< ciso brief />

All news with #zero day exploitation tag

390 articles · page 9 of 20

Single Threat Actor Behind 83% of Ivanti RCE Exploits

🛡️ GreyNoise telemetry indicates a single IP hosted by PROSPERO OOO is responsible for roughly 83% of active exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), targeting CVE-2026-21962 and CVE-2026-24061. Between Feb 1–9 researchers observed 417 exploit sessions from eight source IPs, with a sharp spike on Feb 8. Activity appears automated, using OAST-style DNS callbacks consistent with initial access broker behavior; Ivanti has released hotfixes and will issue full patches in Q1.

Researchers Observe In-The-Wild Exploitation of BeyondTrust

🔴 watchTowr reported the first in-the-wild exploitation of a critical BeyondTrust vulnerability, CVE-2026-1731, with attackers abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. The flaw (CVSS 9.9) allows unauthenticated remote code execution by sending specially crafted requests and has been patched in Remote Support (BT26-02-RS, 25.3.2+) and Privileged Remote Access (BT26-02-PRA, 25.1.1+). The rapid weaponization highlights how quickly defenders must patch critical systems. CISA also added four actively exploited flaws to its KEV catalog and set federal remediation deadlines in February and March 2026.

Rapid Drop in Time-to-Exploit from N-Day Vulnerabilities

🔒 Flashpoint reports that the median time between disclosure and exploitation fell 94% over five years, from 745 days in 2020 to 44 days in 2025. The vendor attributes the decline to rapid weaponization of researcher proof-of-concept code and the growing use of n-day exploits, which now represent over 80% of CVEs in its VulnDB KEV list. Attackers are combining turnkey exploits with mass-scanning tools to achieve large-scale compromise in hours. Limited asset inventories and a 'CVE blind spot' from vulnerabilities lacking CVE IDs further shrink defenders' remediation window.

Apple Patches Exploited dyld Zero-Day Across Devices

🔒 Apple released updates for iOS, iPadOS, macOS Tahoe, tvOS, watchOS and visionOS to fix an actively exploited zero-day, tracked as CVE-2026-20700, a memory corruption flaw in dyld that can permit arbitrary code execution when an attacker already has memory write capability. Google Threat Analysis Group (TAG) is credited with reporting the issue. Apple said the bug may have been used in extremely sophisticated targeted attacks and also issued related fixes for CVE-2025-14174 and CVE-2025-43529. Patches are available for supported recent devices, and additional updates address vulnerabilities in older OS releases.

Apple fixes dyld zero-day used in targeted attacks

🔒 Apple issued security updates to fix a zero-day in dyld (CVE-2026-20700) that was exploited in an extremely sophisticated targeted attack against specific individuals. Apple warns an attacker with memory write capability may be able to execute arbitrary code on affected devices. Patches are available in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3 and visionOS 26.3; users and administrators should install them immediately to reduce risk.

Microsoft Patches 59 Flaws, Six Actively Exploited

🔒 Microsoft released security updates fixing 59 vulnerabilities across Windows and related products, including six flaws Microsoft says are being actively exploited. The update includes five Critical, 52 Important and two Moderate fixes, addressing privilege escalation, remote code execution, spoofing and information disclosure. Microsoft and external researchers reported several actively exploited CVEs; CISA has added them to its KEV catalog with a March 3, 2026 remediation deadline for federal agencies.

Microsoft patches six actively exploited zero-days

🔒 Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which had been publicly disclosed. The issues include security feature bypasses in Windows Shell, MSHTML and Word, plus elevation-of-privilege and denial-of-service flaws affecting DWM, Remote Access Connection Manager and Remote Desktop Services. None of the six zero-days is rated Critical, and only five of the 58 patches this month were classed as Critical. Administrators should prioritise applying the updates and monitoring for exploitation.

February 2026 Patch Tuesday: Six Exploited Microsoft Bugs

🔒 Microsoft’s February 2026 Patch Tuesday delivers 60 fixes, including six vulnerabilities the vendor says are actively exploited. Three are security feature bypass flaws in Windows Shell, MSHTML and Office OLE mitigations; two permit local elevation to System, and one enables local denial-of-service. Experts note patches are straightforward and require no post-patch configuration, but prioritization of the bypasses and cloud-related issues is urgent.

BeyondTrust patches critical unauthenticated RCE flaw

🔒 BeyondTrust has released emergency patches to address a critical unauthenticated remote code execution vulnerability in self-hosted instances of Remote Support and Privileged Remote Access. Tracked as CVE-2026-1731 and discovered in January by Hacktron AI, the flaw is rated 9.9/10. BeyondTrust published Patch BT26-02-RS for RS 21.3–25.3.1 and Patch BT26-02-PRA for PRA 22.1–24.x; PRA 25.1+ are not affected and SaaS tenants were patched server-side. Around 11,000 RS instances are internet-exposed, roughly 8,500 of which are on-premises and need immediate patching.

Patch Tuesday: February 2026 — Six Zero-Day Fixes Security

🔒 Microsoft released February 2026 Patch Tuesday updates addressing more than 50 vulnerabilities, including six actively exploited zero-days. Patches cover security feature bypasses in Windows Shell, MSHTML and Word, elevation-of-privilege flaws in Remote Desktop Services and Desktop Window Manager, and a denial-of-service risk in the Remote Access Connection Manager. Administrators and developers are urged to prioritize testing and deployment, maintain recent backups, and apply least-privilege controls to limit exposure, particularly for AI-assisted development workflows.

Microsoft releases Windows 10 KB5075912 ESU update

🔒 Microsoft released the Windows 10 KB5075912 extended security update for ESU-enrolled systems and Enterprise LTSC installations to address February 2026 Patch Tuesday fixes, including six actively exploited zero-day vulnerabilities. After installation, affected systems are updated to build 19045.6937 (or 19044.6937 for LTSC 2021). The update also continues a phased rollout of replacement Secure Boot certificates and resolves a Secure Launch-related shutdown/hibernation issue.

Microsoft February 2026 Patch Tuesday: 6 Zero-Days Fixed

🔒 Microsoft released its February 2026 Patch Tuesday security update addressing 58 flaws, including six actively exploited zero-days and three that were publicly disclosed. The release fixes five Critical bugs and numerous elevation-of-privilege, remote code execution, and information disclosure issues across Windows and Office components. Microsoft also began a phased rollout of updated Secure Boot certificates to replace expiring 2011 certificates and has integrated built-in Sysmon functionality into Windows 11 insider builds.

SolarWinds WHD Under Active Attack via January Zero-Days

🔒 Analysis by Huntress shows SolarWinds Web Help Desk instances are being actively exploited through a chain of zero-day and previously disclosed deserialization flaws from late 2025 and January. The incidents combine two January zero-days—CVE-2025-40551 (deserialization RCE) and CVE-2025-40536 (authentication bypass)—with the earlier CVE-2025-26399. Organizations should urgently upgrade to WHD 2026.1, follow SolarWinds' release notes, reset service and admin credentials, and treat any unexpected Velociraptor, Cloudflared, or Zoho Assist activity and silent MSI installations as indicators of compromise.

European Governments Hit by Ivanti EPMM Zero-Day Breach

🔒 Several European government bodies reported breaches tied to a coordinated exploitation of Ivanti EPMM zero-day vulnerabilities disclosed on 29 January. Affected organizations include the European Commission, Finnish central agencies and at least two Dutch bodies, with as many as 50,000 Finnish staff details potentially exposed. Compromised data appears limited to names, work emails, phone numbers and device metadata; no device-level data has been confirmed. Authorities contained the incidents quickly, but security teams warn of elevated follow-on risks such as spearphishing, credential misuse and malicious configuration changes, and advise reassessing administrative credentials, keys and certificates.

Dutch Agencies Confirm Ivanti EPMM Zero-Day Breaches

🔒 Dutch authorities confirmed that the Dutch Data Protection Authority (AP) and the Council for the Judiciary reported system intrusions tied to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Investigators say unauthorized actors accessed work-related data such as names, business email addresses, phone numbers and device details. The European Commission and Finland's Valtori also reported traces of intrusion or confirmed breaches, with Valtori estimating up to 50,000 government employees affected.

February 2026 Patch Tuesday: Six Zero-Days, Five Criticals

🚨 Microsoft’s February 2026 updates address 59 vulnerabilities, including six actively exploited zero-days and five Critical issues. CrowdStrike identified the Windows Remote Desktop elevation-of-privilege (CVE-2026-21533) and observed exploitation against U.S. and Canadian organizations; other zero-days affect MSHTML, Windows Shell, Microsoft Word, Desktop Window Manager and Remote Access Connection Manager. Three Critical Azure service flaws were remediated in-platform while two Critical issues in Azure confidential containers require customer patching. CrowdStrike recommends timely updates, compensating controls, expanded detection/hunting, and use of the Falcon Exposure Management dashboard to prioritize and mitigate risk.

LLMs Accelerate Zero-Day Discovery: Opus 4.6 Advances

🔎 Claude Opus 4.6 markedly improves automated vulnerability discovery, finding high-severity bugs faster and without task-specific tooling. Unlike traditional fuzzers, which depend on massive random inputs, Opus 4.6 reads and reasons about code like a human researcher—spotting patterns, past fixes, and precise inputs that trigger failures. Early tests show it uncovered long-standing zero-days in projects previously subject to extensive fuzzing.

Active Exploitation of SolarWinds Web Help Desk Observed

⚠️ Microsoft Defender observed in-the-wild exploitation of internet-facing SolarWinds Web Help Desk, enabling unauthenticated remote code execution and arbitrary command execution within the application context. Post-exploitation behaviors included PowerShell using BITS to download payloads, installation of ManageEngine RMM components for interactive control, credential theft via DLL sideloading and LSASS access, and persistence through scheduled tasks and reverse SSH/RDP tunnels. Organizations should patch WHD, restrict public admin access, hunt for unauthorized RMM artifacts, and rotate exposed service and admin credentials.

WinRAR Windows Flaw Rapidly Exploited in Espionage

🔒 Check Point researchers say attackers rapidly weaponized CVE-2025-8088, a path traversal flaw in the Microsoft Windows version of WinRAR, to deliver crafted archives that execute arbitrary code and maintain persistence. The campaign used the open-source Havoc Framework and targeted government and law-enforcement organisations in Southeast Asia. Check Point attributes the activity to a group dubbed Amaranth-Dragon, whose tools and tactics resemble APT41. Organisations are advised to prioritise patching and monitor for suspicious archive files.

Attackers Abuse React2Shell to Hijack NGINX Traffic

🔒 Datadog Security Labs disclosed an active web-traffic hijacking campaign that leverages the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) to inject malicious nginx configurations. Attackers use multi-stage shell scripts to create proxy_pass rules that route requests to attacker-controlled backends, focusing on Asian and government/education TLDs and Baota management panels. GreyNoise telemetry links the activity to two dominant IPs and over 1,000 unique sources.