windows

Windows Zero-Day Barrage Continues After Patch Tuesday

Security researcher “Nightmare Eclipse” has disclosed six Windows zero-day vulnerabilities over the past six weeks, including new flaws named YellowKey, GreenPlasma, and MiniPlasma, following Microsoft's May 2026 Patch Tuesday. These vulnerabilities enable severe attacks such as bypassing BitLocker encryption, privilege escalation, and disabling Microsoft Defender, with some already actively exploited, highlighting significant ongoing security challenges for Windows users despite patches.

https://www.darkreading.com/cyberattacks-data-breaches/windows-zero-day-barrage-continues-after-patch-tuesday

Microsoft’s MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday

Microsoft has introduced MDASH, a multi-model AI-driven system designed to autonomously discover, validate, and prove exploitable vulnerabilities in complex codebases like Windows. Tested in a private preview, MDASH identified 16 flaws fixed in the latest Patch Tuesday, including critical remote code execution vulnerabilities in Windows networking and authentication components. This system represents a production-grade advancement in AI vulnerability discovery by orchestrating over 100 specialized AI agents to enhance security at enterprise scale.

https://thehackernews.com/2026/05/microsofts-mdash-ai-system-finds-16.html

Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws

Microsoft released patches addressing 138 security vulnerabilities across its product portfolio, including critical remote code execution flaws in Windows DNS and Netlogon components. These fixes, part of the May 2026 Patch Tuesday, also involve privilege escalation, information disclosure, and spoofing issues, with several vulnerabilities identified through Microsoft's new AI-driven discovery system, highlighting the growing role of AI in vulnerability detection.

https://thehackernews.com/2026/05/microsoft-patches-138-vulnerabilities.html

New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes

A new tool called BitUnlocker exploits a vulnerability in Windows 11's BitLocker encryption, allowing attackers with physical access to decrypt protected volumes in under five minutes by using a downgrade attack on the boot manager. The attack leverages an unrevoked legacy signing certificate, enabling a pre-patch vulnerable boot manager to pass Secure Boot validation, but Microsoft mitigations like enabling TPM+PIN authentication and deploying update KB5025885 can protect systems against this exploit.

https://cybersecuritynews.com/bitunlocker-downgrade-attack-on-windows-11/

CISA Warns Microsoft Windows Shell 0-Click Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability in the Microsoft Windows Shell, tracked as CVE-2026-32202, which is actively being exploited. This vulnerability allows attackers to perform network spoofing, potentially intercepting sensitive data and bypassing access controls, prompting CISA to mandate immediate patching by May 12, 2026, particularly for federal agencies, while strongly urging all organizations to apply mitigations to protect their networks.

https://cybersecuritynews.com/windows-shell-0-click-vulnerability/

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Microsoft has confirmed active exploitation of a high-severity Windows Shell vulnerability (CVE-2026-32202) that allows unauthorized attackers to perform spoofing and access sensitive information. This zero-click exploit, linked to an incomplete patch for CVE-2026-21510 and used by the Russian state-sponsored group APT28, enables credential theft through automatic network authentication when victims open malicious Windows Shortcut files, highlighting ongoing risks despite recent patches.

https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html

Exploits Turn Windows Defender Into Attacker Tool

Threat actors are exploiting three publicly available proof-of-concept vulnerabilities—BlueHammer, RedSun, and UnDefend—to turn Microsoft Defender's built-in security functions against the systems it is meant to protect, enabling SYSTEM-level access and disrupting update mechanisms. While Microsoft has patched BlueHammer, the other two remain unpatched, and these exploits are actively used in targeted attacks that highlight systemic validation weaknesses in Defender’s privileged workflows, underscoring the need for updated defenses and multi-factor authentication for remote access.

https://www.darkreading.com/cyberattacks-data-breaches/exploits-turn-windows-defender-attacker-tool

The Who, What, and Why of the Attack That Has Shut Down Stryker’s Windows Network

Stryker, a major multinational medical device supplier, confirmed a cyberattack that disrupted much of its Microsoft network, with a hacking group called Handala Hack—linked to the Iranian government—claiming responsibility. The attack, suspected to have involved remote wiping of devices via Microsoft’s InTune tool rather than typical malware, followed recent US and Israeli airstrikes on Iran, suggesting retaliation through cyber means. Despite the disruption, Stryker’s critical medical devices remain operational, though the company has not yet provided a timeline for full recovery.

https://arstechnica.com/security/2026/03/whats-known-about-wiper-attack-on-stryker-a-major-supplier-of-lifesaving-devices/

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Microsoft revealed a new phishing campaign, ClickFix, using Windows Terminal to deploy Lumma Stealer malware. The campaign tricks users into executing commands via a trusted app, bypassing detection methods aimed at the Run dialog. It executes a multi-stage attack: downloading and extracting malicious scripts, collecting credentials from browsers, and establishing persistence. The malware targets sensitive data, emphasizing the risks of social engineering tactics in cybersecurity.

https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html

WSL in the Malware Ecosystem

WSL (Windows Subsystem for Linux) enables running a Linux environment on Windows, allowing developers and cybersecurity workflows to leverage Linux tools. It poses security risks, as malware can exploit WSL by checking for its presence and executing commands. An infostealer trojan, “ottercookie-socketScript-module-3.js,” utilizes WSL to access the Windows filesystem and obtain user information.

https://isc.sans.edu/diary/rss/32704

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan

New Clickfix variant ‘CrashFix' uses social engineering to deploy Python Remote Access Trojan. It disrupts browsers, luring users into executing malicious commands after a deceptive browser extension installation. Attackers exploit native OS utilities to bypass defenses, emphasizing the need for behavior-based detection and user awareness. The model connects to C2 servers to gather information and maintain future access, highlighting evolving attack techniques. Organizations are urged to enable cloud protection and restrict unnecessary outbound access to mitigate risks.

https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/

CISA Warns Microsoft Windows Users—Log Out And Shut Down

CISA advises Microsoft Windows users to back up their data, log out, and fully shut down devices if they will be left unattended over the holidays. This reduces the risk of in-person or remote cyber threats and is especially important given the rise in online shopping scams and cyberattacks. Simple actions like powering down and backing up provide stronger protection during the holiday season.

https://www.forbes.com/sites/zakdoffman/2025/12/09/cisa-warns-microsoft-windows-users-log-out-and-shut-down/

Ransomware IAB Abuses EDR for Stealthy Malware Execution

Ransomware group Storm-0249 exploits EDR tools like SentinelOne to stealthily execute malware. Using social engineering, they trick users into running malicious commands that lead to DLL side-loading, making attacks appear as normal EDR processes, thus evading detection. Recommendations include behavior-based detection and stricter controls on execution of potentially harmful commands.

https://www.bleepingcomputer.com/news/security/ransomware-iab-abuses-edr-for-stealthy-malware-execution/

Microsoft “mitigates” Windows LNK Flaw Exploited as Zero-day

Microsoft mitigated a severe Windows LNK vulnerability exploited by state and cybercrime groups (CVE-2025-9491), allowing attackers to conceal malicious operations in LNK files, requiring user interaction to execute. Despite initial inaction, Microsoft silently adjusted LNK file visibility in June 2025, while unofficial patches have been offered to limit risks until a thorough fix is provided.

https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/

New ClickFix Wave Infects Users With Hidden Malware in Images and Fake Windows Updates

New ClickFix campaign mimics Windows updates to distribute malware. Attackers use fake update screens prompting users to run commands, leading to infections via steganography embedded in images. Users are urged to be cautious with commands from untrusted sources, limit copy-pasting, and utilize antivirus software for protection.

https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates

Scroll to Top