< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 4 of 13

Critical Microsoft Vulnerabilities Double; Privilege Risk

🔍 The BeyondTrust 2026 Microsoft Vulnerabilities Report shows Microsoft disclosed 1,273 vulnerabilities in 2025, while critical flaws doubled from 78 to 157 year‑over‑year. The data highlights a concentration in Elevation of Privilege (40% of CVEs) and a 73% increase in Information Disclosure, signaling attacker focus on stealth and reconnaissance. Cloud and Office-critical bugs spiked, expanding potential blast radii beyond mere data leaks. Authors recommend prioritizing privilege reduction, identity visibility, and contextual remediation over patching alone.
read more →

Patched Windows Cloud Filter Bug Reappears as Exploit

🔒 Researchers report a six-year-old elevation-of-privilege vulnerability in the Windows Cloud Filter driver cldflt.sys remains exploitable despite a 2020 patch. Nightmare Eclipse reworked a Google Project Zero PoC by James Forshaw into an exploit called MiniPlasma, which can elevate a local user to SYSTEM on many builds. The issue, tracked as CVE-2020-17103, involves undocumented key-creation behavior and is race-dependent; Microsoft declined immediate comment.
read more →

MiniPlasma Zero-Day Enables SYSTEM Privilege on Windows

🛡️Chaotic Eclipse has published a proof-of-concept for a Windows privilege escalation zero-day, dubbed MiniPlasma, which targets the Cloud Files Mini Filter Driver (cldflt.sys) in the HsmOsBlockPlaceholderAccess routine. Originally reported to Microsoft in September 2020 and linked to CVE-2020-17103, the researcher says the exact issue remains unpatched. Tests show it can spawn a SYSTEM shell on fully patched Windows 11 systems running May 2026 updates, though success rates vary due to a race condition.
read more →

Exploit Released for DirtyDecrypt Linux Root Escalation

🔒 A proof-of-concept exploit is available for the recently patched DirtyDecrypt (aka DirtyCBC) local privilege escalation in the Linux kernel's rxgk module, enabling attackers to gain root on systems built with CONFIG_RXGK enabled. The flaw, independently reported by the V12 team on May 9, aligns with CVE-2026-31635, which was patched in late April. The PoC has been tested against Fedora and mainline kernels and mainly affects distributions that track upstream releases, such as Fedora, Arch, and openSUSE Tumbleweed. Users should apply kernel updates or use recommended mitigations until patches are deployed.
read more →

MiniPlasma Zero-Day Allows SYSTEM Access on Windows

🔒 A researcher known as Chaotic Eclipse published a proof-of-concept exploit and a compiled executable for a Windows privilege escalation zero-day named MiniPlasma. The researcher says the issue affects the cldflt.sys Cloud Filter driver and an undocumented CfAbortHydration API, and claims the bug traces back to a 2020 report (CVE-2020-17103). BleepingComputer tested the PoC on a fully patched Windows 11 Pro system (May 2026 updates) and reproduced SYSTEM-level access. Microsoft has been contacted for comment.
read more →

Microsoft Rejects Azure Backup AKS Vulnerability Report

🔒 A security researcher alleges Microsoft quietly changed Azure Backup for AKS behavior after rejecting his March disclosure and blocking a CVE, arguing the issue required pre-existing administrative access. The reported flaw purportedly allowed a user with only the Backup Contributor role to gain cluster-admin privileges via Trusted Access. Microsoft maintains the behavior was expected and that no product changes were made, yet the researcher observed new permission checks and a shift to manual Trusted Access configuration after disclosure. CERT/CC validated the bug but the CVE process stalled, leaving defenders with limited visibility.
read more →

Four OpenClaw Flaws Enable Data Theft and Persistence

🔒 Cybersecurity researchers disclosed four vulnerabilities in OpenClaw — collectively named Claw Chain — that can be chained for data theft, privilege escalation, and persistence. The flaws include two TOCTOU race conditions enabling reads and writes outside sandbox mounts, an allowlist bypass via heredoc expansion, and an access-control weakness allowing owner impersonation. Vendor patches are available in version 2026.4.22; users are urged to update immediately. Successful exploitation can expose credentials, modify configurations, and plant backdoors while mimicking normal agent behavior to evade detection.
read more →

Fragnesia: New Local Linux Kernel Privilege Flaw Emerges

🔒 Fragnesia (CVE-2026-46300) is a local Linux kernel privilege escalation that exploits the XFRM ESP-in-TCP subsystem to obtain a memory write primitive, enabling in-memory modification of security-sensitive files while bypassing standard filesystem permissions. A public PoC exists, but remote exploitation is not possible; an attacker needs local access and control of socket operations. Vendors including Red Hat and Ubuntu are issuing patches and workarounds, and administrators should update kernels, consider disabling esp4/esp6 or avoiding kernels built with CONFIG_INET_ESPINTCP, and increase monitoring until systems are patched.
read more →

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.
read more →

Fragnesia: New Linux Kernel LPE Emerging from Dirty Frag

🔒Fragnesia (CVE-2026-46300) is a newly disclosed Linux kernel local privilege escalation discovered by William Bowling of Zellic and the V12 team, with a working PoC published on May 13. The flaw permits unprivileged users to overwrite kernel page-cache contents of read-only files, enabling in-memory tampering that can spawn a root shell without touching disk. It stems from shared page fragment bookkeeping failures tied to ESP-in-TCP decryption behavior and is being mitigated by interim distro backports and module hardening.
read more →

Windows Zero-Days Expose BitLocker and CTF Privilege Flaws

🔒 An anonymous researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) disclosed two new Windows zero-days: YellowKey, a BitLocker bypass present in the Windows Recovery Environment (WinRE), and GreenPlasma, a CTFMON-related privilege escalation. YellowKey targets Windows 11 and Windows Server 2022/2025 by placing crafted FsTx files on a USB or EFI partition and replaying them to obtain a shell even when BitLocker is enabled. The GreenPlasma proof-of-concept can create arbitrary memory section objects in SYSTEM-writable directories, potentially enabling higher-privilege manipulation, though the exploit is incomplete. Microsoft says it investigates reported issues and supports coordinated disclosure.
read more →

High-Severity Fragnasia Linux Kernel Vulnerability

⚠️ A new high-severity Linux kernel privilege escalation, named Fragnasia (CVE-2026-46300), abuses a logic bug in the XFRM ESP-in-TCP subsystem to write arbitrary bytes into the kernel page cache of read-only files, enabling local attackers to gain root. A proof-of-concept exploit demonstrates corrupting /usr/bin/su to obtain a root shell. It affects kernels released before May 13, 2026, and mirrors the mitigation used for the recently disclosed Dirty Frag class.
read more →

Fragnesia: New Linux Kernel LPE CVE-2026-46300 Alert

🔒 A new local privilege escalation dubbed Fragnesia (CVE-2026-46300) was disclosed in the Linux kernel's XFRM ESP-in-TCP subsystem, allowing unprivileged local attackers to corrupt the kernel page cache and gain root. The issue, discovered by William Bowling of V12, is a separate bug from Dirty Frag but affects the same surface. A PoC exploit has been published and multiple distributions have issued advisories. Mitigations for Dirty Frag apply until patched kernels are available.
read more →

Windows BitLocker Zero-Day: YellowKey and GreenPlasma

🔒 A researcher known as Chaotic Eclipse (Nightmare-Eclipse on GitHub) published proof-of-concept exploits named YellowKey and GreenPlasma that bypass BitLocker protections and enable local privilege escalation on affected Windows versions. YellowKey abuses the Windows Recovery Environment (WinRE) and NTFS transaction replay to spawn a shell and access encrypted volumes, while GreenPlasma allows arbitrary memory-section creation that can be escalated to SYSTEM. The author said the disclosures were driven by dissatisfaction with Microsoft's handling of reports. Microsoft says it investigates and supports coordinated disclosure.
read more →

Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Fixed

🔔 Today's May 2026 Patch Tuesday from Microsoft delivers security updates addressing 120 distinct vulnerabilities, including 17 rated Critical. The release corrects multiple remote code execution, elevation-of-privilege, information disclosure, denial-of-service, spoofing, and security feature bypass flaws across Windows, Office, SharePoint, and developer tools. Notable patches close dangerous RCE vectors in Microsoft Office (Word, Excel, PowerPoint) that can be exploited via malicious attachments or the preview pane, and key fixes include Windows GDI EMF parsing, SharePoint server RCE, and a Windows DNS Client RCE. Administrators are strongly advised to prioritize and deploy updates promptly to reduce exposure.
read more →

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.
read more →

Critical Linux Kernel LPE 'copy.fail' Vulnerability

⚠ copy.fail is a severe Linux kernel local privilege escalation disclosed on 29 April 2026 with a working proof-of-concept. It abuses the kernel crypto API (AF_ALG sockets) together with splice() to write four bytes at a time directly into the page cache of files the attacker does not own, leaving on-disk files unchanged. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora, bypasses checksum-based monitoring, and has no race or per-distro offsets; the mainline fix landed on 1 April and distros are rolling patches.
read more →

Active Directory Certificate Services: Exploitation Risks

🔐 This Unit 42 report examines how misconfigured Active Directory Certificate Services (AD CS) components create high-impact attack surfaces that enable privilege escalation, identity impersonation, and persistent access. It details exploitation techniques—especially certificate template misconfigurations and shadow credential abuse—tools observed in the wild, and a five-phase adversary lifecycle. The report emphasizes behavioral detection, telemetry correlation, and mitigation guidance to help defenders close monitoring gaps.
read more →

Dirty Frag: Chained Linux Kernel Flaws Prompt Patch Rush

🛡️ Major Linux distributions are rushing to apply fixes after the embargo on a two‑bug kernel exploit, dubbed Dirty Frag, was broken. The flaw chains CVE-2026-43284 (xfrm‑ESP write‑what‑where, CVSS 8.8) and CVE-2026-43500 (RxRPC out‑of‑bounds write, CVSS 7.8) to enable local privilege escalation to root. Researcher Hyunwoo Kim published a proof‑of‑concept after coordinating with maintainers. Vendors recommend temporarily blacklisting esp4/esp6/rxrpc modules and prioritising immediate patching.
read more →

Dirty Frag Linux Exploit Enables Reliable Root Escalation

🔒 Microsoft warns of a new local Linux privilege escalation called Dirty Frag that abuses fragmented page-cache handling to gain root. The chain uses two kernel flaws — CVE-2026-43284 (ESP) and CVE-2026-43500 (RxRPC) — and is already observed in post-compromise attacks. Administrators are urged to disable esp4, esp6, and rxrpc modules, limit local shell access, and monitor for abnormal privilege escalation while vendors roll out patches.
read more →