remote attackers

Winsage
February 11, 2026
Microsoft's February 2026 Patch Tuesday addressed 59 vulnerabilities in Windows 11, with six confirmed as actively exploited. The most critical vulnerability is CVE-2026-21510, a Windows Shell security feature bypass with a CVSS rating of 8.8, allowing attackers to evade warnings by tricking users into opening malicious files. Another significant vulnerability, CVE-2026-21513, also rated at 8.8, affects MSHTML and allows remote attackers to bypass execution prompts through malicious code in HTML or shortcut files. CVE-2026-21514 impacts Microsoft Word and enables adversaries to disable OLE mitigations, posing risks through document-based attacks. Two local privilege escalation vulnerabilities are CVE-2026-21519 in Desktop Window Manager and CVE-2026-21533 in Windows Remote Desktop Services, with CVSS scores of 7.8. CVE-2026-21525 is a denial-of-service vulnerability in Remote Access Connection Manager. The update includes 53 additional vulnerabilities across various Microsoft products and services, with CVE-2026-21531 in Azure SDK rated at 9.8 and CVE-2026-20841 affecting Windows Notepad rated at 8.8. The cumulative update for Windows 11 (KB5077181) also includes enhancements and resolves WPA3 Wi-Fi connectivity issues. Microsoft reminded users of the June 2026 expiration of Secure Boot certificates, which requires timely updates to ensure secure booting. Users can install the updates via Windows Update.
Winsage
December 10, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include two critical vulnerabilities:
1. CVE-2025-6218 (CVSS score of 7.8) - RARLAB WinRAR Path Traversal Vulnerability, which allows attackers to execute arbitrary code by manipulating file paths within a malicious archive or webpage.
2. CVE-2025-62221 (CVSS score of 7.8) - Microsoft Windows Use After Free Vulnerability, which enables an authorized attacker to elevate their privileges locally to SYSTEM.
Federal agencies are required to address these vulnerabilities by December 30, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
AppWizard
November 14, 2025
A recent investigation revealed significant security vulnerabilities in Android-powered digital photo frames, particularly those using the Uhale app (version 4.2.0). These vulnerabilities allow preinstalled applications to autonomously download and execute malware, granting remote attackers complete control of the device without user interaction. The malware is sourced from infrastructure linked to China, with domains like dc168888888.com and webtencent.com distributing malicious content, and many antivirus applications inadequately detect these threats. The Uhale app has high-risk vulnerabilities, including insecure HTTPS trust management and insufficient input validation, enabling remote code execution with root access. Brands associated with Uhale include BIGASUO, Canupdog, Euphro, and others. Technical oversights include outdated Android 6 firmware, disabled SELinux, weak cryptographic protections, and a lack of authentication for incoming file transfers. Compromised frames can expose private photos, serve as surveillance tools or points for data exfiltration, and act as a foothold for further attacks, posing risks to both home and enterprise networks. Users are advised to disconnect affected frames and monitor for unusual behavior.
Winsage
November 3, 2025
Multiple vulnerabilities have been identified in Microsoft’s Graphics Device Interface (GDI), particularly related to Enhanced Metafile (EMF) formats, allowing potential remote code execution and information exfiltration. Key vulnerabilities include:
- CVE-2025-30388: Rated Important with a CVSS score of 8.8, it involves out-of-bounds memory operations during processing of records, affecting Windows 10/11 and Office for Mac/Android. It allows attackers to read or write beyond allocated heap buffers.
- CVE-2025-53766: Rated Critical with a CVSS score of 9.8, it permits remote code execution through out-of-bounds writes in the ScanOperation::AlphaDivide_sRGB function, affecting Windows 10/11 without requiring privileges.
- CVE-2025-47984: Rated Important with a CVSS score of 7.5, it exploits a flaw in handling EMR_STARTDOC records, leading to information disclosure by exposing adjacent heap memory.
Microsoft has released patches to address these vulnerabilities, and users are advised to apply them promptly. Recommendations include disabling EMF rendering in untrusted contexts and using sandboxed viewers for document access.
Winsage
October 15, 2025
Microsoft's October Patch Tuesday addressed 175 vulnerabilities, including 21 non-Microsoft CVEs. Among these, three vulnerabilities are under active attack:
1. CVE-2025-24990: An elevation of privilege bug in the Agere Modem driver (rated 7.8) that allows attackers to gain administrator privileges on supported Windows versions. The driver has been removed in the update.
2. CVE-2025-59230: An elevation of privilege vulnerability in the Windows Remote Access Connection Manager (rated 7.8) that could grant SYSTEM privileges to attackers.
3. CVE-2025-47827: A Secure Boot bypass flaw (rated 4.6) in IGEL OS.
Three publicly known vulnerabilities include:
1. CVE-2025-0033: A critical vulnerability affecting AMD EPYC processors with SEV-SNP, requiring a patch that is still in development.
2. CVE-2025-24052: An elevation of privilege vulnerability in the Agere Modem driver (rated 7.8) that is publicly known but not yet exploited.
3. CVE-2025-2884: An out-of-bounds read vulnerability in the TCG TPM2.0 reference implementation's CryptHmacSign function.
Additionally, 16 other critical-severity flaws were highlighted, including CVE-2025-59287, a 9.8-rated vulnerability in Windows Server Update Services that allows unauthenticated remote attackers to trigger unsafe object deserialization, leading to remote code execution. Adobe released 12 updates for 36 vulnerabilities, including critical CVEs in Substance 3D Stager, Dimension, Illustrator, and FrameMaker. SAP issued 13 new security notes, with four rated critical, including a fix for an OS command execution flaw in NetWeaver. Ivanti provided advisories for vulnerabilities in Endpoint Manager Mobile and Neurons for MDM, which have not yet been exploited.
Winsage
October 7, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding critical flaws from Oracle, Mozilla, Microsoft Windows, and the Linux Kernel. The newly added vulnerabilities include:
- CVE-2010-3765: Mozilla Multiple Products Remote Code Execution Vulnerability
- CVE-2010-3962: Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
- CVE-2011-3402: Microsoft Windows Remote Code Execution Vulnerability
- CVE-2013-3918: Microsoft Windows Out-of-Bounds Write Vulnerability
- CVE-2021-22555: Linux Kernel Heap Out-of-Bounds Write Vulnerability
- CVE-2021-43226: Microsoft Windows Privilege Escalation Vulnerability
- CVE-2025-61882: Oracle E-Business Suite Unspecified Vulnerability
CVE-2025-61882 has a CVSS score of 9.8 and allows unauthenticated remote attackers to control the Oracle Concurrent Processing component, affecting versions 12.2.3 to 12.2.14 of the Oracle E-Business Suite. It was exploited by the Cl0p ransomware group, and Oracle has released an emergency patch. CVE-2013-3918 was previously used in the 2009 Aurora attack and later by the EQUATION group against government entities in Afghanistan. Federal agencies must address these vulnerabilities by October 27, 2025, as per Binding Operational Directive (BOD) 22-01, which also recommends private organizations review the KEV catalog.
Tech Optimizer
August 29, 2025
NodeBB version 4.3.0 has a critical vulnerability (CVE-2025-50979) in its search-categories API endpoint that allows unauthenticated remote attackers to perform boolean-based blind and PostgreSQL error-based SQL injection attacks. This vulnerability can lead to unauthorized access to sensitive data and information disclosure. The search parameter is inadequately sanitized, enabling the injection of malicious payloads. NodeBB maintainers have released a patch in version 4.3.1 to address this issue. Temporary mitigations include implementing a Web Application Firewall (WAF), restricting API access to trusted IP ranges, and monitoring logs for suspicious activity. The CVSS 3.1 score for this vulnerability is 9.8, indicating a critical severity level.
Winsage
August 11, 2025
SafeBreach researchers have identified several vulnerabilities in Windows environments that could lead to denial of service (DoS) attacks. These include:
1. CVE-2025-26673: A flaw in the Netlogon service that allows remote crashes via crafted Remote Procedure Call (RPC) requests without authentication, potentially locking users out of domain resources until a reboot.
2. CVE-2025-49716: A vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) that enables remote attackers to destabilize the service through specially crafted Lightweight Directory Access Protocol (LDAP) queries, causing immediate DoS.
3. CVE-2025-49722: A DoS vulnerability in the Windows Print Spooler that can be triggered by malformed RPC requests, disrupting printing operations and system stability.
Microsoft has addressed some vulnerabilities but has not yet resolved the three identified by SafeBreach, and there has been no response to inquiries about these issues. SafeBreach recommends organizations apply the latest patches, limit exposure of Domain Controller services, segment critical systems, and monitor for unusual LDAP or RPC traffic for early attack detection.
Winsage
July 10, 2025
Microsoft released patches for 130 vulnerabilities in the July 2025 Patch Tuesday update. Notable vulnerabilities include CVE-2025-49719, an uninitialized memory disclosure in Microsoft SQL Server, and CVE-2025-47981, a wormable remote code execution flaw in Windows. CVE-2025-49719 is assessed as having "unproven" exploit code, while CVE-2025-47981 has a high likelihood of exploitation within 30 days. Other vulnerabilities include CVE-2025-49717, a buffer overflow in SQL Server, and CVE-2025-49704, which allows code injection in SharePoint. Additionally, updates address vulnerabilities in Windows Routing and Remote Access Service (RRAS) and Microsoft Edge, including CVE-2025-6554, which has been actively exploited. Administrators are advised to prioritize patching internet-facing assets and consider additional mitigations for RRAS vulnerabilities.
Winsage
May 15, 2025
The Microsoft Security Response Center (MSRC) has released critical security updates to address a significant vulnerability in the Windows Remote Desktop Gateway service, identified as CVE-2025-26677, which allows unauthorized attackers to cause denial of service (DoS) conditions. This vulnerability is rated as "High" severity with a CVSS score of 7.5 and affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft has provided security updates (KB5058383, KB5058392, KB5058385, and KB5058411) to rectify the issue. Additionally, another vulnerability, CVE-2025-29831, has been identified that could enable remote code execution (RCE) through a Use After Free weakness, also rated with a CVSS score of 7.5. This vulnerability requires user interaction, specifically an admin user to stop or restart the service, and affects Windows Server versions 2008 R2, 2012/R2, 2016, 2019, 2022, and 2025. Organizations are advised to prioritize patching both vulnerabilities and to review network configurations to limit exposure of Remote Desktop Gateway services. The vulnerabilities were discovered by security researchers from Kunlun Lab.