A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
The exploit reportedly abuses:
Weak access validation
Registry interactions
Undocumented Windows APIs
Logic flaws in the cloud synchronization subsystem
How enterprise will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.
Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
OEM
Microsoft
Severity
Critical
Date of Announcement
2026-04-14
No. of Vulnerability
165
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
165 Microsoft CVEs
82 Non Microsoft CVEs
Breakdown of April 2026 Vulnerabilities
93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE
CVE-2026-33824
Windows IKE Service
Critical
9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)
CVE-2026-33827
Windows TCP/IP Stack
Critical
9.8
Windows Active DirectoryRemote Code Execution
CVE-2026-33826
Windows Active Directory
Critical
9.1
Remote Desktop Client Remote Code Execution
CVE-2026-32157
Remote Desktop Client
High
8.8
Microsoft Office Remote Code Execution (Preview Pane)
CVE-2026-32190
Microsoft Office
High
8.4
Microsoft Word Remote Code Execution (Preview Pane)
CVE-2026-33114
Microsoft Word
High
8.4
Microsoft Word Remote Code Execution (Preview Pane)
CVE-2026-33115
Microsoft Word
High
8.4
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2026-33824
Windows IKE Service Extensions
Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required
Remote Code Execution
CVE-2026-32190
Microsoft Office
Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file
Remote Code Execution
CVE-2026-33114 / 33115
Microsoft Word
Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains
Remote Code Execution
CVE-2026-32157
Remote Desktop Client
RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios
Remote Code Execution
CVE-2026-33827
Windows TCP/IP Stack
Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks
Remote Code Execution
CVE-2026-33826
Windows Active Directory
Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining
Remote Code Execution
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
Windows Core Components
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
Microsoft Office Suite
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
SharePoint & Collaboration
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
Microsoft Defender
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
.NET Framework & Developer Tools
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
Azure & Cloud Services
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
SQL Server
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
Apply April 2026 security updates on all Windows systems as a priority
Here are some recommendations
Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.
Conclusion: April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.
OEM
Microsoft
Severity
Critical
Date of Announcement
2025-11-11
No. of Patches
63
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview : Key Updateson Patch Tuesday
The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe.
This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems.
Here are the CVE addresses for Microsoft & non-Microsoft:
63 Microsoft CVEs addressed
5 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
29 Elevation of Privilege (EoP)
16 Remote Code Execution (RCE)
11 Information Disclosure
3 Denial of Service (DoS)
2 Security Feature Bypass
2 Spoofing
Source: Microsoft
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild)
CVE-2025-62215
Windows 10, 11, Server 2016–2022
Critical
9.0
Microsoft Office Use-After-Free Remote Code Execution Vulnerability
CVE-2025- 62199
Microsoft Office (Word/Excel/Office Suite)
Critical
9.8
Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability
CVE-2025-30398
Nuance PowerScribe 360
Critical
9.1
Windows DirectX Graphics Kernel Use-After-Free Vulnerability
CVE-2025-60716
Windows DirectX Graphics Kernel
Critical
8.8
Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability
CVE-2025-60724
Microsoft Graphics Component (GDI+)
Critical
8.7
Visual Studio Command Injection Remote Code Execution Vulnerability
CVE-2025-62214
Microsoft Visual Studio / Visual Studio Code
Critical
8.1
Technical Summary
The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.
Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-62215
Windows Kernel
Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild)
Elevation of Privilege
CVE-2025-62199
Microsoft Office
Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns
Remote Code Execution
CVE-2025-30398
Nuance PowerScribe 360
Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network
Information Disclosure
CVE-2025-60716
Windows DirectX Graphics Kernel
Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system
Elevation of Privilege
CVE-2025-60724
Microsoft GDI+
Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files
Remote Code Execution
CVE-2025-62214
Visual Studio
Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments
Remote Code Execution
Source: Microsoft
In addition to several other Important severity vulnerabilities were addressed below –
The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
Windows Core Components
Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems.
Microsoft Office Suite
Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities.
Azure & Cloud Services
Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors.
Graphics Components
Patches for GDI+, DirectX, WSL GUI.
Developer Tools
Updates for Visual Studio, Visual Studio Code, and GitHub Copilot.
Third-Party Applications
Patches for Nuance PowerScribe (Medical domain).
Mobile Platform Technologies
Updates for Microsoft OneDrive for Android.
Remediation:
Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems.
Here are some recommendations below
Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes.
Ensure Windows 10 ESU enrollment for extended support systems.
Restrict local admin privileges and enforce least-privilege access.
Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity.
Segment critical systems and disable unused network services (RRAS, SMB).
Conclusion: Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio.
Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world.
Summary: Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.
Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.
The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services.
OEM
Microsoft
Severity
Critical
Date of Announcement
2025-10-14
No. of Patches
175
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected.
Here are the CVE addresses for Microsoft & non-Microsoft:
175 Microsoft CVEs addressed
21 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
80 Elevation of Privilege (EoP)
31 Remote Code Execution (RCE)
28 Information Disclosure
11 Denial of Service (DoS)
11 Security Feature Bypass
12 Spoofing
2 Tampering
Source: Microsoft
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Windows Agere Modem Driver Elevation of Privilege Vulnerability
CVE-2025-24990
Windows 10, 11, Server 2016-2022
High
7.8
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2025-59230
Windows 10, 11, Server 2016-2022
High
7.8
Secure Boot Bypass Vulnerability in IGEL OS
CVE-2025-47827
IGEL OS
Medium
4.6
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
CVE-2025-59287
Windows Server
Critical
9.8
Microsoft Office Remote Code Execution Vulnerability
CVE-2025-59234
Microsoft Office
High
7.8
Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-59236
Microsoft Excel (2016-2021)
High
8.4
Technical Summary
October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.
3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.
Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-24990
Windows Agere Modem Driver
Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware
Privilege Escalation
CVE-2025-59230
Windows Remote Access Connection Manager
Improper access control allows local attackers to gain SYSTEM privileges
CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical)
CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical)
Key Affected Products and Services
Windows Core and Security Components
Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher.
Microsoft Office Suite
Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution.
Azure and Cloud Services
Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances.
Virtualization and Hyper-V
Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks.
Developer and Management Tools
Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation.
Communication & File Services
Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks.
Browsers and Web Technologies
Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs.
Remediation:
Install the October 2025 security updates immediately to mitigate risks.
Here are some recommendations below
Use EDR tools to monitor any indicators like Office crashes or logs.
Disable unused services to prevent any remote access or other exploitation.
Apply least privilege access in Office and Azure environments.
Segment networks to reduce any lateral movement.
Conclusion: Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure.
September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.
This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.
Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation.
OEM
Microsoft
Severity
Critical
Date of Announcement
2025-09-09
No. of Patches
86
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
Overview
Here are the CVE addressed for Microsoft & non-Microsoft
81 Microsoft CVEs addressed
5 non-Microsoft CVEs addressed
Breakdown of September 2025 Vulnerabilities
41 Elevation of Privilege (EoP)
22 Remote Code Execution (RCE)
16 Information Disclosure
4 Denial of Service (DoS)
2 Security Feature Bypass
1 Spoofing
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Windows SMB Elevation of Privilege Vulnerability
CVE-2025-55234
Windows Server, Windows 10, 11
High
8.8
Improper Handling of Exceptional Conditions in Newtonsoft.Json
CVE-2024-21907
Microsoft SQL Server
High
7.5
Technical Summary
September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.
One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.
Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-55234
Microsoft SMB Server
Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege.
Privilege Escalation
CVE-2024-21907
Newtonsoft.Json < 13.0.1
Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition.
Denial of Service
Source: Microsoft and NVD
In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed
CVE‑2025‑55232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface.
CVE‑2025‑54918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems.
CVE‑2025‑54110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations.
CVE‑2025‑54098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments.
CVE‑2025‑54916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges.
Key Affected Products and Services
The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
Windows Core and Security Components
Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher.
Microsoft Office Suite
Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors.
Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks.
Developer and Management Tools
Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation.
Communication & File Services
Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments.
Browsers and Web Technologies
Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats.
Remediation:
Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks.
Conclusion: Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.
Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.
Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.
“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.
Recent Comments