zero-day flaw Archives

Winsage

January 14, 2026

Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

On Tuesday, Microsoft released its first security update for 2026, addressing 114 vulnerabilities, including eight classified as Critical and 106 as Important. The vulnerabilities include 58 related to privilege escalation, 22 concerning information disclosure, 21 linked to remote code execution, and five categorized as spoofing flaws. A notable vulnerability, CVE-2026-20805, involves information disclosure within the Desktop Window Manager (DWM) and has a CVSS score of 5.5. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to implement fixes by February 3, 2026. Additionally, Microsoft announced the expiration of three Windows Secure Boot certificates issued in 2011, effective June 2026, urging customers to transition to newer certificates to avoid disruptions. The update also removed vulnerable Agere Soft Modem drivers due to a local privilege escalation flaw (CVE-2023-31096) and addressed another critical privilege escalation flaw in Windows Virtualization-Based Security (CVE-2026-20876) with a CVSS score of 6.7. Other vendors, including Adobe, Amazon Web Services, and Cisco, have also released security patches for various vulnerabilities.

Winsage

December 12, 2025

New Windows RasMan zero-day flaw gets free, unofficial patches

Free unofficial patches are available for a newly identified Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service, which operates with SYSTEM-level privileges and manages VPN and remote network connections. This denial-of-service flaw was discovered by ACROS Security while investigating a previously patched privilege escalation vulnerability (CVE-2025-59230) in RasMan. The new zero-day has not yet received a CVE ID and affects all Windows versions from Windows 7 to Windows 11, including Windows Server 2008 R2 through Server 2025. The vulnerability can be exploited by unprivileged users due to a coding error in how RasMan processes circular linked lists, leading to a crash when a null pointer is encountered. ACROS Security is providing free micropatches through its 0Patch service until Microsoft releases an official fix. Users must create an account and install the 0Patch agent to apply the micropatch automatically.

Winsage

December 10, 2025

Microsoft Patch Tuesday, December 2025 Edition

Microsoft released a significant update addressing 56 security vulnerabilities across its Windows operating systems and supported software. This update includes a patch for a zero-day exploit, CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later versions. Throughout 2025, Microsoft has patched a total of 1,129 vulnerabilities, marking an 11.9% increase from the previous year. Three vulnerabilities were classified as critical: CVE-2025-62554 and CVE-2025-62557 related to Microsoft Office, and CVE-2025-62562 related to Microsoft Outlook. Several non-critical privilege escalation vulnerabilities were identified as likely to be exploited, including CVE-2025-62458, CVE-2025-62470, CVE-2025-62472, CVE-2025-59516, and CVE-2025-59517. Another vulnerability, CVE-2025-64671, was found in the Github Copilot Plugin for Jetbrains, allowing remote code execution. Additionally, CVE-2025-54100 is a remote code execution bug in Windows Powershell affecting Windows Server 2008 and later.

Winsage

November 12, 2025

Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws

Microsoft's November 2025 Patch Tuesday addresses a total of 63 vulnerabilities, including one actively exploited zero-day flaw (CVE-2025-62215) related to Windows Kernel Elevation of Privilege. The updates include four vulnerabilities classified as "Critical," with two for remote code execution, one for elevation of privileges, and one for information disclosure. The breakdown of vulnerabilities is as follows: - 29 Elevation of Privilege Vulnerabilities - 2 Security Feature Bypass Vulnerabilities - 16 Remote Code Execution Vulnerabilities - 11 Information Disclosure Vulnerabilities - 3 Denial of Service Vulnerabilities - 2 Spoofing Vulnerabilities This Patch Tuesday marks the first extended security update (ESU) for Windows 10, and users are encouraged to upgrade to Windows 11 or enroll in the ESU program. Microsoft has also released an out-of-band update to assist with enrollment issues. Other companies, including Adobe, Cisco, and Google, have also issued security updates in November 2025.

Winsage

November 11, 2025

Update Windows ASAP to Patch Another Zero-Day Vulnerability

Microsoft's November Patch Tuesday release addresses a total of 63 vulnerabilities, including a zero-day flaw (CVE-2025-62215) that allows elevation of privilege through a race condition in the Windows Kernel. The vulnerabilities include 29 elevation of privilege, 2 security feature bypass, 16 remote code execution, 11 information disclosure, 2 denial of service, and 3 spoofing vulnerabilities. Four vulnerabilities are classified as "critical." Windows 11 users will receive updates such as a scrollable Start menu and enhancements to File Explorer and other features. Microsoft has ended support for Windows 10, but Extended Security Updates are available until October 13, 2026, for those who opted in.

Winsage

October 31, 2025

Windows zero-day actively exploited to spy on European diplomats

A China-linked hacking group, identified as UNC6384 or Mustang Panda, is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats, particularly in Hungary, Belgium, Serbia, Italy, and the Netherlands. The attacks are initiated through spearphishing emails that disguise malicious LNK files as legitimate invitations to NATO and European Commission events. Once activated, these files allow the deployment of the PlugX remote access trojan (RAT), enabling persistent access to compromised systems for surveillance and data extraction. The vulnerability requires user interaction to exploit and resides in the handling of .LNK files, allowing attackers to execute arbitrary code remotely. As of March 2025, the vulnerability is being exploited by multiple state-sponsored groups and cybercrime organizations, but Microsoft has not yet released a patch for it. Network defenders are advised to restrict the use of .LNK files and block connections from identified command-and-control infrastructure.

Winsage

October 16, 2025

Patch Tuesday: Windows 10 end of life pain for IT departments

Microsoft has ceased support for Windows 10 and released a significant Patch Tuesday update addressing several zero-day vulnerabilities, including CVE-2025-24990, which involves a legacy device driver that has been completely removed from Windows. This driver, the Agere Modem driver (ltmdm64.sys), supports hardware from the late 1990s and early 2000s and has not kept pace with modern security practices. The removal of the driver is a strategic decision to reduce security risks associated with outdated components, as patching such legacy code can lead to instability and may not effectively resolve vulnerabilities. Another vulnerability addressed in the update is CVE-2025-2884, related to the Trusted Platform Module (TPM) 2.0 reference implementation. Additionally, CVE-2025-49708, a critical vulnerability in the Microsoft Graphics Component with a CVSS score of 9.9, poses severe risks by allowing a full virtual machine escape, enabling attackers to gain system privileges on the host server from a low-privilege guest VM. Security experts recommend prioritizing patches for this vulnerability to maintain the integrity of virtualization security.

Winsage

August 15, 2025

Microsoft patches more than 100 Windows security flaws – update your PC now

Microsoft's August Patch Tuesday update addresses 107 vulnerabilities in Windows, including 13 critical ones. It affects all current versions of Windows, including Windows 10, Windows 11, and Windows Server. The update fixes security issues in components like File Explorer, Remote Desktop, and Hyper-V, as well as bugs in Microsoft Office, Edge, and Teams. Nine critical vulnerabilities involve remote code execution. One vulnerability, CVE-2025-53779, is a zero-day flaw in the Windows Kerberos authentication system that could grant domain administrator privileges if exploited. The update also introduces new features, including a revamped error screen called the Black Screen of Death and Quick Machine Recovery for troubleshooting boot failures. Users can check for the update in the Windows Update section of Settings.

Tech Optimizer

August 4, 2025

Zero-Day Flaw in PostgreSQL Exploited to Target BeyondTrust Systems

A significant PostgreSQL vulnerability, CVE-2025–1094, was identified during the investigation of another vulnerability, CVE-2024–12356, which was exploited in the BeyondTrust breach in December 2024. The breach involved unauthorized access to BeyondTrust's systems and was linked to the state-sponsored hacking group Silk Typhoon from China. The U.S. Treasury Department confirmed its network was compromised through a stolen BeyondTrust API key. CVE-2025–1094 is an SQL injection vulnerability that allows attackers to execute arbitrary SQL commands due to improper handling of invalid UTF-8 byte sequences. Rapid7 found that CVE-2024–12356's exploitation relied on CVE-2025–1094, and that CVE-2025–1094 could be exploited independently. BeyondTrust issued patches for these vulnerabilities, but the patch for CVE-2024–12356 did not directly address the underlying cause of CVE-2025–1094. The exploitation of these vulnerabilities underscores the need for timely patching and proactive security measures in organizations using PostgreSQL.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.