Microsoft Patches SharePoint RCE Flaw Enabling RCE Attacks
Microsoft SharePoint Remote Code Execution Vulnerability CVE-2026-45659 Patches Rolled out
Continue ReadingMicrosoft
Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out
Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.
As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.
CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.
(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
| CVE ID | Affected Product | Vulnerability Description | Potential Impact | Severity Rating |
|---|---|---|---|---|
| CVE-2026-41091 | Microsoft Malware Protection Engine | Vulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning engine | Privilege escalation allowing attackers to gain SYSTEM-level access | 🔴 Critical |
| CVE-2026-45498 | Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier | Vulnerability affecting Microsoft Defender and related endpoint protection platforms | Security risk impacting endpoint protection systems and enterprise security tools | 🟠 High |
CVE-2026-41091 vulnerability affects:
- The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
- By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
- With this access, attackers could potentially take full control of the affected device.
CVE-2026-45498 vulnerability affects:
Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.
As a result, users may experience:
- System slowdowns or freezes
- Security services stopping unexpectedly
CISA Adds the vulnerability in its KEV
For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.
On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.
Privilege Escalation Flaw:
The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.
mpengine.dll (Microsoft Malware Protection Engine) is responsible for:
- Malware scanning
- Threat detection
- File inspection
- Cleaning and remediation operations
- The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
- During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
- An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
CISA gave federal agencies until June 3 to ensure mitigation measures are in place.
Threat Mitigation advice from Microsoft:
“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.
Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.
It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.
One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.
The April 2026 vulnerabilities identified in Defender:
Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.
RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse”
For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.
RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
SIEM Helps Detect Exploitation
Privilege Escalation Detection (CVE-2026-41091)
The SIEM can correlate:
- Suspicious file write activity
- Abnormal SYSTEM privilege assignments
- Unexpected execution of privileged processes
- Defender engine (
mpengine.dll) anomalies - Unauthorized access attempts to protected system directories
DoS & Security Service Monitoring (CVE-2026-45498)
The SIEM can detect:
- Unexpected Microsoft Defender crashes
- Antimalware service restarts
- Endpoint protection failures
- Repeated system instability events
- Disabled or unavailable Defender services
This helps security teams identify attempts to disrupt endpoint protection mechanisms
Sources: Security Update Guide – Microsoft Security Response Center
Sources:
ZeroDay Vulnerability ‘MiniPlasma’ Grant’s Attackers SYSTEM privileges
A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
- The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
- Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
- The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
- The exploit reportedly abuses:
- Weak access validation
- Registry interactions
- Undocumented Windows APIs
- Logic flaws in the cloud synchronization subsystem
How enterprise will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.
Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .
Sources: Windows MiniPlasma Zero-Day Exposes SYSTEM Access Risk
Copy Fail Bug, A Critical Local Privilege Escalation in Linux Kernel Exploited in the wild
Copy Fail vulnerability in Kernel Linux
Continue Reading
Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2026-04-14 |
| No. of Vulnerability | 165 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
- 165 Microsoft CVEs
- 82 Non Microsoft CVEs
Breakdown of April 2026 Vulnerabilities
- 93 Elevation of Privilege (EoP)
- 20 Remote Code Execution
- 21 Information Disclosure
- 10 Denial of Service (DoS)
- 9 Spoofing
- 13 Security Feature Bypass
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Internet Key Exchange (IKE) Service Extensions RCE | CVE-2026-33824 | Windows IKE Service | Critical | 9.8 |
| Windows TCP/IP Remote Code Execution (Wormable via IPv6) | CVE-2026-33827 | Windows TCP/IP Stack | Critical | 9.8 |
| Windows Active DirectoryRemote Code Execution | CVE-2026-33826 | Windows Active Directory | Critical | 9.1 |
| Remote Desktop Client Remote Code Execution | CVE-2026-32157 | Remote Desktop Client | High | 8.8 |
| Microsoft Office Remote Code Execution (Preview Pane) | CVE-2026-32190 | Microsoft Office | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33114 | Microsoft Word | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33115 | Microsoft Word | High | 8.4 |
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2026-33824 | Windows IKE Service Extensions | Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required | Remote Code Execution |
| CVE-2026-32190 | Microsoft Office | Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file | Remote Code Execution |
| CVE-2026-33114 / 33115 | Microsoft Word | Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains | Remote Code Execution |
| CVE-2026-32157 | Remote Desktop Client | RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios | Remote Code Execution |
| CVE-2026-33827 | Windows TCP/IP Stack | Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks | Remote Code Execution |
| CVE-2026-33826 | Windows Active Directory | Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining | Remote Code Execution |
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
- Windows Core Components
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
- Microsoft Office Suite
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
- SharePoint & Collaboration
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
- Microsoft Defender
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
- .NET Framework & Developer Tools
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
- Azure & Cloud Services
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
- SQL Server
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
- Apply April 2026 security updates on all Windows systems as a priority
Here are some recommendations
- Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
- Ensure Microsoft Defender and other security components are updated to the latest platform versions.
- Review network exposure and apply temporary mitigations where patching may be delayed.
- Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
- Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.
Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
References:
- https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
- https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
- https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
Microsoft Patch Tuesday Feb-2026, Critical Azure RCE & Windows EoP & 0-Days
Microsoft’s February 2026 Patch Tuesday
Continue Reading
Microsoft Released Emergency Security Updates; Patches Microsoft Office 0-Day Vulnerability
Microsoft Released Emergency Security Updates
Continue Reading
Microsoft Fixes 113 Vulnerabilities & 1 Actively Exploited 0-Day in First Patch Released -Jan2026
Microsoft Patch Tuesday 2026 Jan
Continue Reading
Microsoft Patched Critical Azure Bastion Elevation of Privilege Vulnerability
Azure Bastion Elevation of Privilege Vulnerability CVE-2025-49752
Continue Reading
Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now
Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-11-11 |
| No. of Patches | 63 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview : Key Updates on Patch Tuesday
The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe.
This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems.
Here are the CVE addresses for Microsoft & non-Microsoft:
- 63 Microsoft CVEs addressed
- 5 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
- 29 Elevation of Privilege (EoP)
- 16 Remote Code Execution (RCE)
- 11 Information Disclosure
- 3 Denial of Service (DoS)
- 2 Security Feature Bypass
- 2 Spoofing
Source: Microsoft
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) | CVE-2025-62215 | Windows 10, 11, Server 2016–2022 | Critical | 9.0 |
| Microsoft Office Use-After-Free Remote Code Execution Vulnerability | CVE-2025- 62199 | Microsoft Office (Word/Excel/Office Suite) | Critical | 9.8 |
| Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability | CVE-2025-30398 | Nuance PowerScribe 360 | Critical | 9.1 |
| Windows DirectX Graphics Kernel Use-After-Free Vulnerability | CVE-2025-60716 | Windows DirectX Graphics Kernel | Critical | 8.8 |
| Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability | CVE-2025-60724 | Microsoft Graphics Component (GDI+) | Critical | 8.7 |
| Visual Studio Command Injection Remote Code Execution Vulnerability | CVE-2025-62214 | Microsoft Visual Studio / Visual Studio Code | Critical | 8.1 |
Technical Summary
The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.
Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62215 | Windows Kernel | Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) | Elevation of Privilege |
| CVE-2025-62199 | Microsoft Office | Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns | Remote Code Execution |
| CVE-2025-30398 | Nuance PowerScribe 360 | Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network | Information Disclosure |
| CVE-2025-60716 | Windows DirectX Graphics Kernel | Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system | Elevation of Privilege |
| CVE-2025-60724 | Microsoft GDI+ | Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files | Remote Code Execution |
| CVE-2025-62214 | Visual Studio | Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments | Remote Code Execution |
Source: Microsoft
In addition to several other Important severity vulnerabilities were addressed below –
- CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation.
- CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation.
- CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access.
- CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution.
- CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE.
- CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE.
- CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability.
- CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs.
- CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing.
- CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities.
Source: Microsoft, bleepingcompute, cybersecuritynews
Key Affected Products and Services
The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
- Windows Core Components
Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems.
- Microsoft Office Suite
Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities.
- Azure & Cloud Services
Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors.
- Graphics Components
Patches for GDI+, DirectX, WSL GUI.
- Developer Tools
Updates for Visual Studio, Visual Studio Code, and GitHub Copilot.
- Third-Party Applications
Patches for Nuance PowerScribe (Medical domain).
- Mobile Platform Technologies
Updates for Microsoft OneDrive for Android.
Remediation:
- Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems.
Here are some recommendations below
- Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes.
- Ensure Windows 10 ESU enrollment for extended support systems.
- Restrict local admin privileges and enforce least-privilege access.
- Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity.
- Segment critical systems and disable unused network services (RRAS, SMB).
Conclusion:
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio.
Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world.
References: