< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles

Microsoft patches RoguePlanet Defender flaw

🛡️ Microsoft released a security update addressing a privilege escalation bug in the Microsoft Malware Protection Engine, tracked as CVE-2026-50656. The issue, dubbed RoguePlanet, is a race condition that can allow an attacker to spawn a SYSTEM-level shell to run arbitrary code. The fix is included in engine version 1.1.26060.3008 and includes defense-in-depth hardening.
read more →

Microsoft patches Defender RoguePlanet zero‑day

🛡️ Microsoft released a Malware Protection Engine update to fix a Defender zero-day tracked as CVE-2026-50656, dubbed "RoguePlanet." The vulnerability, disclosed by researcher "Nightmare Eclipse," allows spawning a SYSTEM command prompt via a Defender race condition and reportedly works on fully patched Windows 10 and 11 devices. Microsoft shipped version 1.1.26060.3008 to address the issue after confirming work on a patch on June 16.
read more →

15-Year-Old Linux GhostLock Flaw Enables Root

🛡️ Researchers at Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel use-after-free that allows any logged-in user to gain root privileges on unpatched systems. The bug, present in mainstream distributions since 2011, requires only ordinary local threading calls and no network access. Nebula developed a 97% reliable exploit that also escapes containers and received $92,337 from Google's kernelCTF bounty. Patching is urgent, with early fixes having introduced a follow-up crash bug and distributions still rolling out the corrected kernel.
read more →

Critical Dialogflow CX 'Rogue Agent' code execution flaw

🛡️ A critical flaw in Google Dialogflow CX's Code Blocks could let an attacker with edit rights on one agent compromise other Code Block-enabled agents in the same Google Cloud project. Varonis named the issue Rogue Agent; it required the dialogflow.playbooks.update permission and thus implied a malicious insider or compromised developer account rather than an unauthenticated internet attacker. Google fixed the vulnerability after Varonis disclosed it via the VRP; there are no signs of exploitation.
read more →

Januscape Linux kernel flaw enables VM escape

🛡️ A 16-year-old Linux kernel vulnerability called Januscape (CVE-2026-53359) allows guest-to-host escapes via a use-after-free in the KVM/x86 shadow MMU emulation. Discovered and detailed by researcher Hyunwoo Kim and patched in June 2026, it affects both Intel and AMD architectures and was used in Google's kvmCTF program. Unpatched multi-tenant hosts, especially with world-writable /dev/kvm, risk host takeover or denial-of-service.
read more →

Januscape: 16-year KVM flaw allows guest-to-host escape

🛡️ A long-standing use-after-free bug in Linux's KVM shadow MMU, tracked as CVE-2026-53359 and dubbed Januscape, lets a guest VM corrupt host shadow-page state and can reliably panic hosts. The public PoC triggers host crashes; the researcher reported an unreleased exploit that achieves full host code execution on Intel and AMD. Fixes were merged June 19, 2026 and backported to stable kernels on July 4, 2026; hosts with nested virtualization should be patched or have nesting disabled.
read more →

LLM-Driven Ransomware JadePuffer Targets Langflow

🔒 Sysdig reports a novel ransomware campaign, dubbed JadePuffer, driven entirely by a large language model agent that exploited CVE-2025-3248 in an internet-facing Langflow instance. The automated attack conducted reconnaissance, credential harvesting, lateral movement, and destructive actions against production databases, encrypting and deleting Nacos configurations so they could not be recovered. Sysdig highlights automation of old vulnerabilities, agent narration that may aid detection, and the erosion of response time for defenders.
read more →

Bad Epoll kernel flaw lets local users become root

🛡️ A newly disclosed Linux kernel vulnerability, Bad Epoll (CVE-2026-46242), allows an ordinary local user to escalate privileges to root and affects Linux desktops, servers, and Android. The flaw is a use-after-free race in the epoll subsystem; the timing window is tiny but an exploit by researcher Jaeyoung Chung widens it and succeeds reliably. A fix is available upstream (commit a6dc643c6931) and distributions should backport it; kernels built on 6.4+ are affected unless patched.
read more →

CISA: BlueHammer bug now exploited by ransomware

🛡️ CISA confirms ransomware actors are exploiting the high-severity Microsoft Defender privilege escalation flaw dubbed BlueHammer (CVE-2026-33825). The bug was leaked with proof-of-concept code by researcher "Nightmare Eclipse" in April and later patched by Microsoft on April 14. CISA added the flaw to its KEV Catalog and ordered federal agencies to patch, and has now flagged it as used in ransomware campaigns.
read more →

Critical Oracle E‑Business Suite Flaw Actively Exploited

🔒 A critical authentication and privilege-management vulnerability, tracked as CVE-2026-46817 (CVSS 9.8), affects Oracle Payments in E‑Business Suite versions 12.2.3 through 12.2.15 and has been observed under active exploitation. Patches were released in Oracle's last Critical Security Patch Update, but Defused Cyber reported exploitation against their honeypots and noted no prior public PoC. Details about the attack method, attribution, and campaign scope remain unknown, while experts urge rapid incident response and patching.
read more →

Weekly Cyber Recap: Kernel Flaws and AI Risks

🛡️ This week’s recap highlights how seemingly small mistakes — missed patches, old access paths, or unprivileged namespaces — can yield significant compromises. New findings include the DirtyClone Linux kernel flaw allowing local privilege escalation, active exploitation of a critical PTC Windchill vulnerability, and novel macOS malware designed to deceive AI analysis tools. The briefing also covers disruptive takedowns, trending CVEs, and emerging AI-model risks.
read more →

Three real-world incident case studies from GERT

🔍 Over the past year, Kaspersky’s Global Emergency Response Team and MDR service investigated diverse security incidents that informed the Anatomy of a Cyber World Global Report 2026. The post presents three real case studies illustrating how adversaries use credential theft, known vulnerabilities, and lateral movement to achieve persistence, escalate privileges, and deploy ransomware or wipers. It highlights recurring misconfigurations, delayed patching, and blind spots in monitoring as root causes of successful attacks.
read more →

Linux pedit COW exploit lets local users gain root

⚠️ A critical memory-corruption bug in the Linux traffic-control subsystem (CVE-2026-46331, “pedit COW”) enables a local unprivileged user to gain root by corrupting shared page-cache memory. The flaw allows modification of a cached setuid binary image in memory without touching the on-disk file; a public exploit appeared within a day of CVE assignment. The exploit requires the act_pedit module be loadable and unprivileged user namespaces enabled; affected vendors have issued patches and mitigations.
read more →

DirtyClone Linux kernel flaw enables local root

🛡️ JFrog Security Research published a working exploit for DirtyClone (CVE-2026-43503) on June 25, demonstrating a local privilege escalation in the DirtyFrag family. The flaw lets a local user corrupt file-backed memory via cloned network packets to gain root; the upstream patch landed in mainline on May 21. Exploitation requires CAP_NET_ADMIN to configure an IPsec tunnel, and unprivileged user namespaces on Debian and Fedora enable the default attack path. Ubuntu 24.04+ mitigates the default vector via AppArmor restrictions.
read more →

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.
read more →

macOS XPC Flaw Lets Non‑Root Users Disable EDR/MDM

🔒 A disclosed macOS privilege escalation allows a non-root user to abuse XPC trusted caller caching to invoke privileged helper functions without authentication, impacting multiple EDR and MDM products. XM Cyber found attackers can tamper with a legitimate app to inherit its cached trust and call sensitive methods to unload or disable security agents with minimal forensic traces. Vendors including CrowdStrike and Kandji have issued fixes and mitigations, while XM Cyber released a scanner and will present findings at Black Hat.
read more →

Apple patches Beats Studio Buds high-severity bug

🔒 Apple released a Beats Firmware Update (1B211) to address a high-severity Bluetooth authorization flaw (CVE-2025-20701, CVSS 8.8) in the Airoha audio SDK that could allow attackers within Bluetooth range to pair and eavesdrop without user consent. The issue, reported by ERNW researchers in 2025 alongside related Airoha SoC flaws, enables remote privilege escalation and unauthorized microphone access. Apple’s advisory confirms the risk and the firmware update resolves the vulnerability.
read more →

Microsoft Confirms RoguePlanet Defender Zero-Day

🛡️ Microsoft disclosed it is preparing a patch for a Defender zero-day tracked as RoguePlanet, now identified as CVE-2026-50656 with a CVSS score of 7.8. The company classifies the issue as a privilege escalation in the Microsoft Malware Protection Engine and says it is working on a quality security update. The exploit was publicly released by researcher Chaotic Eclipse (aka Nightmare-Eclipse), who described it as a race condition that can yield SYSTEM-level shells and may work irrespective of real-time protection settings.
read more →

Microsoft developing patch for Defender RoguePlanet zero-day

🔒 Microsoft is investigating and preparing a security update for a Microsoft Defender elevation-of-privilege vulnerability publicly dubbed RoguePlanet. The flaw, now tracked as CVE-2026-50656, was disclosed with a proof-of-concept last week and reportedly allows spawning SYSTEM-level command prompts via a Defender race condition on fully patched Windows 10 and 11 devices. Microsoft confirmed it is working on a high-quality security update and will publish details in the CVE entry when available.
read more →

CISA flags critical JCE Joomla flaw exploited

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity flaw in Widget Factory's Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities catalog, citing active exploitation. Tracked as CVE-2026-48907 (CVSS 10.0), the improper access control bug allows unauthenticated creation of editor profiles and potential PHP code upload and execution. The flaw affects JCE versions 1.0.0 through 2.9.99.4 and was patched in 2.9.99.5 on June 3, 2026; FCEB agencies must apply fixes by June 19, 2026.
read more →