsoft products, including Microsoft Office, Microsoft Word, and Azure. Specific vulnerabilities include: - CVE-2026-32161: A use-after-free vulnerability in the Windows Native WiFi Miniport Driver. - CVE-2026-40358: A use-after-free vulnerability in Microsoft Office. - CVE-2026-41089: A stack-based buffer overflow in Windows Netlogon. Additional important vulnerabilities flagged include: - CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. - CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability. - CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Talos is releasing a new Snort ruleset to detect attempts to exploit these vulnerabilities, and users are advised to update their Cisco Security Firewalls and acquire the latest rule pack via Snort.org.

Tech Optimizer

May 4, 2026

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities

Cybersecurity researchers at Wiz’s ZeroDay.Cloud event in London exploited two significant vulnerabilities in PostgreSQL, tracked as CVE-2026-2005 and CVE-2026-2006, which were disclosed on May 4, 2026. The vulnerabilities were found in the pgcrypto extension, affecting public-key decryption and symmetric decryption functions. CVE-2026-2005 allows privilege escalation via a buffer overflow during public-key decryption, while CVE-2026-2006 enables attackers to corrupt memory through inadequate checks in symmetric decryption. PostgreSQL has released patches for these vulnerabilities across versions 14.21 to 18.2, and MariaDB addressed a related issue in versions 11.4.10 and 11.8.6. Database administrators are advised to apply updates and audit logs for suspicious activity.

Winsage

April 28, 2026

‘Unlimited Attack Vectors’—All Windows Versions At Risk From New Flaw

Microsoft is facing a significant security vulnerability in its Windows operating system known as PhantomRPC, which allows for privilege escalation. Cybersecurity experts have expressed concern over the company's delayed response in issuing a patch for this flaw. The vulnerability resides within the Windows Remote Procedure Call (RPC) architecture and enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Researcher Haidar Kabibo identified five distinct paths for exploitation, which require user interaction, coercion, or compromise of background services. Despite disclosing the vulnerability to Microsoft in September 2025, the company categorized it as moderately severe and did not issue a patch or a Common Vulnerabilities and Exposures (CVE) listing. Microsoft stated that the technique requires an already-compromised machine and emphasized the importance of following security best practices. Experts have criticized Microsoft's lack of action, arguing that it is operationally negligent and places the burden of risk management on users. In the absence of a patch, security professionals recommend focusing on access control and environmental hygiene to mitigate the risks associated with the vulnerability.

Winsage

April 20, 2026

“The vault is solid, the delivery truck is not” — strong key storage, shaky transfer: why this Windows Recall feature raises new security questions

Windows Recall, an AI-driven tool by Microsoft designed to capture and analyze users' screen content, was initially unveiled in 2024 but faced a delayed rollout due to significant security concerns. It launched in April 2025 with enhanced security features, including isolation within a "VBS Enclave" to protect against third-party access and filtering out sensitive information. However, security researcher Alexander Hagenah identified a flaw where data is transmitted to a less secure process, d AIXHost.exe, allowing tools like TotalRecall Reloaded to access sensitive data without administrative privileges. Despite reporting this vulnerability, Microsoft deemed it "not a vulnerability" and has not planned significant fixes. In response to user backlash, Microsoft is reassessing its AI initiatives, including Windows Recall, while privacy-focused organizations have introduced features to block the tool. Experts are calling for improved security protocols and user opt-out options.

Winsage

April 18, 2026

RedSun: Windows 0day when Defender becomes the attacker

A vulnerability has been discovered in Windows Defender that allows standard users to exploit a logic error in the file remediation process, enabling code execution with elevated privileges without administrative access. This flaw, identified by security researcher Chaotic Eclipse, occurs because Windows Defender does not verify if the restoration location of flagged files has been altered through a junction point. The exploit, named RedSun, takes advantage of a missing validation in the MpSvc.dll file, allowing attackers to redirect file restoration to the C:WindowsSystem32 directory. RedSun operates by chaining together four legitimate Windows features: Opportunistic Locks (OPLOCKs), Cloud Files API, Volume Shadow Copy Service (VSS), and Junction Points. The execution of the exploit involves monitoring shadow copies, triggering Defender's detection, synchronizing OPLOCKs, and ultimately writing malicious binaries to the System32 directory. The root cause is the lack of reparse point validation in the restoration process, and currently, no patch or CVE has been assigned for this vulnerability. It affects Windows 10, Windows 11, and Windows Server 2019 and later, and organizations are advised to implement behavioral detection strategies until a fix is available.

Winsage

April 17, 2026

Microsoft’s April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025

Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.

Tech Optimizer

April 11, 2026

Antivirus protection built into Windows

Windows 11 includes Microsoft Defender Antivirus, which is active from the moment the device is powered on and integrated into the operating system. It continuously updates to protect against various threats, including malicious files and unsafe links. Microsoft Defender SmartScreen evaluates the safety of websites and downloads, providing warnings for dubious content. Smart App Control prevents untrusted applications from executing, while Controlled folder access protects personal files from unauthorized modifications. Users can verify the operational status of Microsoft Defender Antivirus through Windows Security settings. Best practices for maintaining security include keeping the antivirus updated, using a single real-time antivirus engine, and enhancing security habits. Microsoft Defender Antivirus is generally sufficient for everyday risks, but additional third-party antivirus solutions may be considered based on individual needs.