Google Releases Exploit Code for Unpatched Chromium Flaws
Chrome Browser Vulnerabilities
Continue ReadingPosts
Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out
Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.
As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.
CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.
(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
| CVE ID | Affected Product | Vulnerability Description | Potential Impact | Severity Rating |
|---|---|---|---|---|
| CVE-2026-41091 | Microsoft Malware Protection Engine | Vulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning engine | Privilege escalation allowing attackers to gain SYSTEM-level access | 🔴 Critical |
| CVE-2026-45498 | Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier | Vulnerability affecting Microsoft Defender and related endpoint protection platforms | Security risk impacting endpoint protection systems and enterprise security tools | 🟠 High |
CVE-2026-41091 vulnerability affects:
- The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
- By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
- With this access, attackers could potentially take full control of the affected device.
CVE-2026-45498 vulnerability affects:
Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.
As a result, users may experience:
- System slowdowns or freezes
- Security services stopping unexpectedly
CISA Adds the vulnerability in its KEV
For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.
On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.
Privilege Escalation Flaw:
The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.
mpengine.dll (Microsoft Malware Protection Engine) is responsible for:
- Malware scanning
- Threat detection
- File inspection
- Cleaning and remediation operations
- The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
- During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
- An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
CISA gave federal agencies until June 3 to ensure mitigation measures are in place.
Threat Mitigation advice from Microsoft:
“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.
Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.
It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.
One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.
The April 2026 vulnerabilities identified in Defender:
Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.
RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse”
For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.
RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
SIEM Helps Detect Exploitation
Privilege Escalation Detection (CVE-2026-41091)
The SIEM can correlate:
- Suspicious file write activity
- Abnormal SYSTEM privilege assignments
- Unexpected execution of privileged processes
- Defender engine (
mpengine.dll) anomalies - Unauthorized access attempts to protected system directories
DoS & Security Service Monitoring (CVE-2026-45498)
The SIEM can detect:
- Unexpected Microsoft Defender crashes
- Antimalware service restarts
- Endpoint protection failures
- Repeated system instability events
- Disabled or unavailable Defender services
This helps security teams identify attempts to disrupt endpoint protection mechanisms
Sources: Security Update Guide – Microsoft Security Response Center
Sources:
Claude Code network sandbox; Now Attackers can Exfiltrate Data, Bypass Flaw
Claude Code’s Network Sandbox Flaw Enable Data Exfiltration
Continue Reading
GitHub’s Repositories Targeted by TeamPCP
securing Git repositories is no longer optional, it’s essential.
Continue Reading
Security Vulnerabilities in NGINX Causing DoS in RCE
NGINX rewrite module, is used to redirect or modify web requests.
The NGINX vulnerability known as CVE-2026-42945, is a programming mistake in the software where it writes or reads more data in memory than it should, causing a heap buffer overflow and is 18 year old, where in certain rewrite rules are configured in a vulnerable way.
This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, missed by scanners and humans over the years.
The attack can be leveraged & Potential Impact
Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well.
- Crash or restart the NGINX server remotely
- Cause websites or applications to become unavailable
- Launch Denial-of-Service (DoS) attacks
In worst case if a Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:
- Attackers may be able to run malicious code on the server
- This could potentially lead to full server compromise
- Attackers require no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
- Exploitation is already happening in real-world attacks
- The vulnerable code has reportedly existed for nearly 18 years
| Vulnerability | Details |
|---|---|
| CVE ID | CVE-2026-42945 |
| Severity | High / Critical |
| Affected Product | NGINX OSS & NGINX Plus |
| Impact | DoS / Possible Remote Code Execution |
| Attack Requirement | Specially crafted web requests |
| Authentication Needed | No |
Researchers also found additional medium-severity vulnerabilities affecting:
- HTTP/3 QUIC module
- HTTP/2 proxy mode
- SSL module
- SCGI and uWSGI modules
- Charset handling module
These may cause:
- Memory exhaustion
- Data leakage
- Spoofing attacks
- Service instability
This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.
Immediate Patching Recommendation
Upgrade to the latest patched NGINX versions immediately.
- Review and modify vulnerable rewrite rules.
- Restrict unnecessary internet exposure of NGINX servers.
- Monitor for unexpected NGINX crashes or restarts.
- Ensure ASLR and other OS-level security protections remain enabled.
The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.
How GaarudNode Helps Secure Against This Vulnerability
GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.
| Security Capability | How It Helps |
|---|---|
| Continuous OS & Infrastructure Vulnerability Scanning | Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads |
| Missing Patch Detection | Identifies systems missing critical NGINX security updates and tracks remediation status |
| Misconfiguration Assessment | Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw |
| CSPM (Cloud Security Posture Management) | Identifies internet-exposed NGINX instances and insecure cloud deployments |
| Network Security Visibility | Detects externally exposed web services and risky attack surfaces |
| Runtime Monitoring (Shift Right) | Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts |
| Risk Prioritization | Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation |
| Unified Risk Dashboard | Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks |
Sources: NGINX: DoS vulnerability is being attacked | heise online
ZeroDay Vulnerability ‘MiniPlasma’ Grant’s Attackers SYSTEM privileges
A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
- The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
- Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
- The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
- The exploit reportedly abuses:
- Weak access validation
- Registry interactions
- Undocumented Windows APIs
- Logic flaws in the cloud synchronization subsystem
How enterprise will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.
Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .
Sources: Windows MiniPlasma Zero-Day Exposes SYSTEM Access Risk
Open Claw Vulnerabilities Reflect AI Agents Operate with High privilege
Open Claw Vulnerabilities Reflect How AI Agents Operate with High privilege
Continue Reading
New Malware Framework Highlight Attackers Tactics; Gain Browser Access
New malware TencShell, a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework targets manufacturing based enterprises. The malware’s activity appeared in traffic associated with a third-party user connected to the customer environment. The malware framework is based on screen control, browser artifact access and User Account Control (UAC) bypass that highlights how attackers are increasingly adapting open-source tools for real-world intrusions. Their attack pattern reveal careful design that can blend into normal enterprise traffic.
The tactics was revealed in April 2026, when Cato CTRL identified and blocked an attempted intrusion against a global manufacturing customer involving TencShell.
The malware has been previously undocumented, Go-based implant derived from the open-source Rshell C2 framework.
The activity appeared in traffic associated with a third-party user connected to the customer environment.
Malware attack chain
The attack chain used a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication.
Activity noticed an suspected China-linked based on the apparent Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns, While this pattern is relevant to our suspected China-linked assessment, it is not sufficient on its own for attribution.
If successful, TencShell could have given the attacker remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling. We blocked the attempt before the attacker could establish durable remote control.
Command & control framework
A C2 framework deployed through third-party access can turn a trusted business connection into an attacker-controlled bridge.
According to Cato CTRL, TencShell is a customized, Go-based implant derived from the open-source Rshell in C2 framework.
Security analysts suspect the malware has ties to Chinese threat actors, largely due to its infrastructure patterns and its clever impersonation of Tencent API services, which are designed to camouflage malicious communication.
If TencShell had installed successfully, the attacker could potentially execute commands, inspect files, steal credentials or session material, stage additional tools, proxy traffic through the endpoint, and move toward internal systems that are not directly exposed to the internet.
Business Risk for manufacturers posed by the Malware
From the standpoint of manufacturers across the globe, the business risk extends beyond. If any endpoint connected is compromised to a regional site can further expose supplier relationships, production workflows, intellectual property, customer data, logistics processes and business continuity.
The C2 framework gives the attacker the control needed to decide what comes next.
What can attackers do from operational standpoint
To evade endpoint defenses, attackers can execute inline binaries, load dynamic link libraries and run .NET assemblies directly from memory.
The framework also enables operators to establish SOCKS5 proxies, allowing them to tunnel traffic and pivot deeper into segmented internal systems.
TencShell is derived from Rshell, an open-source Go-based C2 framework designed for cross-platform offensive security use. The original Rshell project includes remote command execution, file and process management, terminal access, in-memory payload execution, multiple C2 transports, and an MCP server. The version we observed was customized and repackaged for this operation, with communication and delivery changes that made it more suitable for the attacker’s campaign.
Embedded Go source paths in TencShell exposed the Reacon project structure and the threat actor user, as shown in Figure 1.
Figure 1. TencShell Go paths revealing the threat actor’s REACON project
Conclusion: The framework for Malware classification system (MCS) if adopted to analyze malware behavior dynamically using a concept of information theory and a machine learning technique will be useful for manufacturing organizations.
Any proposed framework will extracts behavioral patterns from execution reports of malware in terms of its features and generates a data repository. The specific aim of any proposed framework detects the family of unknown malware samples after training of a classifier from malware data repository.
Security researchers have the opinion, attackers no longer need custom malware development pipelines to conduct sophisticated intrusions. Adaptable open-source tooling is often enough for implementation and TencShell appears to have been customized from Rshell into a practical post-exploitation implant with web-like C2 communication. This assited the attacker to adapt available offensive tooling and attempted to blend the activity into normal enterprise traffic.
Sources: https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
Critical Vulnerability in Exim Affects Exim Mail Transfer Agent
Security updates released for Exim Mail Transfer Agent (MTA) and addressed multiple possible remote-triggered critical vulnerabilities allowing RCE.
The flaw affected outdated Exim deployments. It is a user-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.
Exim is a widely used open-source mail transfer agent deployed across enterprise, ISP, academic, and government infrastructures for internet-connected Unix systems. CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It impacts Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.
The Exim Project has confirmed
- All versions prior to 4.99.3 are obsolete.
- Legacy 3.x versions are more than 20 years outdated and should no longer be used.
- Version 4.99.3 is the latest security release addressing remotely triggerable issues.
The vulnerability impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a user-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.
There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of Exim is quite different.
Vulnerability Exploitation
Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.
Findings from EXBOW research:
XBOW Native successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and non-PIE (Position Independent Executables) binary.
In a second attempt, the LLM achieved an exploit on a machine with ASLR, but still a non-PIE binary.
“[…] instead of continuing to attack glibc’s allocator with off-the-shelf mechanisms, XBOW Native had taken on Exim’s own allocator,” XBOW researchers say.
Despite the surprising result below, it was the human researcher who won the race, with assistance from the LLM for tasks such as assembling files and testing exploitation avenues.
Threat actors commonly target internet-facing mail transfer agents due to their direct exposure to external networks and critical role in enterprise communication infrastructure.
Threat Context
| Security Area | Details |
|---|---|
| Product | Exim Mail Transfer Agent (MTA) |
| Current Secure Version | 4.99.3 |
| Affected Versions | All versions prior to 4.99.3 |
| Legacy Risk | Exim 3.x releases are obsolete |
| Attack Surface | Internet-facing SMTP services |
| Potential Impact | Remote exploitation, mail service compromise, unauthorized access |
Indicators of Concern (IoCs / Risk Indicators)
| Type | Indicator | Description |
|---|---|---|
| Network Activity | Unusual SMTP connections | Suspicious external mail interactions |
| Service Behaviour | Unexpected Exim crashes/restarts | Possible exploitation attempts |
| Log Activity | Unauthorized mail relay events | Potential abuse of mail routing |
| Authentication | Unknown SMTP authentication attempts | Credential abuse indicators |
| System Activity | Unexpected child process execution | Possible remote code execution attempts |
Mitigations
- Upgrade all Exim installations to version 4.99.3 immediately.
- Identify and decommission obsolete Exim 3.x deployments.
- Restrict unnecessary external exposure of SMTP services.
- Audit mail server configurations and relay permissions.
For users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers.
Sources: Exim Remote Code Execution Vulnerability
Sources: New critical Exim mailer flaw allows remote code execution