ciso brief

All news with #zero day exploitation tag

325 articles

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities, codenamed BlueHammer, RedSun, and UnDefend, to gain elevated privileges and disrupt defenses. Microsoft addressed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched, and public PoCs for both are now being used in the wild. Huntress reported weaponization beginning April 10 for BlueHammer and April 16 for RedSun and UnDefend, and said it isolated affected environments while investigating post-exploitation activity.

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.

Leaked Windows zero-days exploited to gain SYSTEM privileges

🔓 Threat actors are actively using proof-of-concept exploit code for three recently disclosed Windows vulnerabilities to elevate privileges or disrupt Microsoft Defender. Researcher "Chaotic Eclipse" (aka "Nightmare-Eclipse") published PoCs for BlueHammer, RedSun, and UnDefend in protest over Microsoft’s handling of disclosure. Huntress Labs has observed exploitation in the wild, with BlueHammer seen since April 10, and Microsoft has patched only BlueHammer (CVE-2026-33825) so far while RedSun and UnDefend remain unaddressed.

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by researcher 'Chaotic Eclipse', demonstrating a local privilege escalation that grants SYSTEM privileges on patched Windows 10, Windows 11, and supported Windows Server releases when Defender is enabled. The PoC exploits Defender's handling of cloud-tagged files via the Cloud Files API to overwrite system binaries and achieve code execution as SYSTEM. Security analyst Will Dormann of Tharros confirmed the exploit works; some antivirus products detect elements of the PoC due to an embedded EICAR test file. The researcher says the publication was a protest over interactions with the Microsoft Security Response Center.

Microsoft April Patch Fixes Two Zero-Day Vulnerabilities

🔒 Microsoft released its April Patch Tuesday update addressing an unusually large set of CVEs, including two zero-day flaws. CVE-2026-32201, a SharePoint Server spoofing vulnerability that can manipulate how information is presented to users, is being actively exploited. The second, CVE-2026-33825, is a publicly disclosed elevation-of-privilege bug in Microsoft Defender that could allow system-level access if chained with other exploits. Administrators are urged to prioritise these fixes and also review a high-risk IKEv2 remote code execution issue rated CVSS 9.8.

Microsoft Patch Tuesday April 2026: 167 Vulnerabilities Fixed

🔒 Microsoft released its April 2026 Patch Tuesday updates addressing 167 security flaws across Windows and related products, including a SharePoint Server zero-day (CVE-2026-32201) and a publicly disclosed Windows Defender privilege escalation dubbed BlueHammer. Google Chrome and Adobe issued emergency fixes for actively exploited zero-days. Administrators should prioritize patches for SharePoint, SQL Server, and Defender and restart browsers to ensure Chromium-based updates are applied.

Microsoft April 2026 Patch Tuesday: 165 Vulnerabilities

🔒 Microsoft released its April 2026 Patch Tuesday addressing 165 vulnerabilities across Windows, Office, .NET and server components, including eight rated critical. Critical issues include a .NET DoS (CVE-2026-23666), Remote Desktop and Office use-after-free flaws that can lead to code execution (CVE-2026-32157, CVE-2026-32190), multiple Word local code-execution bugs (CVE-2026-33114, CVE-2026-33115), and an IKEv2 double-free enabling remote code execution (CVE-2026-33824). Talos notes SharePoint vulnerability CVE-2026-32201 is being exploited in the wild and has released Snort rules; administrators should prioritize exposed services and apply mitigations such as blocking UDP 500/4500 if IKE is unused.

Microsoft April 2026 Patch Tuesday: 167 Flaws, 2 Zero-Days

🔒 Microsoft released its April 2026 Patch Tuesday addressing 167 vulnerabilities, including two zero-days and eight Critical flaws. The updates patch an actively exploited SharePoint Server spoofing bug (CVE-2026-32201) and a publicly disclosed Microsoft Defender elevation-of-privilege flaw (CVE-2026-33825) that can grant SYSTEM privileges. Multiple Microsoft Office RCEs exploitable via preview panes or malicious documents were fixed; administrators should prioritize installing these patches immediately.

April 2026 Patch Tuesday: Two Zero-Days, Eight Critical

⚠️ Microsoft’s April 2026 Patch Tuesday addresses 164 CVEs, including two zero-days and eight Critical vulnerabilities. The release focuses heavily on elevation-of-privilege flaws (57% of patches) and updates for Windows, Office and developer tools. Notable fixes include an exploited SharePoint spoofing zero-day (CVE-2026-32201), a disclosed Defender elevation-of-privilege issue (CVE-2026-33825), and several high‑risk RCEs; deploy patches promptly and apply recommended mitigations.

Critical wolfSSL vulnerability allows forged certificates

🔒 A critical vulnerability in the wolfSSL TLS/SSL library (tracked as CVE-2026-5194) permits improper verification of hash algorithms and sizes when validating ECDSA and other signatures. Researchers warn attackers can present forged certificates with undersized digests that vulnerable implementations will accept, enabling impersonation of servers, files, or connections. Discovered by Nicholas Carlini of Anthropic, the issue was fixed in wolfSSL 5.9.1 (April 8); administrators should review deployments and apply updates or vendor patches promptly.

Adobe issues emergency patch for Acrobat/Reader zero-day

🔒 Adobe released an emergency security update to fix a zero-day tracked as CVE-2026-34621, which has been exploited since at least December to bypass Acrobat/Reader sandbox protections. The flaw lets malicious PDFs invoke privileged JavaScript APIs (for example util.readFileIntoStream() and RSS.addFeed()) to read local files and exfiltrate data with no user interaction beyond opening the file. Affected versions of Acrobat DC, Acrobat Reader DC and Acrobat 2024 have fixes available; Adobe urges users to update via Help > Check for Updates or by downloading the installer.

Critical Pre-Auth RCE in Marimo Exploited Quickly in the Wild

⚠️ A critical pre-authentication remote code execution vulnerability in Marimo (tracked as CVE-2026-39987) allows unauthenticated attackers to obtain a full interactive shell by connecting to the exposed /terminal/ws endpoint. The flaw affects all Marimo versions before 0.23.0 and was exploited in the wild within 9 hours and 41 minutes of disclosure. Sysdig observed an attacker steal cloud credentials in under three minutes. Update to 0.23.0 or block public access and rotate any exposed keys.

AI Claude Rapidly Finds 13-Year ActiveMQ RCE Bug Exploit

🔍 Researchers at Horizon3.ai used Anthropic’s Claude to rapidly identify a critical remote code execution vulnerability in Apache ActiveMQ Classic that persisted for roughly 13 years. The flaw (CVE-2026-34197) allows misuse of the Jolokia management API—for example via addNetworkConnector—to load a malicious remote Spring XML and execute arbitrary Java/system commands. While the issue requires authentication in principle, default credentials remain common and a separate vulnerability in some 6.x builds can expose Jolokia without auth, turning it into an unauthenticated RCE. Apache has released patches in 5.19.4 and 6.2.3; administrators should upgrade and restrict access to management interfaces immediately.

Marimo RCE Exploited Within Hours; Patch Released Urgent

⚠️ A critical pre-auth remote code execution flaw, CVE-2026-39987, in Marimo allowed unauthenticated attackers to obtain a full PTY shell via the /terminal/ws WebSocket endpoint. The issue affected all versions up to and including 0.20.4 and was addressed in Marimo 0.23.0. Security researchers at Sysdig observed exploitation within 9 hours and 41 minutes of public disclosure, with rapid credential-theft activity on a honeypot. Once inside, the attackers explored the file system and read .env and SSH key files without needing any public proof-of-concept code.
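The post-exploitation pattern described above, a shell spawned by the Marimo server process followed by reads of .env and SSH key material, is straightforward to turn into an endpoint detection. The following is an added example, not Sysdig's or the Marimo project's code: the event records are constructed inline to stand in for what an EDR, auditd or eBPF sensor would emit, and the shell names and sensitive-path globs are assumptions to tune locally.

```python
from fnmatch import fnmatch

# Constructed process/file events standing in for EDR, auditd or eBPF telemetry (not real captures).
# Each record is either an exec (pid, ppid, cmd) or a file open (pid, path), in arrival order.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1,   "cmd": "python -m marimo edit --host 0.0.0.0 --port 2718"},
    {"type": "exec", "pid": 200, "ppid": 100, "cmd": "/bin/bash"},            # PTY shell handed out via /terminal/ws
    {"type": "open", "pid": 200, "path": "/home/app/.env"},
    {"type": "open", "pid": 200, "path": "/home/app/.ssh/id_ed25519"},
    {"type": "open", "pid": 200, "path": "/home/app/.aws/credentials"},
    {"type": "exec", "pid": 300, "ppid": 1,   "cmd": "/bin/bash"},            # admin shell, not under marimo
    {"type": "open", "pid": 300, "path": "/home/app/.ssh/id_ed25519"},        # same file, different lineage: not flagged
    {"type": "open", "pid": 100, "path": "/home/app/notebook.py"},            # benign notebook read by marimo itself
]

# Assumed tuning knobs: interactive shells worth flagging and secret-bearing paths.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "fish"}
SENSITIVE_GLOBS = ("*/.env", "*/.ssh/*", "*/.aws/credentials", "*/.git-credentials")


def _basename(cmd):
    """Program name of a command line: '/bin/bash -i' -> 'bash'."""
    return cmd.split()[0].rsplit("/", 1)[-1]


def detect_marimo_post_exploitation(events):
    """Return (kind, pid, detail) findings for shells and secret reads rooted under a marimo server."""
    parent = {}   # pid -> ppid, built as exec events arrive
    cmdline = {}  # pid -> command line
    findings = []

    def under_marimo(pid):
        # Walk up the recorded process tree; True if pid or any ancestor is the marimo server.
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            if "marimo" in cmdline.get(pid, ""):
                return True
            pid = parent[pid]
        return False

    for ev in events:
        if ev["type"] == "exec":
            parent[ev["pid"]] = ev["ppid"]
            cmdline[ev["pid"]] = ev["cmd"]
            # A shell whose parent chain leads to the marimo server is exactly what /terminal/ws hands out.
            if _basename(ev["cmd"]) in SHELL_NAMES and under_marimo(ev["ppid"]):
                findings.append(("shell_under_marimo", ev["pid"], ev["cmd"]))
        elif ev["type"] == "open":
            # Secret reads by any descendant of the server, including the shell it spawned.
            if under_marimo(ev["pid"]) and any(fnmatch(ev["path"], g) for g in SENSITIVE_GLOBS):
                findings.append(("sensitive_file_read", ev["pid"], ev["path"]))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in detect_marimo_post_exploitation(SAMPLE_EVENTS):
        print(f"{kind}: pid={pid} {detail}")
```

The lineage check is what keeps this quiet: an administrator's shell reading the same SSH key is not reported, while the server's own legitimate notebook reads fall through the path filter. If your deployment loads secrets from a .env file through the server process itself, expect one benign hit per start and allowlist it rather than dropping the glob.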

Adobe Reader zero-day exploited via crafted PDF lures

⚠️ Security researchers report a previously unknown zero-day in Adobe Reader is being actively exploited via maliciously crafted PDF documents. The exploit, linked to samples named Invoice540.pdf, has been observed since at least December 2025 and executes obfuscated JavaScript to harvest data and retrieve additional payloads. Analysts warn the vulnerability abuses privileged Acrobat APIs, works on the latest Adobe Reader build, and may enable follow-on RCE or sandbox escape.

Attackers Exploiting Adobe Reader Zero-Day Since December

⚠ Haifei Li has identified a zero-day vulnerability in Adobe Reader that has been exploited since at least December via maliciously crafted PDFs. The attack uses a highly sophisticated, fingerprinting-style exploit that can harvest local data using Acrobat APIs and may enable follow-on RCE or sandbox escape without user interaction beyond opening a file. Li urges users to avoid PDFs from untrusted sources and to monitor network traffic for the Adobe Synchronizer User-Agent string as a temporary mitigation.
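The User-Agent check Li suggests is easy to turn into a proxy-log search. The following is an added example, not code from the article or from Adobe: it scans combined-format proxy log lines (constructed inline) for the Synchronizer User-Agent and reports only requests that go somewhere other than an assumed allowlist of Adobe-owned domains. The exact User-Agent value and the allowlist are assumptions; confirm both against known-good Acrobat traffic in your own environment before relying on the rule.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines in Apache/Squid "combined" format (not real traffic).
# Line 1: Acrobat talking to Adobe, expected. Line 2: same User-Agent to an unrelated IP. Line 3: a browser.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Apr/2026:09:14:03 +0000] "GET https://acroipm2.adobe.com/check HTTP/1.1" 200 512 "-" "Adobe Synchronizer"
10.1.4.22 - - [12/Apr/2026:09:14:05 +0000] "POST http://203.0.113.45/upload HTTP/1.1" 200 88 "-" "Adobe Synchronizer"
10.1.4.23 - - [12/Apr/2026:09:15:11 +0000] "GET https://www.example.com/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed marker substring; the article names the "Adobe Synchronizer" User-Agent without giving the full value.
UA_MARKER = "adobe synchronizer"
# Assumed allowlist of destinations Acrobat legitimately contacts; a suffix match will not be fooled by
# lookalikes such as adobe.com.evil.example because those do not end with ".adobe.com".
ALLOWED_SUFFIXES = (".adobe.com", ".adobe.io")


def parse_line(line):
    """Parse one combined-format line into a dict (with the destination host split out), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_suspicious_synchronizer(log_text):
    """Requests carrying the Synchronizer User-Agent to hosts outside the Adobe allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or UA_MARKER not in rec["ua"].lower():
            continue
        if rec["host"].endswith(ALLOWED_SUFFIXES):
            continue  # expected Acrobat background traffic
        hits.append({"ts": rec["ts"], "src": rec["src"], "method": rec["method"], "host": rec["host"]})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_synchronizer(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} {h['method']} -> {h['host']}")
```

Matching the User-Agent alone is noisy, since Acrobat's own update and collaboration components send it constantly; the destination filter is what separates routine Adobe traffic from a lure-driven PDF posting harvested data to an attacker-controlled host. Treat any hit as a lead to pull the PDF the source machine opened around that timestamp, not as a verdict on its own.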

Agentic AI Collapses Zero-Day Timeline: What Leaders Must Do

🔒 Agentic AI is accelerating vulnerability discovery and shrinking the window between unknown flaws and active exploitation. A zero-day is dangerous because it exists in a defensive vacuum with no vendor patch and no established playbook, forcing emergency responses. Automated agents can probe, adapt and iterate continuously, so periodic assurance measures like quarterly scans and annual penetration tests are no longer sufficient as the primary resilience strategy. Organizations should emphasize data minimization, strict API discipline, least-privilege controls and micro-segmentation while embedding security into day-to-day IT operations and aligning CIO and CISO responsibilities.

Anthropic's Claude Mythos Identifies Thousands of Zero‑Days

🔐 Anthropic launched Project Glasswing to apply a preview of its frontier model, Claude Mythos, to find and help remediate security vulnerabilities in critical software. The company says Mythos Preview has already identified thousands of high‑severity zero‑day flaws and autonomously developed complex exploits in testing. Access is restricted to a small set of vendors and foundations due to abuse risks. Anthropic committed significant usage credits and donations to support coordinated defensive patching while acknowledging prior operational leaks and the risk that the same capabilities could be misused.

Anthropic's Project Glasswing and the AI Bug-Hunting Shift

🔎 Anthropic's Project Glasswing uses Claude Mythos Preview to autonomously hunt software vulnerabilities and is being offered to a closed consortium of more than 40 organizations, including Amazon, Microsoft, Apple, Google and the Linux Foundation. Anthropic says early tests found thousands of high-severity flaws across operating systems, browsers, and other widely used software, including an allegedly 27-year-old OpenBSD bug. Security leaders warn the development could upend bug-bounty economics, push security upstream, shorten exposure windows, and raise dual-use control questions.

Max-severity Flowise RCE (CVE-2025-59528) Now Exploited

🚨 Security researchers report active exploitation of Flowise via CVE-2025-59528, a CVSS-10 arbitrary JavaScript injection that can lead to remote command execution and filesystem access. The flaw stems from the CustomMCP node unsafely evaluating user-supplied mcpServerConfig, allowing execution of supplied scripts. The developer fixed the issue in Flowise 3.0.6; users should upgrade to 3.1.1 or at minimum 3.0.6 and restrict public exposure.