< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 6 of 13

Pack2TheRoot flaw in PackageKit lets local users gain root

⚠️ A newly disclosed vulnerability, dubbed Pack2TheRoot (CVE-2026-41651), permits local Linux users to install or remove system packages and obtain root privileges by abusing the PackageKit daemon. The bug dates back to 2014 and affects PackageKit versions 1.0.2 through 1.3.4; it is resolved in PackageKit 1.3.5. Administrators should upgrade immediately, verify if packagekit is running, and monitor logs for assertion failures or crashes as likely indicators of attempted exploitation.
read more →

UAT-4356 Targets Cisco Firepower with FIRESTARTER Backdoor

🔐 Cisco Talos reports that UAT-4356 exploited FXOS n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a custom backdoor named FIRESTARTER on Cisco Firepower, ASA and FTD appliances. The implant injects into the LINA process, replaces a WebVPN XML handler, and executes shellcode delivered via specially crafted requests. Operators should follow Cisco advisories for detection, remediation and recommended software upgrades.
read more →

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.
read more →

Microsoft Issues Patch for Critical ASP.NET Core Flaw

🔒 Microsoft released an out-of-band update to address a high-severity privilege-escalation flaw in ASP.NET Core tracked as CVE-2026-40372 (CVSS 9.1). A regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 allowed the managed encryptor to compute HMAC validation over incorrect payload bytes, enabling forged payloads to pass authenticity checks and potentially grant SYSTEM-level access on non-Windows hosts. Microsoft fixed the issue in ASP.NET Core 10.0.7 and warned tokens issued during the vulnerable window remain valid until the DataProtection key ring is rotated.
read more →

Microsoft issues emergency patches for ASP.NET flaw

🔒 Microsoft has released out-of-band updates to fix a critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection APIs. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 packages caused HMAC validation to be computed over the wrong bytes, allowing forged auth cookies and decryption of protected payloads. Developers should update to 10.0.7, redeploy, and rotate DataProtection key rings to invalidate tokens issued during the vulnerable window.
read more →

Siemens RUGGEDCOM CROSSBOW SAM-P Privilege Escalation

🔒 Siemens has identified a privilege escalation vulnerability (CVE-2026-27668) in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) that permits authenticated User Administrators to grant themselves access to any device group. The issue affects SAM-P versions prior to V5.8; Siemens has released V5.8 to remediate the flaw and recommends immediate updates. Operators should also minimize network exposure and follow established industrial security guidelines.
read more →

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities — codenamed BlueHammer, RedSun, and UnDefend — to gain elevated privileges and disrupt defenses. Microsoft addressed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched and have PoCs observed in the wild. Huntress reported weaponization beginning April 10 for BlueHammer and April 16 for RedSun and UnDefend, and said it isolated affected environments while investigating post-exploitation activity.
read more →

RedSun exploit abuses Microsoft Defender to gain SYSTEM

🛡️ A new proof-of-concept called RedSun demonstrates that Microsoft Defender can be manipulated to overwrite protected system files and escalate privileges to SYSTEM on Windows 10 and 11 systems with cloud files features enabled. The exploit leverages Defender’s special handling of cloud-tagged files, which can trigger a rewrite to disk during remediation, allowing attackers to influence timing and destination. Researchers reproduce the issue using the Cloud Files API, oplocks, Volume Shadow Copy race conditions, and directory junctions; detection is limited and Microsoft has not yet commented.
read more →

Microsoft: April update causes domain controller loops

⚠️After installing the April 2026 Windows security update (KB5082063), some non‑Global Catalog domain controllers configured with Privileged Access Management (PAM) may experience Local Security Authority Subsystem Service (LSASS) crashes during startup. Affected servers can enter repeated reboot loops, disrupting authentication and directory services and potentially rendering domains unavailable. Microsoft is investigating and advises administrators to contact Microsoft Support for Business for mitigation options until a permanent fix is released.
read more →

Leaked Windows zero-days exploited to gain SYSTEM privileges

🔓 Threat actors are actively using proof-of-concept exploit code for three recently disclosed Windows vulnerabilities to elevate privileges or disrupt Microsoft Defender. Researcher "Chaotic Eclipse" (aka "Nightmare-Eclipse") published PoCs for BlueHammer, RedSun, and UnDefend in protest over Microsoft’s handling of disclosure. Huntress Labs has observed exploitation in the wild, with BlueHammer seen since April 10, and Microsoft has patched only BlueHammer (CVE-2026-33825) so far while RedSun and UnDefend remain unaddressed.
read more →

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by researcher 'Chaotic Eclipse', demonstrating a local privilege escalation that grants SYSTEM privileges on patched Windows 10, Windows 11, and supported Windows Server releases when Defender is enabled. The PoC exploits Defender's handling of cloud-tagged files via the Cloud Files API to overwrite system binaries and achieve code execution as SYSTEM. Security analyst Will Dormann of Tharros confirmed the exploit works; some antivirus products detect elements of the PoC due to an embedded EICAR test file. The researcher says the publication was a protest over interactions with the Microsoft Security Response Center.
read more →

CISA Flags Exploited Windows Task Host Vulnerability

⚠️ CISA warned federal agencies that a Windows Task Host privilege escalation flaw, tracked as CVE-2025-60710, is being treated as actively exploited and must be patched. The issue affects Windows 11 and Windows Server 2025 and arises from a link-following weakness in the Task Host that lets a local user with basic permissions elevate to SYSTEM. Agencies were given two weeks under BOD 22-01 to remediate; CISA urges all organizations to apply the patch or vendor mitigations immediately.
read more →

Microsoft Patch Tuesday April 2026: 167 Vulnerabilities Fixed

🔒 Microsoft released its April 2026 Patch Tuesday updates addressing 167 security flaws across Windows and related products, including a SharePoint Server zero-day (CVE-2026-32201) and a publicly disclosed Windows Defender privilege escalation dubbed BlueHammer. Google Chrome and Adobe issued emergency fixes for actively exploited zero-days. Administrators should prioritize patches for SharePoint, SQL Server, and Defender and restart browsers to ensure Chromium-based updates are applied.
read more →

April 2026 Patch Tuesday: Two Zero-Days, Eight Critical

⚠️ Microsoft’s April 2026 Patch Tuesday addresses 164 CVEs, including two zero-days and eight Critical vulnerabilities. The release focuses heavily on elevation-of-privilege flaws (57% of patches) and updates for Windows, Office and developer tools. Notable fixes include an exploited SharePoint spoofing zero-day (CVE-2026-32201), a disclosed Defender elevation-of-privilege issue (CVE-2026-33825), and several high‑risk RCEs; deploy patches promptly and apply recommended mitigations.
read more →

Seven IBM WebSphere Liberty Flaws Can Lead to Takeover

🔒 Researchers warn that seven vulnerabilities in IBM WebSphere Liberty can be chained from a pre-authentication SAML Web SSO flaw into full server compromise. The initial defect, tracked as CVE-2026-1561, allows unauthenticated attackers to supply crafted serialized payloads because a String.concat() misuse makes the integrity check ineffective, enabling pre-auth RCE against exposed SAML endpoints. Subsequent AdminCenter weaknesses let low-privileged 'reader' users retrieve keys and sensitive configuration, forge tokens, and abuse an archive-extraction flaw to write arbitrary files; IBM has issued patches and configuration guidance to mitigate the chain.
read more →

Docker CVE-2026-34040 Lets Attackers Bypass AuthZ Exploit

⚠ A high-severity flaw (CVE-2026-34040, CVSS 8.8) in Docker Engine can allow an attacker with API access to bypass AuthZ plugins by causing the daemon to forward requests without their body. The bug is tied to an incomplete fix for CVE-2024-41110 and arises when oversized, padded HTTP requests are dropped before reaching the authorization plugin. An attacker who pads a container-creation request above the threshold can cause the daemon to create a privileged container that mounts the host filesystem. Docker Engine 29.3.1 contains the patch; mitigations include avoiding body-dependent AuthZ plugins, restricting API access to trusted users, or running Docker in rootless mode.
read more →

GPUBreach: GPU Rowhammer Enables Full System Compromise

🔒 Researchers at the University of Toronto demonstrated GPUBreach, a GPU-targeted Rowhammer technique that flips bits in GDDR6 to corrupt GPU page tables and subvert device memory controls. An unprivileged CUDA kernel can obtain arbitrary read/write access to GPU memory and then exploit NVIDIA driver flaws to escalate to CPU privileges and spawn a root shell. The work, due at IEEE S&P 2026, includes technical materials and shows impacts from key leakage to ML model manipulation.
read more →

GPUBreach: RowHammer on GPUs Enables Full Host Takeover

⚠️ New research describes GPUBreach, a set of GDDR6 RowHammer techniques that corrupt GPU page tables to gain arbitrary GPU memory read/write and, in GPUBreach's case, full host control. The work shows chained GDDR6 bit-flips can corrupt trusted driver state and trigger kernel memory-safety bugs in NVIDIA drivers even with the IOMMU enabled. Related efforts (GDDRHammer, GeForge) also achieve GPU-side arbitrary read/write, though some require IOMMU to be disabled. Enabling ECC reduces risk but is not a guaranteed mitigation for all platforms.
read more →

GPUBreach: GPU Rowhammer Enables System Takeover to Root

⚠️ A new attack called GPUBreach demonstrates that Rowhammer-induced bit flips in GDDR6 memory can corrupt GPU page tables and allow an unprivileged CUDA kernel to gain arbitrary GPU memory read/write access. The University of Toronto team showed this capability can be chained into CPU-side privilege escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially yielding a full system compromise up to a root shell. Critically, the attack works with IOMMU enabled and remains unmitigated on consumer GPUs without ECC. Full technical details and a reproduction package will be published on April 13.
read more →

Researcher Releases BlueHammer Windows Zero-Day Exploit

🚨 A security researcher published exploit code for an unpatched Windows privilege escalation vulnerability dubbed BlueHammer, citing dissatisfaction with how Microsoft's Security Response Center handled the report. The public proof-of-concept reportedly combines a TOCTOU and path confusion to access the SAM database and escalate to SYSTEM or elevated administrator privileges. The PoC contains bugs and is not reliably successful across all Windows editions, and Microsoft had not issued a patch at publication, leaving the flaw classified as a zero-day.
read more →