< ciso brief />

All news with #zero day exploitation tag

325 articles · page 6 of 17

Microsoft Patches 59 Flaws, Six Actively Exploited

🔒 Microsoft released security updates fixing 59 vulnerabilities across Windows and related products, including six flaws Microsoft says are being actively exploited. The update includes five Critical, 52 Important and two Moderate fixes, addressing privilege escalation, remote code execution, spoofing and information disclosure. Microsoft and external researchers reported several actively exploited CVEs; CISA has added them to its KEV catalog with a March 3, 2026 remediation deadline for federal agencies.

Microsoft patches six actively exploited zero-days

🔒 Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. The issues include security feature bypasses in Windows Shell, MSHTML and Word, plus elevation-of-privilege and denial-of-service flaws affecting DWM, Remote Access Connection Manager and Remote Desktop Services. None are rated critical and only five of 58 patches this month were classed as critical. Administrators should prioritise applying updates and monitoring for exploitation.

February 2026 Patch Tuesday: Six Exploited Microsoft Bugs

🔒 Microsoft’s February 2026 Patch Tuesday delivers 60 fixes, including six vulnerabilities the vendor says are actively exploited. Three are security feature bypass flaws in Windows Shell, MSHTML and Office OLE mitigations; two permit local elevation to System, and one enables local denial-of-service. Experts note patches are straightforward and require no post-patch configuration, but prioritization of the bypasses and cloud-related issues is urgent.

BeyondTrust patches critical unauthenticated RCE flaw

🔒 BeyondTrust has released emergency patches to address a critical unauthenticated remote code execution vulnerability in self-hosted instances of Remote Support and Privileged Remote Access. Tracked as CVE-2026-1731 and discovered in January by Hacktron AI, the flaw is rated 9.9/10. BeyondTrust published Patch BT26-02-RS for RS 21.3–25.3.1 and Patch BT26-02-PRA for PRA 22.1–24.x; PRA 25.1+ are not affected and SaaS tenants were patched server-side. Around 11,000 RS instances are internet-exposed, roughly 8,500 of which are on-premises and need immediate patching.

Patch Tuesday: February 2026 — Six Zero-Day Fixes Security

🔒 Microsoft released February 2026 Patch Tuesday updates addressing more than 50 vulnerabilities, including six actively exploited zero-days. Patches cover security feature bypasses in Windows Shell, MSHTML and Word, elevation-of-privilege flaws in Remote Desktop Services and Desktop Window Manager, and a denial-of-service risk in the Remote Access Connection Manager. Administrators and developers are urged to prioritize testing and deployment, maintain recent backups, and apply least-privilege controls to limit exposure, particularly for AI-assisted development workflows.

Microsoft releases Windows 10 KB5075912 ESU update

🔒 Microsoft released the Windows 10 KB5075912 extended security update for ESU-enrolled systems and Enterprise LTSC installations to address February 2026 Patch Tuesday fixes, including six actively exploited zero-day vulnerabilities. After installation, affected systems are updated to build 19045.6937 (or 19044.6937 for LTSC 2021). The update also continues a phased rollout of replacement Secure Boot certificates and resolves a Secure Launch-related shutdown/hibernation issue.

Microsoft February 2026 Patch Tuesday: 6 Zero-Days Fixed

🔒 Microsoft released its February 2026 Patch Tuesday security update addressing 58 flaws, including six actively exploited zero-days and three that were publicly disclosed. The release fixes five Critical bugs and numerous elevation-of-privilege, remote code execution, and information disclosure issues across Windows and Office components. Microsoft also began a phased rollout of updated Secure Boot certificates to replace expiring 2011 certificates and has integrated built-in Sysmon functionality into Windows 11 insider builds.

SolarWinds WHD Under Active Attack via January Zero‑Days

🔒 Analysis by Huntress shows SolarWinds Web Help Desk instances are being actively exploited through a chain of zero‑day and previously disclosed deserialization flaws from late 2025 and January. The incidents combine two January zero‑days—CVE-2025-40551 (deserialization RCE) and CVE-2025-40536 (authentication bypass)—with the earlier CVE-2025-26399. Organizations should urgently upgrade to WHD 2026.1, follow SolarWinds' release notes, reset service and admin credentials, and treat any unexpected Velociraptor, Cloudflared, or Zoho Assist activity and silent MSI installations as indicators of compromise.

European Governments Hit by Ivanti EPMM Zero-Day Breach

🔒 Several European government bodies reported breaches tied to a coordinated exploitation of Ivanti EPMM zero-day vulnerabilities disclosed on 29 January. Affected organizations include the European Commission, Finnish central agencies and at least two Dutch bodies, with as many as 50,000 Finnish staff details potentially exposed. Compromised data appears limited to names, work emails, phone numbers and device metadata; no device-level data has been confirmed. Authorities contained the incidents quickly, but security teams warn of elevated follow-on risks such as spearphishing, credential misuse and malicious configuration changes, and advise reassessing administrative credentials, keys and certificates.

Dutch Agencies Confirm Ivanti EPMM Zero-Day Breaches

🔒 Dutch authorities confirmed that the Dutch Data Protection Authority (AP) and the Council for the Judiciary reported system intrusions tied to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Investigators say unauthorized actors accessed work-related data such as names, business email addresses, phone numbers and device details. The European Commission and Finland's Valtori also reported traces of intrusion or breaches, with Valtori estimating up to 50,000 government employees affected.

February 2026 Patch Tuesday: Six Zero-Days, Five Criticals

🚨 Microsoft’s February 2026 updates address 59 vulnerabilities, including six actively exploited zero-days and five Critical issues. CrowdStrike identified the Windows Remote Desktop elevation-of-privilege (CVE-2026-21533) and observed exploitation against U.S. and Canadian organizations; other zero-days affect MSHTML, Windows Shell, Microsoft Word, Desktop Window Manager and Remote Access Connection Manager. Three Critical Azure service flaws were remediated in-platform while two Critical issues in Azure confidential containers require customer patching. CrowdStrike recommends timely updates, compensating controls, expanded detection/hunting, and use of the Falcon Exposure Management dashboard to prioritize and mitigate risk.

LLMs Accelerate Zero-Day Discovery: Opus 4.6 Advances

🔎 Claude Opus 4.6 markedly improves automated vulnerability discovery, finding high-severity bugs faster and without task-specific tooling. Unlike traditional fuzzers, which depend on massive random inputs, Opus 4.6 reads and reasons about code like a human researcher—spotting patterns, past fixes, and precise inputs that trigger failures. Early tests show it uncovered long-standing zero-days in projects previously subject to extensive fuzzing.

Active Exploitation of SolarWinds Web Help Desk Observed

⚠️ Microsoft Defender observed in-the-wild exploitation of internet-facing SolarWinds Web Help Desk, enabling unauthenticated remote code execution and arbitrary command execution within the application context. Post-exploitation behaviors included PowerShell using BITS to download payloads, installation of ManageEngine RMM components for interactive control, credential theft via DLL sideloading and LSASS access, and persistence through scheduled tasks and reverse SSH/RDP tunnels. Organizations should patch WHD, restrict public admin access, hunt for unauthorized RMM artifacts, and rotate exposed service and admin credentials.

WinRAR Windows Flaw Rapidly Exploited in Espionage

🔒 Check Point researchers say attackers rapidly weaponized CVE-2025-8088, a path traversal flaw in the Microsoft Windows version of WinRAR, to deliver crafted archives that execute arbitrary code and maintain persistence. The campaign used the open-source Havoc Framework and targeted government and law-enforcement organisations in Southeast Asia. Check Point attributes the activity to a group dubbed Amaranth-Dragon, whose tools and tactics resemble APT41. Organisations are advised to prioritise patching and monitor for suspicious archive files.

Attackers Abuse React2Shell to Hijack NGINX Traffic

🔒 Datadog Security Labs disclosed an active web-traffic hijacking campaign that leverages the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) to inject malicious nginx configurations. Attackers use multi-stage shell scripts to create proxy_pass rules that route requests to attacker-controlled backends, focusing on Asian and government/education TLDs and Baota management panels. GreyNoise telemetry links the activity to two dominant IPs and over 1,000 unique sources.

CISA: Critical SolarWinds Web Help Desk RCE Exploited

🔒 CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551) as actively exploited and ordered federal agencies to patch within three days under BOD 22-01. The flaw is an untrusted data deserialization weakness that can enable unauthenticated remote command execution; SolarWinds released Web Help Desk 2026.1 on January 28 to address it. Administrators are urged to apply the patch immediately and verify affected systems.

Weekly Cyber Recap: Proxy Botnet and Office Zero‑Day

🛡️ Google disrupted the IPIDEA residential proxy network by seizing or sinkholing command-and-control domains, cutting operators' ability to route traffic and reducing millions of exit nodes that had been recruited via bundled SDKs or monetization lures. Microsoft released an out‑of‑band patch for an actively exploited Office zero‑day (CVE-2026-21509), while Ivanti fixed two EPMM RCEs. CERT Polska attributed destructive intrusions against Polish energy assets to Static Tundra, and criminals were observed hijacking exposed LLM endpoints for resale and lateral access. Researchers also documented new modular frameworks, open BYOB C2 repositories, and continued exploitation of web platforms and DevOps tooling.

Ivanti EPMM Zero-Days Allow Unauthenticated RCE, Patch Issued

⚠️ Ivanti has released security updates addressing two critical zero-day code-injection flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) — which enable unauthenticated remote code execution and have been observed in limited attacks. One of the defects, CVE-2026-1281, was added to CISA’s KEV catalog, imposing a Federal remediation deadline of February 1, 2026. A temporary RPM patch is available for affected 12.x releases but does not persist through upgrades; Ivanti plans a permanent fix in EPMM 12.8.0.0 due Q1 2026. Customers are urged to check Apache access logs using the provided regex, inspect administrative and configuration changes, and restore or rebuild compromised appliances if indicators of attack are found.

Ivanti warns of two critical EPMM zero-day flaws exploited

⚠ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.

Critical FortiCloud SSO Zero-Day Forces Emergency Fix

⚠️ Fortinet disclosed a critical authentication-bypass zero-day (CVE-2026-24858) that affects FortiCloud SSO and can let attackers compromise FortiGate, FortiManager, and FortiAnalyzer devices. The vendor temporarily disabled FortiCloud SSO globally on Jan 26 to stop active exploitation and re-enabled it Jan 27 with server-side blocking that prevents logins from vulnerable firmware. FortiOS 7.4.11 is available and additional patched releases are being rolled out; most fixes are still listed as "upcoming."