A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
The exploit reportedly abuses:
Weak access validation
Registry interactions
Undocumented Windows APIs
Logic flaws in the cloud synchronization subsystem
How enterprise will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.
Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
OEM
Microsoft
Severity
Critical
Date of Announcement
2026-04-14
No. of Vulnerability
165
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
165 Microsoft CVEs
82 Non Microsoft CVEs
Breakdown of April 2026 Vulnerabilities
93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE
CVE-2026-33824
Windows IKE Service
Critical
9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)
CVE-2026-33827
Windows TCP/IP Stack
Critical
9.8
Windows Active DirectoryRemote Code Execution
CVE-2026-33826
Windows Active Directory
Critical
9.1
Remote Desktop Client Remote Code Execution
CVE-2026-32157
Remote Desktop Client
High
8.8
Microsoft Office Remote Code Execution (Preview Pane)
CVE-2026-32190
Microsoft Office
High
8.4
Microsoft Word Remote Code Execution (Preview Pane)
CVE-2026-33114
Microsoft Word
High
8.4
Microsoft Word Remote Code Execution (Preview Pane)
CVE-2026-33115
Microsoft Word
High
8.4
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2026-33824
Windows IKE Service Extensions
Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required
Remote Code Execution
CVE-2026-32190
Microsoft Office
Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file
Remote Code Execution
CVE-2026-33114 / 33115
Microsoft Word
Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains
Remote Code Execution
CVE-2026-32157
Remote Desktop Client
RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios
Remote Code Execution
CVE-2026-33827
Windows TCP/IP Stack
Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks
Remote Code Execution
CVE-2026-33826
Windows Active Directory
Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining
Remote Code Execution
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
Windows Core Components
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
Microsoft Office Suite
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
SharePoint & Collaboration
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
Microsoft Defender
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
.NET Framework & Developer Tools
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
Azure & Cloud Services
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
SQL Server
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
Apply April 2026 security updates on all Windows systems as a priority
Here are some recommendations
Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.
Conclusion: April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw
A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.
Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.
This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates.
OEM
Apple
Severity
Critical
CVSS
9.8
CVEs
CVE-2025-24118
Exploited in Wild
No
Publicly POC Available
Yes
Patch/Remediation Available
Yes
Advisory Version
1.0
Overview
A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.
Vulnerability Name
CVE ID
Product Affected
Severity
Race Condition Vulnerability
CVE-2025-24118
Apple
Critical
Technical Summary
This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-24118
macOS Sonoma prior to 14.7.3 macOS Sequoia prior to 15.3 iPadOS prior to 17.7.4
A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition.
Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk.
Conclusion:
CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.
CVE-2025-24085 is a zero-day vulnerability in Apple’s “Core Media framework” which enables malicious applications to potentially gain elevated privileges on impacted devices. It falls under the “Memory Corruption vulnerability category”, posing significant security risks such as unauthorized access to sensitive data or potential device control.
OEM
Apple Inc
Severity
High
CVEs
CVE-2025-24085
Exploited in Wild
Yes
Patch/Remediation Available
Yes
Advisory Version
1.0
Vulnerability Name
CVE ID
Product Affected
Severity
Affected Version
Privilege escalation vulnerability
CVE-2025-24085
Apple
High
iPhone-XS and later, macOS Sequoia iPad-Pro (3rd generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later) Apple Watch: Series 6 and later Apple TV: All models
Technical Summary
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-24085
iPhone, iPad, Mac, Apple Watch, Apple TV
CVE-2025-24085 is a memory management vulnerability in Apple’s Core Media framework, responsible for processing audio and video content. The vulnerability stems from improper handling of media data, allowing attackers to execute arbitrary code with elevated privileges. It can be remotely exploited through malicious media files, creating significant security risks.
Arbitrary Code Execution, Privilege Escalation, Sensitive Data Exposure, Remote Exploitation via Media Files
Remediation:
Update: Ensure the latest patches are applied to affected Apple devices as listed below
Affected Version(s)
Fixes and Releases
iOS 17.2 and later
iOS 18.3
iPadOS 17.2 and later
iPadOS 18.3
macOS Sequoia (all previous versions)
macOS Sequoia 15.3
watchOS 10.3 and later
watchOS 11.3
tvOS 17.2 and later
tvOS 18.3
visionOS 1.3 and later
visionOS 2.3
Apple has fixed this vulnerability in these software versions. Update devices immediately to mitigate the risk of exploitation.
General Recommendations:
Untrusted Media: Avoid opening suspicious media files, emails, or links from unknown sources, as the vulnerability can be exploited remotely via malicious media.
Automatic Updates: Enable automatic updates on all Apple devices to ensure timely installation of future security patches.
Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances.
The vulnerability, CVE-2025-20156 was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD)
OEM
Cisco
Severity
Critical
CVSS
9.9
CVEs
CVE-2025-20156
Exploited in Wild
No
Patch/Remediation Available
Yes
Advisory Version
1.0
Overview
A critical vulnerability (CVE-2025-20156) in Cisco Meeting Management could allow attackers to gain unauthorized administrative access. This issue affects versions prior to 3.9.1 and has been classified as critical. Cisco strongly recommends updating to the latest fixed version to address this risk.
Vulnerability Name
CVE ID
Product Affected
Severity
Privilege Escalation Vulnerability
CVE-2025-20156
Cisco
Critical
Technical Summary
A critical security vulnerability has been identified in Cisco Meeting Management. This flaw resides in the REST API and stems from improper enforcement of authorization protocols for REST API users. Remote, authenticated attackers with low-level privileges can exploit this issue by sending specially crafted API requests to specific endpoints. A successful exploit could allow attackers to escalate their privileges to administrator level and gain control over edge nodes managed by Cisco Meeting Management.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-20156
Cisco Meeting Management prior to version 3.9.1
Insufficient authorization checks in the REST API allow attackers to send crafted API requests to escalate privileges.
Attackers can gain full administrative control and disrupt business operations.
Remediation:
Update to the Latest Version:
Upgrade Cisco Meeting Management to version 3.9.1or later.
Regular Security Practices:
Monitor Cisco’s security advisories.
Regularly update systems to address emerging threats.
Conclusion:
CVE-2025-20156 poses a critical risk to Cisco Meeting Management users. Exploiting this flaw could disrupt operations by granting attacker’s administrative control. Immediate updates are crucial to mitigate the risk and protect affected systems.
A critical vulnerability in the ComboBlocks WordPress plugin (formerly Post Grid and Gutenberg Blocks) exposes over 40,000 websites to potential complete takeover by unauthenticated attackers. This vulnerability exists due to improper handling of user meta during the registration process, enabling privilege escalation. It affects versions 2.2.85 to 2.3.3 and has been addressed in version 2.3.4.
OEM
WordPress
Severity
Critical
Date of Announcement
2025-01-17
CVSS score
9.8
CVE
CVE-2024-9636
Exploited in Wild
No
Patch/Remediation Available
Yes
Advisory Version
1.0
Overview
ComboBlocks, a plugin designed to enhance website design and functionality, was found to have a critical security flaw (CVE-2024-9636) that could allow unauthenticated attackers to register as administrators, granting them full control over the affected websites.
The vulnerability stems from improper restriction of user meta updates during profile registration. This flaw allows unauthenticated attackers to register as administrators, granting them full control over the website.
Complete website takeover and malware injection.
Remediations
Update Plugin: Immediately update the ComboBlocks plugin to version 2.3.4 or later.
Review Administrative Accounts:
Audit all user accounts with administrative privileges.
Revoke any unauthorized access.
Enhance Security Posture:
Enable multi-factor authentication (MFA) for all admin accounts.
Restrict user permissions based on the principle of least privilege.
Use a web application firewall (WAF) to filter and block malicious traffic.
Monitor and Log Activity:
Activate detailed logging for user registration and privilege changes.
Configure alerts for unusual activity, such as mass registrations or privilege escalations.
Implement Preventative Measures:
Regularly update all plugins and themes.
Backup the WordPress site frequently to ensure quick recovery in case of any compromise.
