Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: microsoft (30 articles)Clear

SharePoint remote code execution flaw added to CISA KEV after active exploitation

CISA has added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation, months after Microsoft rated it less likely to be attacked. The bug (CVE-2026-45659, CVSS 8.8) comes from unsafe deserialization of untrusted data and lets an authenticated attacker with only Site Member permissions run code on a SharePoint server over the network, with low complexity and no user interaction. Microsoft patched it in May for SharePoint Server Subscription Edition, 2019, and Enterprise 2016. On-premises SharePoint is a repeated target because it holds sensitive data and is often internet-facing, and it has a long history of weaponized code execution flaws.

Check
Confirm the May 2026 SharePoint updates are applied to all on-premises servers, restrict internet exposure, and hunt for web shells, unexpected scheduled tasks, and unauthorized file changes on internet-facing SharePoint.
Affected
On-premises SharePoint Server Subscription Edition, 2019, and Enterprise 2016 missing the May 2026 patch (CVE-2026-45659); any authenticated user with Site Member permissions can run code remotely on the server.
Fix
Apply Microsoft's May 2026 SharePoint updates now, limit SharePoint to trusted networks or a VPN, tighten privileged access, and run a compromise assessment on internet-facing servers given confirmed exploitation.

Deploy 2023 Secure Boot certificates before Microsoft's 2011 ones expire this week

The original 2011 Microsoft certificates that underpin UEFI Secure Boot begin expiring in late June 2026, and organizations that have not rolled out the replacement 2023 certificates risk a slow erosion of boot-level security. Devices will keep starting normally, but once the old certificate authorities lapse they stop receiving Secure Boot updates for pre-boot components, leaving them more exposed to bootkits, and future bootloaders signed only with the new keys may fail to verify. Most consumer Windows PCs receive the 2023 certificates automatically through Windows Update, but Windows Server and many self-managed or older fleets need manual action. A second certificate that signs the Windows bootloader expires in October.

Check
Inventory Windows devices and servers with Secure Boot enabled and check whether the 2023 certificates are present using the Windows Security app, the UEFICA2023Status registry value, or System log Event ID 1808.
Affected
Windows devices, servers, and VMs still relying on the 2011 Secure Boot certificates; Windows Server and self-managed systems are most at risk because they do not receive the 2023 certificates automatically.
Fix
Apply current cumulative and OEM firmware updates, deploy the 2023 KEK and DB certificates (manually on servers), verify completion, and suspend BitLocker if prompted during the update to avoid recovery prompts.

Microsoft warns of USB worm that hijacks crypto wallets over Tor

Microsoft has detailed a cryptocurrency-stealing campaign, active since February, that spreads through USB drives and hides its command channel inside the Tor network. Infection starts when someone opens a malicious Windows shortcut on a USB stick; the malware then hides real documents and replaces them with lookalike shortcuts, copies itself to other drives, and sets scheduled tasks for persistence. Its clipper component watches the clipboard about twice a second, swapping copied wallet addresses for the attacker's and grabbing seed phrases and private keys, which it sends out over a bundled Tor client. It can also run attacker-supplied code, doubling as a lightweight backdoor.

Check
Watch endpoints for script interpreters spawning unexpected child processes, local Tor proxy use on port 9050, clipboard monitoring, and shortcut files replacing documents on USB drives.
Affected
Windows users, especially cryptocurrency holders, who plug in untrusted USB drives or open shortcut files from them; the malware also spreads worm-like to any removable drive connected afterward.
Fix
Block or tightly control USB removable media, disable autorun, verify wallet addresses after pasting, and use endpoint protection that flags Tor-proxy abuse, clipboard hijacking, and suspicious shortcut-driven script execution.

One-click Microsoft 365 Copilot flaw could silently steal emails and codes

Researchers at Varonis disclosed SearchLeak, a flaw chain in Microsoft 365 Copilot Enterprise Search that let a single click on a legitimate microsoft.com link silently pull a victim's emails, calendar, and indexed files, including security and MFA codes, with no password or further interaction. It worked by smuggling instructions into the search URL's query parameter, which Copilot obeyed as commands, then exfiltrating the data through a Bing image request that bypassed content protections. Because the link used a real Microsoft domain, anti-phishing filters were unlikely to flag it. Microsoft assigned CVE-2026-42824, rated it critical, and fixed it on its backend, so no customer action is required.

Check
No patching is needed since Microsoft fixed this server-side; instead review what data Microsoft 365 Copilot can access and whether broad permissions would amplify a similar AI-assistant flaw.
Affected
Microsoft 365 Copilot Enterprise Search users were exposed (CVE-2026-42824) before Microsoft's server-side fix; the broader risk is any AI assistant that mixes untrusted input with access to internal data.
Fix
No customer action is required, as Microsoft has remediated the flaw. To reduce future AI-assistant risk, tighten Copilot data permissions, apply least privilege to identities, and monitor assistant activity.

New unpatched GreatXML exploit bypasses Windows BitLocker encryption

The researcher known as Nightmare Eclipse has published a second unpatched Windows exploit in two days, this one defeating BitLocker disk encryption. Called GreatXML, it abuses the Windows Defender Offline Scan feature: any machine that has ever run an offline scan is left permanently vulnerable. An attacker with physical access copies a crafted unattend.xml file and a Recovery folder to the recovery partition, reboots into the Windows Recovery Environment with Shift plus Restart, and gets a privileged shell with full access to the encrypted drive, no login needed. Proof-of-concept code is public on GitHub, there is no patch yet, and Microsoft says it is investigating.

Check
Identify Windows devices protected only by BitLocker without a startup PIN, especially laptops that travel, and check whether Windows Defender Offline Scan has ever been run on them.
Affected
Windows devices using BitLocker where a Defender Offline Scan has run at least once; an attacker with physical access to the machine can reach the encrypted volume. No patch yet.
Fix
Require a TPM-plus-PIN or startup password for BitLocker so pre-boot recovery cannot be abused, restrict physical access to devices, and watch for a Microsoft fix to apply once released.

Microsoft finally patches actively exploited Exchange OWA spoofing zero-day

Microsoft has shipped the first full patch for an Exchange Server zero-day that attackers have been exploiting since May. The flaw (CVE-2026-42897) is a cross-site scripting bug in Outlook Web Access: an attacker emails a victim, and when the message is opened in OWA, malicious JavaScript runs inside the victim's authenticated session, allowing session-token theft and mailbox impersonation without ever touching the server. It affects Exchange Server 2016, 2019, and Subscription Edition, and CISA added it to its known-exploited list back in May. Until this week only temporary mitigations existed; the June security updates provide the permanent fix.

Check
Confirm the June 2026 security update is applied to all on-premises Exchange servers, and review OWA and mailbox audit logs for suspicious script activity or session hijacking since May.
Affected
On-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition exposing Outlook Web Access (CVE-2026-42897), a spoofing and cross-site scripting flaw exploited in attacks since May.
Fix
Apply the June 2026 Exchange security update now to replace the earlier mitigation-only guidance, then reset potentially exposed OWA sessions and rotate credentials for affected mailboxes.

Microsoft ships record 200-plus June patches, including three zero-days

Microsoft's June 2026 Patch Tuesday is the largest on record, fixing more than 200 vulnerabilities (independent counts put the total above 206), including three publicly disclosed zero-days that are not yet being exploited. The standout is CVE-2026-45586, a Windows CTFMON elevation-of-privilege flaw that grants SYSTEM access, which matches the GreenPlasma bug a researcher dropped in protest of Microsoft's bug-bounty handling; a BitLocker bypass called YellowKey was also fixed. The update includes 33 critical flaws, most of them remote code execution, hitting Remote Desktop, Hyper-V, Office, and cryptographic services. Microsoft flagged 15 issues as more likely to be exploited soon.

Check
Inventory Windows endpoints and servers against the June 2026 update level, and prioritize systems exposed to Remote Desktop, Hyper-V hosts, and anything processing untrusted Office documents.
Affected
Windows, Office, Remote Desktop Client, Hyper-V, Secure Boot, BitLocker, and Exchange. Three publicly disclosed zero-days (CVE-2026-45586, CVE-2026-50507, CVE-2026-49160) and 33 critical flaws, mostly remote code execution.
Fix
Test and deploy the June 2026 security updates promptly, prioritizing the publicly disclosed zero-days and critical RCE flaws. Where patching lags, restrict RDP exposure and segment Hyper-V hosts.

Unpatched Defender zero-day RoguePlanet gives SYSTEM on current Windows

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse published a working exploit, dubbed RoguePlanet, for an unpatched Microsoft Defender flaw that opens a command prompt with full SYSTEM privileges on fully updated Windows 10 and 11. The bug is a race condition, so the exploit is hit or miss, but the researcher reports a 100 percent success rate on some machines. They posted the proof-of-concept on a self-hosted Git server after Microsoft had earlier taken down their GitHub and GitLab repositories. It is the latest in a string of Windows zero-days (BlueHammer, RedSun, YellowKey, GreenPlasma) the researcher has released in protest of Microsoft's disclosure practices.

Check
Confirm Microsoft Defender real-time and tamper protection are enabled and current on Windows 10 and 11 endpoints, and watch for unexpected SYSTEM-level command shells spawned from Defender processes.
Affected
Fully patched Windows 10 and Windows 11 systems, including current and Canary builds, running Microsoft Defender; a public proof-of-concept exists and no fix is available yet.
Fix
No patch exists yet; watch for a Microsoft advisory and apply it when released. Meanwhile, rely on EDR behavioral detection and least-privilege controls to limit privilege-escalation impact.

Critical Windows Netlogon RCE CVE-2026-41089 now exploited - unauthenticated code execution on domain controllers, all Server versions, CCB Belgium warns

The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.

Check
Inventory all domain controllers and confirm the May 2026 Patch Tuesday update (CVE-2026-41089) is applied. Review Netlogon RPC traffic and DC event logs for anomalous unauthenticated requests.
Affected
All currently supported Windows Server versions acting as domain controllers, unpatched against the May 2026 fix. Unauthenticated attackers can gain RCE on a DC, enabling full domain compromise.
Fix
Apply the May 2026 Patch Tuesday update to every domain controller immediately. Restrict Netlogon RPC exposure to trusted networks. Monitor for post-exploitation lateral movement from DCs.

Microsoft denounces uncoordinated zero-day disclosures after Chaotic Eclipse (Nightmare Eclipse) drops 6 CVEs - GitHub and GitLab accounts removed

Microsoft has come out strongly against uncoordinated zero-day disclosures after researcher Chaotic Eclipse (also Nightmare-Eclipse) dropped technical details of six Windows zero-days over the past month, citing a breakdown in Microsoft's disclosure process. The CVEs include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma; BlueHammer, RedSun, and UnDefend are now under active exploitation. GitHub removed the researcher's account; a GitLab re-upload account was also blocked. Microsoft is urging coordinated vulnerability disclosure but the researcher publicly disputes Microsoft's responsiveness, citing months of waiting for fixes. The incident highlights ongoing friction between solo researchers and large vendor PSIRTs.

Check
Apply the Microsoft patches for BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and YellowKey (CVE-2026-45585) immediately. Monitor for further leaked PoC code.
Affected
Windows endpoints unpatched against the six Nightmare Eclipse zero-days. Three (BlueHammer, RedSun, UnDefend) are confirmed under active exploitation. GreenPlasma and MiniPlasma also have public details.
Fix
Patch all six CVEs via current Windows updates. Block known exploit-PoC mirrors at egress. Watch GitHub/GitLab for re-uploaded code and add the corresponding hashes to detection rules.