
Coverage: Last 72 hours
Today’s Highlights
This past week highlights critical risks from actively exploited zero-days, new privilege escalation vectors in both Windows and Linux, and persistent misuse of trusted workflows such as OAuth in M365. Defenders should prioritize monitoring patch adoption in exposed infrastructure, closely scrutinize supply chain dependencies on developer endpoints, and proactively hunt for attacker activity in environments where exploit PoCs are already circulating. Key themes include the surge in active exploitation of enterprise products, lagging patch cycles, attackers leveraging developer and SaaS entry points, and escalated local privilege attacks on mainline OS platforms.
Table of Contents
- Microsoft testing adjustable taskbar, Start menu in Windows 11
- Microsoft confirms Windows 11 security update install issues
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
- Microsoft rejects critical Azure vulnerability report, no CVE issued
- Russian hackers turn Kazuar backdoor into modular P2P botnet
- Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
- Exploit available for new DirtyDecrypt Linux root escalation flaw
- Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026
- New Windows ‘MiniPlasma’ zero-day exploit gives SYSTEM access, PoC released
- Funnel Builder WordPress plugin bug exploited to steal credit cards
Top Stories
Microsoft testing adjustable taskbar, Start menu in Windows 11
Source: BleepingComputer | Risk: Low | Impacted: Windows 11 test/beta fleets, User education/training owners, Detection content engineers
Summary: Microsoft is testing a resizable and movable taskbar along with a customizable Start menu in Windows 11 Insider Preview Build 26300.8493 on the Experimental channel. Users can adjust taskbar size, relocate it to any screen edge, toggle Start menu sections like Recommended, and choose between “Small” or “Large” Start menu layouts.
Why it matters: Changes to fundamental shell elements in Windows 11 Insider builds could modify the attack surface or user training baseline, increasing the chance of security tools missing unusual behavior and users falling for novel UI-based phishing techniques.
Practitioner Perspective
Organizations relying on Windows 11 must anticipate upcoming UI/UX changes that may affect both user workflows and detection logic in endpoint monitoring. Attackers have historically targeted inconsistencies or confusion in new OS features, especially where security overlays rely on position or predictable UI behavior. Security teams should evaluate Insider builds in lab environments to ensure monitoring and user awareness materials are updated before production adoption. The greatest risk will be to deployed environments where UX changes arrive abruptly via major updates.
Recommended Actions
- Deploy Windows 11 Insider Preview Build 26300.8493 to lab environments for compatibility and behavior analysis
- Update detection content to account for movable/resizable taskbar locations that may affect screenshot and clickstream-based telemetry
Microsoft confirms Windows 11 security update install issues
Source: BleepingComputer | Risk: High | Impacted: Windows 11 managed endpoints, Patch management operators, Compliance and vulnerability teams
Summary: Microsoft has confirmed that the May 2026 Windows 11 security update (KB5089549) fails to install on devices with limited EFI System Partition (ESP) space (10 MB or less), causing errors like 0x800f0922 and automatic rollback at about 35–36 percent. The issue can be mitigated via Known Issue Rollback or a Group Policy workaround that disables the problematic change.
Why it matters: Update failures stemming from small EFI System Partitions can delay critical patches, leaving endpoints susceptible to known threats due to missed or rolled-back security updates.
Practitioner Perspective
Environments with tightly partitioned system disks or legacy device management may not reliably apply KB5089549, leading to patch gaps. Failure at 35-36% of installation means systems could report partial compliance, misleading dashboard metrics. Relying solely on default update settings may blindside organizations with lingering exposures. Teams must check both patch status and partitioning schemes to ensure intended remediation is truly deployed.
Recommended Actions
- Audit EFI System Partition size for all Windows 11 systems to ensure at least 100MB available
- Inspect installation logs for KB5089549 (errors 0x800f0922/rollback) and confirm security update success beyond standard reporting
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
Source: BleepingComputer | Risk: High | Impacted: Microsoft 365 tenants, Users with delegated OAuth access, IT administrators with wide privileges
Summary: The Tycoon2FA phishing kit has resurfaced after a March takedown and now supports device‑code phishing, using Trustifi tracking URLs and a multi‑layered in‑browser flow to trick Microsoft 365 users into granting OAuth tokens that allow attackers unrestricted access to email, calendar, and cloud storage.
Why it matters: Device-code phishing attacks against Microsoft 365 using Tycoon2FA exploit user trust in authentication flows to harvest OAuth tokens, enabling persistent, broad access to mail, files, and calendars well beyond initial credential compromise.
Practitioner Perspective
The resurgence of Tycoon2FA shows that attackers are continually adapting device-code phishing to bypass MFA and security controls, gaining lasting footholds via OAuth grants. This attack is highly effective due to its use of trusted login URLs and multi-step in-browser tricks, making it difficult for average users to spot. Tooling that only alerts on credential theft, rather than token misuse, may miss the real threat. Defenders must pivot to proactive monitoring of OAuth consent events and anomalous delegated access in Microsoft 365.
Recommended Actions
- Monitor M365/Azure AD logs for suspicious consent grant activity, particularly device code logins initiated via external Trustifi URLs
- Review all OAuth tokens recently granted via device-code and revoke any that appear unnecessary or unsafe
Microsoft rejects critical Azure vulnerability report, no CVE issued
Source: BleepingComputer | Risk: High | Impacted: AKS (Azure Kubernetes Service) operators, Cloud security engineers, Azure Backup users
Summary: A security researcher says Microsoft rejected his report of a critical privilege escalation flaw in Azure Backup for AKS, opting not to issue a CVE, despite independent validation by CERT/CC and evidence of a silent patch. Microsoft maintains no changes were made, while the researcher documents altered behavior suggesting otherwise.
Why it matters: Silent patching and lack of coordinated disclosure for critical privilege escalation in Azure Backup for AKS creates uncertainty for defenders, potentially leaving organizations unaware of residual or unmitigated risk in production clusters.
Practitioner Perspective
Microsoft’s decision not to issue a CVE and the inconsistent status of the Azure Backup for AKS flaw means that standard vulnerability tracking tools may not flag affected clusters. Security teams must not rely solely on vendor bulletins and should consult both CERT/CC advisories and independent researcher findings for evidence of behavior changes. Absence of transparent disclosure creates a blind spot in threat modeling and verification; presume risk remains until validated fixes are confirmed in your environment.
Recommended Actions
- Audit all AKS clusters using Azure Backup for evidence of privilege escalation vectors as reported by researchers
- Monitor for changes in Azure Backup behavior post-incident, documenting any unexplained permission levels or attack surface reduction
Russian hackers turn Kazuar backdoor into modular P2P botnet
Source: BleepingComputer | Risk: High | Impacted: Enterprises with Eastern European exposure, Organizations previously targeted by APT29/Secret Blizzard, Networks with legacy EDR, OT/ICS environments
Summary: Russian hackers from the FSB‑linked Secret Blizzard group have upgraded their longstanding Kazuar backdoor into a stealthy, modular peer‑to‑peer botnet featuring kernel, bridge, and worker modules that elect a leader for C2 communication and support advanced espionage functions, persistence, and security bypasses.
Why it matters: A stealthy, modular P2P botnet variant of Kazuar increases evasion and persistence, complicating detection and removal efforts in environments targeted by advanced, state-aligned actors.
Practitioner Perspective
Organizations in sectors frequently targeted by APTs need to assume that custom tooling, such as the upgraded Kazuar platform, can bypass legacy network and host defenses through kernel-level modules, lateral movement, and encrypted/peer-to-peer C2. Standard incident response procedures may miss these modular implants, which can delegate roles and self-repair compromised nodes within the botnet. Heightened vigilance for suspicious kernel activity and cross-host process relationships is required where this actor operates.
Recommended Actions
- Proactively hunt for Kazuar-specific IOCs, including kernel module anomalies, bridge/worker processes, and ephemeral C2 domains
- Implement advanced EDR with kernel sensor capability to spot P2P botnet behaviors
Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own
Source: BleepingComputer | Risk: High | Impacted: Organizations running Microsoft Exchange, Windows 11 and Red Hat Enterprise Linux enterprises, Hybrid infrastructure operators
Summary: On the second day of Pwn2Own Berlin 2026, researchers exploited 15 unique zero-day vulnerabilities across multiple enterprise technologies. The notable results included a $200,000 win by Orange Tsai for chaining three bugs to run SYSTEM‑level code on Microsoft Exchange, a $7,500 Windows 11 integer‑overflow hack, and other successful exploits in Red Hat Enterprise Linux and the NVIDIA Container Toolkit.
Why it matters: Chained exploitation and SYSTEM-level access on enterprise platforms such as Microsoft Exchange and Windows 11 highlight the need for defense-in-depth, as layered vulnerabilities can bypass single-point mitigation in core infrastructure.
Practitioner Perspective
Successful SYSTEM-level compromise of Exchange via a three-bug chain, along with exploitation of Windows 11 and Red Hat Enterprise Linux, illustrate continued systematic weaknesses in complex, integrated enterprise stacks. Patch velocity is critical, but organizations also require layered controls and monitoring to catch attack sequences that evade single-service hardening. These multi-vector exploit chains are prioritized by capable adversaries for high-value targets, so holistic, cross-stack visibility and rapid patch uptake are non-negotiable.
Recommended Actions
- Track and deploy patches for Microsoft Exchange, Red Hat Enterprise Linux, and Windows 11 as released post-Pwn2Own
- Hunt for post-exploitation activity matching multistage exploit chains validated by contest researchers
Emerging Signals
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
Source: The Hacker News | Risk: Critical | Impacted: Enterprises running Ivanti, Fortinet, SAP, VMware, n8n, Critical infrastructure operators, Hybrid cloud environments
Summary: Ivanti, Fortinet, SAP, VMware, and n8n released security updates on May 18, 2026, to address critical vulnerabilities, ranging from remote code execution and SQL injection to privilege escalation, that could allow attackers to bypass authentication, execute code, or escalate privileges.
Why it matters: Critical vulnerabilities affecting widely used enterprise products increase the window for attackers to execute RCE, bypass authentication, or escalate privileges across multiple environments if left unpatched.
Practitioner Perspective
The simultaneous release of fixes by Ivanti, Fortinet, SAP, VMware, and n8n underscores a trend: attackers gain advantage when organizations delay patch deployment across heterogeneous infrastructure. Exploitable flaws in key products are a prime target for ransomware and initial access brokers. Patch cycles must be aligned across technology silos, and vulnerability context, RCE versus SQL injection versus privilege escalation, matters for prioritization. The single most important step is to close the patching gap before proof-of-concept and botnet-driven exploitation scales.
Recommended Actions
- Apply May 18, 2026, security updates to all Ivanti, Fortinet, SAP, VMware, and n8n assets in production
- Monitor for exploit attempts targeting RCE, SQL injection, or privilege escalation through recently patched vectors
Exploits & CVEs
Exploit available for new DirtyDecrypt Linux root escalation flaw
Source: BleepingComputer | Risk: High | Impacted: Linux hosts running rxgk module, Multi-tenant Linux VMs, Unprivileged user environments, OpenSUSE Tumbleweed deployments
Summary: A proof‑of‑concept exploit for DirtyDecrypt (also known as DirtyCBC), a recently patched local privilege‑escalation flaw in the Linux kernel’s rxgk module, now allows attackers to gain root access on affected systems, particularly those using the CONFIG_RXGK option in distros like Fedora, Arch Linux, and openSUSE Tumbleweed; users are urged to apply the latest kernel updates or use mitigation measures.
Why it matters: A proof-of-concept exploit for DirtyDecrypt empowers local attackers to escalate to root on unpatched Linux systems using the rxgk module, compounding risk for environments relying on unprivileged containers or multi-tenant hosts.
Practitioner Perspective
Fedora, Arch Linux, and openSUSE Tumbleweed systems using CONFIG_RXGK remain directly vulnerable to local privilege escalation until recent kernel patches are applied. Given PoC exploit availability, attackers, including low-sophistication insiders, may rapidly weaponize this flaw in shared or exposed Linux infrastructure. Detection may be difficult as the exploit only requires local access, so defenders should act with urgency. The most important mitigation is to patch all systems using vulnerable kernels before this becomes part of automated attack playbooks.
Recommended Actions
- Inventory all Linux systems for active CONFIG_RXGK/rxgk module usage, particularly Fedora, Arch Linux, and openSUSE Tumbleweed
- Apply the latest kernel patches addressing the DirtyDecrypt/DirtyCBC flaw immediately
Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026
Source: BleepingComputer | Risk: High | Impacted: Enterprises running browsers or virtualization platforms, Cloud infrastructure operators, Security operations/patch management teams
Summary: The Pwn2Own Berlin 2026 hacking contest concluded at OffensiveCon (May 14–16), with researchers earning a total of $1,298,250 by discovering and exploiting 47 zero‑day vulnerabilities across browsers, enterprise applications, AI platforms, virtualization, operating systems, containers, and cloud infrastructure. Vendors now have 90 days to issue patches before public disclosure.
Why it matters: Mass discovery and exploitation of dozens of zero-days signals an urgent need for accelerated patch uptake, as public exploitability is now likely on major enterprise software in the coming months.
Practitioner Perspective
Vendors have a 90-day window before full public disclosure of Pwn2Own vulnerabilities, but threat actors routinely reverse engineer patch rollouts and researcher clues to build exploits faster. Any organization using browsers, AI platforms, hypervisors, or cloud infrastructure featured in the contest is likely already in the crosshairs. Prioritizing pre-release vendor bulletins and automating patch management is vital during this window. Do not assume ‘won’t affect us’, most organizations run some targeted stack.
Recommended Actions
- Track vendor advisories for Pwn2Own-participating products, especially browsers, enterprise apps, hypervisors, and cloud stacks
- Test and pre-stage emergency updates for all identified platforms
New Windows ‘MiniPlasma’ zero-day exploit gives SYSTEM access, PoC released
Source: BleepingComputer | Risk: Critical | Impacted: Windows 10 and 11 endpoints, Shared workstation environments, High-privilege Windows accounts
Summary: A researcher known as Chaotic Eclipse published a proof‑of‑concept exploit called “MiniPlasma” that enables SYSTEM‑level access on fully patched Windows systems by targeting a long‑reported vulnerability in the ‘cldflt.sys’ cloud filter driver. Despite being assigned CVE‑2020‑17103 and reportedly patched in December 2020, the flaw remains unpatched and was confirmed to work on the latest Windows 11 builds.
Why it matters: A previously patched Windows kernel driver flaw (CVE-2020-17103) remains exploitable on fully updated Windows 11, giving local attackers reliable SYSTEM-level access despite supposed remediation.
Practitioner Perspective
Any environment running the ‘cldflt.sys’ cloud filter driver, standard on most Windows installations, remains vulnerable to local privilege escalation with a public proof-of-concept now circulating. This represents an immediate operational gap, particularly on high-value endpoints (server admins, helpdesk, shared workstations). With exploitation trivialized, attackers, including malware or insider threats, can escalate privileges and bypass endpoint controls. Until a verified fix is available, monitor closely and consider temporary access restrictions on critical assets.
Recommended Actions
- Identify systems running vulnerable cldflt.sys versions despite prior patching for CVE-2020-17103
- Monitor for indicator processes and privilege escalation attempts leveraging MiniPlasma PoC
Funnel Builder WordPress plugin bug exploited to steal credit cards
Source: BleepingComputer | Risk: Critical | Impacted: WordPress e-commerce websites, Merchants using Funnel Builder and WooCommerce, Online payment processors
Summary: A critical, unauthenticated vulnerability in the Funnel Builder plugin for WordPress was actively exploited to inject malicious JavaScript into WooCommerce checkout pages, enabling attackers to skim credit card data such as numbers, CVVs, billing addresses and other customer details. The issue affects versions prior to 3.15.0.3 and has been patched.
Why it matters: Active exploitation of a critical vulnerability in Funnel Builder for WordPress directly enables theft of customer payment data via injected code, placing businesses at immediate financial and regulatory risk.
Practitioner Perspective
E-commerce operators relying on Funnel Builder and WooCommerce inherit a real-time data leakage threat: attackers can exfiltrate payment and PII until every vulnerable site is fully patched. Given automated mass exploitation, threat actors likely already have persistent access to sites lagging behind version 3.15.0.3. Standard file integrity and AV monitoring are insufficient here; prioritize patching and rapid compromise assessment for any site still running older plugin versions.
Recommended Actions
- Patch Funnel Builder to version 3.15.0.3 or later across all production WordPress properties
- Scan for and remove injected JavaScript and web skimmer IOCs in WooCommerce checkout code
Defensive Actions
- Rapidly apply May 18, 2026 security patches to Ivanti, Fortinet, SAP, VMware, and n8n
- Audit for Windows 11 endpoints with limited EFI System Partition and remediate to avoid stuck security updates
- Monitor for M365 OAuth consent grants and revoke unsafe tokens; restrict device-code initiated logins where feasible
- Inventory Linux systems for CONFIG_RXGK, apply DirtyDecrypt patch, and restrict local shell access until finalized
- Identify and isolate Windows systems using cldflt.sys pending a lasting fix for CVE-2020-17103; increase monitoring of privilege escalations
- Proactively hunt for Kazuar botnet modules and peer-to-peer traffic signatures across enterprise networks
- Prioritize detection and patching for e-commerce WordPress sites using vulnerable Funnel Builder plugin versions
- Regularly monitor for post-exploitation activity and table-top cross-platform SYSTEM-level attack scenarios as surfaced in recent contests and zero-day disclosures
- Push cloud vendors for coordinated disclosure and remediation transparency for recently identified privilege escalation vectors
- Use advanced EDR and create updated detection logic for new UI/UX changes in Windows 11 Insider builds
What We’re Watching
- Large waves of targeted phishing using device-code/OAuth flows against Microsoft 365, with potential for new lateral movement techniques.
- Vendor updates following Pwn2Own Berlin, with focus on the 90-day disclosure window before mass exploitability.
- Ongoing exploitation attempts against recently patched Funnel Builder WordPress plugin vulnerabilities in e-commerce environments.
- Progress on upstream patches for Windows ‘cldflt.sys’ and Linux DirtyDecrypt flaws, and any new PoCs in the wild.
- Disclosures and patch adoption rates for Ivanti, Fortinet, SAP, VMware, and n8n across varied enterprise verticals.
Categories: Cybersecurity Blog, Cybersecurity News
Leave a comment