privilege Archives

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.

Winsage

June 1, 2026

Windows 11 sandbox flaw lets attackers escape with one click

SafeBreach Labs identified a vulnerability in Windows 11, named Click Or Trick, cataloged as CVE-2025-59199, which was addressed by Microsoft in October 2025. The vulnerability allows a one-click attack from a low-integrity process to achieve arbitrary write capabilities and escalated code execution by exploiting built-in Windows components. The researchers discovered a COM object with an undocumented flag that enabled a low-integrity process to launch a medium-integrity server process using the user's logon token. They found that certain applications could accept command-line parameters through notifications, allowing attackers to execute commands. The Snipping Tool was leveraged to transition execution to another registered application, such as Microsoft Teams, enabling the injection of a remote debugging switch. This exploit chain involved multiple Windows subsystems and was assigned a CVSS score of 7.8.

Winsage

May 29, 2026

Windows quality update: May

Recent visits to Hyderabad and Taipei have reinforced Windows' commitment to improving user experience, with insights from local Windows Insiders informing preparations for the upcoming Build event. This month focuses on momentum in performance and refinement, with advancements in core functionalities like File Explorer and search capabilities, supported by architectural enhancements. New personalization features for the Taskbar and Start menu have been rolled out, allowing users to reposition the taskbar, choose icon alignment, and utilize app labels. The Start menu has been updated to better align with workflows, offering controls to show or hide sections and adjust size for privacy. The Driver Quality Initiative (DQI) was unveiled at WinHEC 2026 to improve driver quality, reliability, and security, along with Cloud Initiated Driver Recovery for better driver maintenance. Significant updates to File Explorer include improved reliability, readability, and usability, such as support for specific path formats and enhanced dropdown functionality. Accessibility enhancements include Voice Isolation in Voice Access to improve command recognition in noisy environments, expanded personalization options like screen tint adjustments, and new gesture controls for precision touchpads. The Microsoft Build keynote is scheduled for 9:30 AM PT on Tuesday, and a new podcast series, Inside Windows, has been launched to provide insights into ongoing work in Windows.

Winsage

May 25, 2026

Windows zero-days expose gaps in built-in security protections

Two Windows zero-day vulnerabilities, YellowKey and GreenPlasma, have been identified. YellowKey targets the Windows Recovery Environment (WinRE) on Windows 11 and Windows Server 2025, allowing attackers with physical access to bypass BitLocker protections using a USB device. GreenPlasma affects Windows 10, Windows 11, and Windows Server environments with active Collaborative Translation Framework Monitor (CTFMON) sessions, enabling local privilege escalation from a standard user account to SYSTEM-level privileges. Both vulnerabilities require either physical or local access to exploit. Microsoft has not yet released patches for these vulnerabilities, prompting organizations to enhance their security measures and operational resilience. Recommendations include reassessing physical security, limiting local administrative access, and implementing multifactor authentication and robust credential management practices.

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Winsage

May 22, 2026

Windows is entering its “Agentic Era”—and its AI architect is moving on

Yusuf Mehdi, head of product marketing for AI and Copilot at Microsoft, is transitioning to a new role focused on reimagining Windows before leaving the company after 35 years. He aims to enhance Microsoft 365 services and the vision of One Copilot in the upcoming fiscal year. In late 2022, Pavan Davuluri initiated a reorganization to develop an agentic operating system, consolidating engineering and features teams for better cohesion. Microsoft plans to introduce a new agentic workspace feature with AI agents in secure sessions, allowing users control over data sharing. The company has moderated its AI integration strategy in Windows 11 to improve user sentiment and is addressing pain points through the Windows K2 project, which will continue through 2026. Jacob Andreou has been appointed as the lead for consumer and commercial Copilot experiences, reporting to CEO Satya Nadella. Mehdi expressed gratitude for his time at Microsoft and reassured his team of a smooth transition.

Winsage

May 22, 2026

MediaDailyNews: Microsoft Consumer CMO To Leave, Hints At Changes To Windows OS

Yusuf Mehdi, Microsoft's Consumer Chief Marketing Officer, is leaving the company after 35 years. He plans to continue working through the next fiscal year on projects related to Windows, Microsoft 365, and One Copilot. Mehdi's departure follows other notable exits at Microsoft, including Rajesh Jha, who will retire next month, and others such as Charlie Bell, Phil Spencer, and Sarah Bond, who left in February.

Tech Optimizer

May 22, 2026

Microsoft confirms two major Defender security issues — so update now or face possible attack

Microsoft has addressed two critical zero-day vulnerabilities in its Defender antivirus software: CVE-2026-41091 (privilege escalation) and CVE-2026-45498 (denial of service). The patches were delivered through Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Users are advised to verify their software versions to ensure they have the latest updates. Both vulnerabilities have been included in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, requiring federal agencies to patch them or stop using the affected software by June 3.

Winsage

May 21, 2026

Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend Actively Exploited on Windows 10, 11, and Server (April 2026 CVE Analysis)

In April 2026, two zero-day vulnerabilities, RedSun and UnDefend, were discovered in Microsoft Defender, affecting Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities allow attackers to escalate privileges to SYSTEM and bypass Defender’s protections. RedSun exploits a flaw in Defender's remediation process, enabling low-privileged users to overwrite critical system files. UnDefend allows attackers to disrupt Defender’s updates, keeping it outdated and ineffective. Both vulnerabilities are actively being exploited, with attackers leveraging them to gain persistent access and deploy ransomware. The primary targets are organizations using Windows systems with Defender enabled, particularly in sectors like finance, healthcare, and government. Mitigation strategies include applying updates for related vulnerabilities, monitoring for suspicious activities, and implementing additional security measures.

Tech Optimizer

May 21, 2026

Nvidia tells users to update GPU drivers now or face possible attack — here’s what we know

NVIDIA has released an update to its GPU display drivers that addresses 14 vulnerabilities across its product lines, including GeForce, RTX, Quadro, Tesla, NVS, vGPU, and Cloud Gaming software. The most critical vulnerability is CVE‑2026‑24187, a high-severity use-after-free bug rated 8.8 out of 10, which could allow code execution, privilege escalation, data theft, or system crashes. Linux systems are vulnerable due to improper access to GPU resources at the kernel level, while Windows systems are at risk from a timing flaw. Two vulnerabilities in NVIDIA’s Unified Virtual Memory subsystem on Linux could lead to denial-of-service attacks without elevated permissions. The vGPU software also received patches for vulnerabilities in its virtual GPU manager component. Users can download the updated drivers from the NVIDIA Driver Downloads page or the NVIDIA Licensing Portal, with Windows users needing version 569.49 or newer and Linux users needing version 590.48.01. Users are advised to maintain their antivirus programs for enhanced security. NVIDIA thanked external security researchers for their responsible disclosure of these vulnerabilities.