vulnerability Archives

Winsage

May 14, 2026

Microsoft pits more than 100 AI agents against each other to find Windows vulnerabilities

Microsoft has introduced MDASH (Multi-Model Agentic Scanning Harness), a security solution that uses over 100 specialized AI agents to identify software vulnerabilities. On May 12, 2026, MDASH identified 16 new vulnerabilities (CVEs) in the Windows networking and authentication stack, four of which were critical, including remote code execution vulnerabilities in tcpip.sys, ikeext.dll, netlogon.dll, and dnsapi.dll. Ten of these vulnerabilities can be accessed over the network without authentication. MDASH operates through a four-stage pipeline: analyzing source code, scrutinizing for suspicious elements, debating the exploitability of issues, and attempting to exploit vulnerabilities. The system is model-agnostic and allows integration of new models and domain-specific knowledge. MDASH scored 88.45 percent on the CyberGym benchmark, ranking first among competitors, although the comparison may not be entirely fair as it contrasts a comprehensive framework with individual models. The models used to achieve this score are not specified. MDASH is supported by Microsoft's Autonomous Code Security Team and is currently in a limited private preview for select customers.

AppWizard

May 14, 2026

‘Won’t Fix’—All VPN Apps Affected As Google Android 16 Leaks Info

A significant vulnerability in Android 16 undermines VPN protections across all applications, allowing user traffic to leak outside the secure VPN tunnel. The “Always-On VPN” and “Block connections without VPN” settings are ineffective, potentially exposing users' real IP addresses. The issue was highlighted by security researcher Yusef, who noted that Google dismissed the problem as “Won’t Fix.” Mullvad VPN also reported the vulnerability, which affects all VPN applications on Android 16. The flaw involves a Binder method on ConnectivityManager that allows an attacker app to leak the user's real IP address without proper permission checks. Current mitigation options are limited and not advisable for average users, with a suggestion to switch to Graphene OS, which has addressed the vulnerability.

Winsage

May 14, 2026

Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

An anonymous cybersecurity researcher disclosed two new zero-day vulnerabilities affecting Microsoft systems: YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that operates as a backdoor within the Windows Recovery Environment, impacting Windows 11 and Windows Server 2022/2025. Exploiting YellowKey involves copying specially crafted files to a USB drive, connecting it to a Windows computer, and rebooting into WinRE. The researcher expressed skepticism about Microsoft's response time to this vulnerability, noting that using TPM+PIN does not mitigate the risk. GreenPlasma is a privilege escalation vulnerability that allows an unprivileged user to obtain a shell with SYSTEM permissions through arbitrary section creation in Windows CTFMON. The proof-of-concept for this exploit is incomplete but indicates potential manipulation of trusted privileged services or drivers. Additionally, a related attack against BitLocker was detailed by French cybersecurity firm Intrinsec, which exploits a boot manager downgrade using CVE-2025-48804 to bypass encryption protections on fully patched Windows 11 systems. This method allows attackers to boot from a controlled WIM while the boot manager checks the legitimate one, executing with the decrypted BitLocker volume. Despite Microsoft releasing fixes for this defect in July 2025, a flaw in Secure Boot verification allows a vulnerable boot manager to bypass BitLocker safeguards. To mitigate these risks, enabling a BitLocker PIN at startup and migrating to a new boot manager certificate is recommended.

Winsage

May 14, 2026

Microsoft unveils MDASH, its AI agent-driven security platform — and it’s already spotted a host of new Windows flaws

Microsoft has introduced MDASH, a platform that enhances vulnerability discovery using artificial intelligence, developed by the Autonomous Code Security Team and the Windows Attack Research and Protection group. MDASH has identified 16 previously unknown vulnerabilities in various Windows components, including four critical remote code execution vulnerabilities (CVE‑2026‑33827 and CVE‑2026‑33824). The platform achieved zero false positives during testing and is currently used internally at Microsoft and in a private preview for select partners.

AppWizard

May 14, 2026

Meta faces court over Android tracking claims

Meta is facing a class action lawsuit for allegedly exploiting vulnerabilities in Android smartphones to track users' private information, linking browsing activity to Instagram and Facebook accounts. The lawsuit claims Meta unlawfully accessed and de-anonymized personal data of millions of Android users to enhance advertising profiling. A US District Court Judge ruled that most privacy-related claims in the lawsuit must proceed, stating that plaintiffs have plausibly alleged a significant intrusion upon their privacy. Meta is accused of exploiting an Android vulnerability to bypass security measures that isolate apps, allowing it to link browsing information to users' accounts. Although Meta has reportedly stopped using this tracking method, it successfully dismissed two claims related to unjust enrichment and the use of modified pixel code. Additionally, the lawsuit includes claims against Google for negligence, with one claim dismissed but another allowed to proceed. In response to regulatory pressures, Meta is introducing new features for parental supervision of teens on its platforms and plans to use AI to detect underage accounts.

Winsage

May 14, 2026

Microsoft MDASH finds Windows security flaws with AI | ETIH EdTech News

Microsoft has developed an AI security system called MDASH that has identified 16 vulnerabilities in Windows networking and authentication frameworks, with four classified as Critical, allowing for remote code execution. MDASH uses over 100 specialized AI agents to analyze code from multiple perspectives, improving the accuracy of vulnerability detection. The system has successfully detected all 21 planted vulnerabilities in a private testing environment without false positives, achieving a 96 percent recall rate against historical cases and an 88.45 percent success rate on the CyberGym benchmark. The identified vulnerabilities include issues in tcpip.sys and IKEEXT, which can be exploited remotely without needing credentials.

Winsage

May 13, 2026

Disgruntled researcher releases two more Microsoft zero-days

An anonymous researcher known as Nightmare-Eclipse has revealed two new vulnerabilities affecting Windows systems, named YellowKey and GreenPlasma, shortly after Microsoft's latest Patch Tuesday update. YellowKey is a "BitLocker bypass" that allows attackers with physical access to gain unrestricted shell access to protected machines. Experts have expressed concerns about YellowKey's potential to transform laptop theft into a serious breach notification scenario, and suggested mitigations such as implementing a BitLocker PIN and a BIOS password lock. Nightmare-Eclipse has also hinted that YellowKey could function as a backdoor allegedly introduced by Microsoft, although this claim remains unsubstantiated. GreenPlasma is a privilege escalation flaw for which partial exploit code has been released, but it currently triggers a User Account Control (UAC) consent prompt, requiring attackers to invest time in weaponizing it. There is no known mitigation for GreenPlasma, making it crucial for organizations to patch their systems promptly once Microsoft addresses the issue. Nightmare-Eclipse has previously disclosed five zero-day vulnerabilities this year, including BlueHammer, and has characterized their actions as a response to a perceived violation of trust. The researcher has indicated the existence of a "dead man's switch," suggesting that more disclosures could follow if their demands are not met.

Winsage

May 13, 2026

Windows BitLocker zero-day gives access to protected drives, PoC released

A cybersecurity researcher known as Chaotic Eclipse has released proof-of-concept exploits for two unpatched vulnerabilities in Microsoft Windows: YellowKey, a BitLocker bypass, and GreenPlasma, a privilege-escalation flaw. The YellowKey vulnerability affects Windows 11 and Windows Server 2022/2025, allowing unauthorized access to BitLocker-protected volumes by exploiting the Windows Recovery Environment. The exploit can be executed using specially crafted 'FsTx' files on a USB drive or directly on the EFI partition. Independent researcher Kevin Beaumont has validated the exploit, which can bypass BitLocker protections even in a Trusted Platform Module (TPM) environment. The GreenPlasma vulnerability allows unprivileged users to create arbitrary memory-section objects, potentially leading to privilege escalation. Chaotic Eclipse has expressed dissatisfaction with Microsoft's handling of bug reports, prompting the public disclosure of these vulnerabilities. Microsoft has stated its commitment to investigating security issues and updating affected devices.

Winsage

May 13, 2026

Microsoft’s MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday

Microsoft has introduced a multi-model AI system called MDASH, designed to enhance vulnerability discovery and remediation processes. Currently in limited private preview testing with select customers, MDASH employs over 100 specialized AI agents for various classes of vulnerabilities, enabling autonomous discovery, validation, and demonstration of exploitable defects in complex codebases. The system operates through a structured pipeline that analyzes source code, constructs threat models, and validates findings using auditor and debater agents. MDASH has successfully identified 16 vulnerabilities in its initial tests, including two critical flaws affecting Windows networking and authentication: 1. CVE-2026-33824 (CVSS score: 9.8) - A double-free vulnerability in "ikeext.dll" allowing remote code execution via specially crafted packets. 2. CVE-2026-33827 (CVSS score: 8.1) - A race condition vulnerability in Windows TCP/IP ("tcpip.sys") enabling remote code execution through specially crafted IPv6 packets.

Winsage

May 13, 2026

May Patch Tuesday roundup: Critical holes in Windows Netlogon, DNS, and SAP S/4HANA

Organizations using S/4HANA for critical functions should prioritize remediation efforts as SAP has confirmed there is no alternative workaround for existing vulnerabilities. They must implement specified correction instructions or support packages. Additionally, SAP has issued a HotNews note (#3733064) with a CVSS score of 9.6, indicating a high-severity vulnerability in SAP Commerce Cloud due to missing authentication checks. This vulnerability allows unauthenticated users to execute malicious actions, including configuration uploads and code injections, potentially leading to arbitrary server-side code execution. Organizations are advised to take immediate action to protect their systems.