Attackers are hitting Ivanti customers yet again — circling back to a common target and consistently susceptible vendor in the network edge space — by exploiting a zero-day vulnerability in one of the company’s most besieged products. 

Ivanti warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation defect in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company alerted customers to the threat in a security advisory Thursday while also disclosing four additional high-severity vulnerabilities in the same product.

“At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement,” a spokesperson for Ivanti said in a statement.

Ivanti did not say when the first instance of exploitation occurred, or precisely how many customers have already been impacted.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog within hours of Ivanti’s disclosure.

The company released patches for all five vulnerabilities Thursday, including the four additional defects — CVE-2026-5787, CVE-2026-5788, CVE-2026-6973 and CVE-2026-7821 — which it said haven’t been exploited in the wild.

“Ivanti discovered these vulnerabilities in recent weeks through internal detection processes which are supported by advanced AI, customer collaboration, and responsible disclosure,” the company spokesperson said. One of the defects was discovered and responsibly reported to Ivanti by a former employee.

The company suggested at least one of the root causes for the latest zero-day may be traced to lingering risk posed by a pair of separate, critical zero-days — CVE-2026-1281 and CVE-2026-1340 — that were exploited starting in late January. The fallout from those exploited vulnerabilities in Ivanti EPMM spread to nearly 100 victims, including The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary, by early February.

The latest Ivanti EPMM zero-day “requires authenticated administrative access to exploit, which is why customers who followed Ivanti’s recommendation in January to rotate EPMM credentials are at significantly reduced risk. Customers unaffected by the prior vulnerability are also at a much lower risk,” the company spokesperson said.

Caitlin Condon, vice president of security research at VulnCheck, said the administrative privileges required to exploit CVE-2026-6973 indicates it was possibly exploited as part of an attack chain relying on another method for initial access. 

“No attribution was shared on threat actor exploitation of CVE-2026-6973, but two other 2026 CVEs in Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340 — have been exploited by a range of threat actors, including China- and Iran-attributed groups,” Condon told CyberScoop. 

“Those vulnerabilities notably were code-injection vulnerabilities that were remotely exploitable without authentication, unlike CVE-2026-6973,” she added. “Both CVE-2026-1281 and CVE-2026-1340 appear to have been fixed in today’s Ivanti release. Comparatively, these earlier vulns were of higher initial concern than today’s fresh zero-day vulnerability, which requires admin authentication.”

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large, including many vulnerabilities that attackers exploited before the company caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 34 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 22 defects across Ivanti products have been exploited in the past two years, including five vulnerabilities in Ivanti EPMM in the last year.

During an interview with CyberScoop in March at the RSAC Conference, Ivanti Chief Security Officer Daniel Spicer said the company’s transparency partly explains the high number of vulnerabilities reported and disclosed in its products. 

“My position here at Ivanti is it doesn’t do our customers any good to be quiet about this,” he said, describing the company’s communication stance with the public, CISA and global partners as “very aggressive.”

That’s not always the case with other vendors, Spicer said. “I don’t know that transparency is a core tenant of all other organizations.”

The company, which serves many government agencies and critical infrastructure operators, also routinely notes that highly skilled and resourced attackers, including those backed by nation-states, are often responsible for these waves of attacks on its customers.

Ivanti maintains that it’s trying to consistently improve the security of its products. “Through continued investment in its product security program, including the use of advanced AI paired with human verification, Ivanti is strengthening its ability to identify, remediate, and disclose issues quickly, helping customers stay ahead of an increasingly compressed threat landscape,” the spokesperson said.

The way Spicer put it in March: “We want to make sure that people understand that we are trying to do the right thing.”

The post Ivanti customers confront yet another actively exploited zero-day appeared first on CyberScoop.

CVE-2026-6973 is a high-severity vulnerability that allows an attacker who has admin privileges to execute arbitrary code.

The post Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks appeared first on SecurityWeek.

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 

Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MicroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

The flaws could allow a remote attacker to maintain access after their account has been disabled and to access information from other user sessions.

The post Two Vulnerabilities Patched in Ivanti Neurons for ITSM  appeared first on SecurityWeek.

Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.

As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 

“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”

Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”

The technologies exploited by attackers are developed and sold by many repeat offenders. Some of the vendors on VulnCheck’s list of the most routinely targeted vulnerabilities enjoy large market shares.

Other vendors, especially those in network edge device space, have been inundated with malicious activity for years and remain the preferred intrusion point for all attacks.

Network edge devices were responsible for 191 of the 672 products impacted by new known exploited vulnerabilities last year, representing 28% of the top targeted technologies in 2025, according to VulnCheck. 

“Anything that’s in that position of being at the network edge, guarding access to corporate networks, often in a privileged place for secure communication,” is naturally a large target, Condon said. 

This problem is exacerbated by the fact many network devices are running on code bases that haven’t been radically changed in about a decade. Meanwhile, attackers have copies of that software and use fully automated analysis pipelines to quickly identify new vulnerabilities.

“Threat actors are much more organized presently than we all collectively are on defense,” Condon said. Defenders have to assume there’s going to be a new zero-day in any network edge device at any time, and patches will be reversed for exploit development in short order, she added.

Each of the top 50 vulnerabilities VulnCheck flagged in its report were exploited in the wild last year with at least 20 working public exploits, attacks originating from at least two state-sponsored or cybercrime threat groups. The top exploited vulnerabilities were also linked to least one ransomware variant and appeared in at least two instances of known botnet activity.

Four of the 10 most routinely targeted vulnerabilities last year — CVE-2025-53770 and CVE-2025-53771, which are variants of previously disclosed vulnerabilities CVE-2025-49706 and CVE-2025-49704 — were contained in Microsoft SharePoint. All four of the zero-day vulnerabilities were exploited en masse and initially compromised more than 400 organizations, including the Departments of Energy, Homeland Security and Health and Human Services.

VulnCheck confirmed a combined 69 known exploits for the quartet of SharePoint vulnerabilities. Researchers attributed the exploited vulnerabilities to a collective 29 threat groups and 18 ransomware variants, yet the attackers involved likely targeted more than one of the zero-days, resulting in some overlap.

Microsoft topped the list with nine of the 50 routinely targeted vulnerabilities appearing in its products last year. Ivanti was responsible for five, or 10% of the most targeted vulnerabilities last year. Fortinet ranked third on VulnCheck’s list with four vulnerabilities, followed by VMware with three, while SonicWall and Oracle each ranked high on the list with two exploited defects. 

The most targeted vulnerability of 2025 belongs to React2Shell, a maximum-severity defect in React Server Components that racked up 236 valid public exploits before the end of the year, less than a month after it was publicly disclosed by Meta and React. 

More than 200 of those public exploits were validated by VulnCheck by mid-December, as Palo Alto Networks Unit 42 confirmed more than 60 organizations were impacted by an initial wave of attacks.

VulnCheck’s research underscores that technology, ultimately in all of its forms, is the problem. 

“We are at a point here where we’re not talking about a single vendor or technology. We are talking about writ large, we are getting creamed. We’ve got to start assessing ruthlessly and immediately how technology needs to evolve to be more resilient to these attacks over the long term,” Condon said. 

“We need to start being much more realistic about the state of our tech and what that means for cybersecurity.”

The post Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks appeared first on CyberScoop.

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.

Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.

The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.

Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldn’t — like executing malicious code or commands.

“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. “When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.”

The SANS Internet Storm Center has a clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please don’t neglect to back up your data if it has been a while since you’ve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.

Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed late January after in-the-wild attacks already occurred.

The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday.

The attacks were publicly disclosed as researchers and threat hunters scrambled to assess the fallout and observed consistent waves of attacks linked to the Ivanti defects. As of Monday afternoon, Shadowserver scans identified 86 compromised instances based on artifacts of exploitation, Piotr Kijewski, CEO of the nonprofit, told CyberScoop.

Researchers last week warned that attacks involving the Ivanti zero-days would spread, repeating a common pattern following the vendor’s disclosure and a third party’s release of exploit code. The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti EPMM.

Ivanti said a “very limited number of customers” were exploited before it disclosed the defects in a Jan. 29 security advisory, but has declined multiple requests to provide an updated victim count. 

The company released indicators of compromise and a detection script Friday to help customers hunt for potential impact, and thanked The Netherlands’ National Cyber Security Centre for contributing to the script’s development. “We are collaborating closely with our customers as well as trusted government and security partners,” a spokesperson for Ivanti said in a statement.

Attackers of various intents and origins are still compromising additional Ivanti EPMM instances, Kijewski said. Shadowserver is using initial artifacts provided by Saudi Arabia’s National Cybersecurity Authority to scan for webshells and other signs of exploitation, including system commands.

“These artifacts are likely not linked to the initial threat actor targeting the vulnerability. It is likely, however, these instances were compromised by multiple actors by now,” Kijewski said. “More is happening than what we are able to observe.”

Nearly 1,300 instances of Ivanti EPMM are still exposed to the internet, but it’s unknown how many of those are vulnerable or already compromised, according to Shadowserver.

Other researchers that have been tracking the vulnerabilities have also found evidence of heightened malicious activity targeting potential victims. 

During a 24-hour period, Rapid7’s Ivanti EPMM honeypot “recorded hundreds of inbound traffic connections from more than 130 unique IP addresses, with 58% directly attempting exploitation of the latest Ivanti EPMM vulnerabilities,” said Christiaan Beek, the company’s senior director of threat intelligence and analytics. 

Beek emphasized that the dominant payloads observed by Rapid7’s honeypot were not attributed to researchers, but rather built to gain rapid control via reverse shells, webshell deployment attempts and automated payload droppers. 

Ivanti has thus far declined to say when and how it first became aware of the vulnerabilities or when the first known date of exploitation occurred.

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large.

The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years.

The post Fallout from latest Ivanti zero-days spreads to nearly 100 victims appeared first on CyberScoop.

Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls. 

The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not say when the earliest known date of exploitation occurred but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday.

Ivanti’s post-attack warning marks a frequent occurrence for its customers, involving yet again highly destructive defects in its code that attackers exploited before the vendor caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years. 

The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.

The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025. 

Ivanti declined to say how many customers have been impacted by the recent zero-day attacks, but researchers warn a recurring pattern is emerging with mass exploitation observed shortly after public disclosure and the release of exploit code.

“This started as tightly scoped zero-day exploitation,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told CyberScoop. “It has since devolved into global mass exploitation by a wide mix of opportunistic actors. That arc is depressingly predictable.”

Shadowserver said it observed a spike in CVE-2026-1281 exploitation attempts from at least 13 source IPs by Saturday. More than 1,400 instances of Ivanti EPMM are still exposed to the internet, according to Shadowserver scans, but it’s unknown how many of those are vulnerable or already compromised. 

“It’s important to remember that exposure does not equal exploitation,” Dewhurst said. “But any organization exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes.”

Ivanti advised all on-premises EPMM customers to apply patches, but warned that the script is temporary and will be overridden when customers upgrade software to a new version. The software packages that address the defects “takes only seconds to apply, does not cause downtime and significantly increases adoption and protection rates for customers,” a company spokesperson said. 

Ivanti said it will issue a permanent fix for the vulnerability in a future update that it plans to release by April.

The new Ivanti zero-days share many similarities to previous EPMM vulnerabilities, said Ryan Emmons, staff security researcher at Rapid7. “The line between attacker input and trusted code is blurred, resulting in the ability to execute malicious payloads.”

Remotely exploitable vulnerabilities in network edge devices are an appealing and effective attack vector for hackers looking to break into targeted networks. Multiple threat groups last year, including some linked to China, exploited another zero-day defect in Ivanti EPMM — CVE-2025-4428 — and a string of vulnerabilities in other Ivanti products.

“State-sponsored adversaries have generally made strong use of remotely exploitable vulnerabilities in Ivanti kit, which isn’t surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

The latest actively exploited defects affecting Ivanti products reflect a continuation of a years-long battle between the vendor and threat groups that poses a consistent risk for customers. 

Some security researchers are more inclined to pin the blame for this sustained security problem on Ivanti itself, yet there is broad agreement these vulnerabilities were not easy for the company to discover prior to exploitation. 

Emmons described the defects as nuanced with an odd path to code injection. “With these vulnerable code patterns now known, the vendor’s security teams can more effectively hunt for these sorts of bugs in the future,” he added.

Dewhurst concurred the vulnerabilities were not easy to spot, but said that does not excuse the outcome. “Defensive engineering needs to assume attackers will find the non-obvious paths eventually, because they always do,” he said. 

Ivanti’s spokesperson said these types of vulnerabilities are difficult to find, and insisted the company’s security and engineering teams acted quickly to address the defects once they were identified.

The post Ivanti’s EPMM is under active attack, thanks to two critical zero-days appeared first on CyberScoop.

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”

Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported and extended security update supported versions of the Windows OS. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.

“A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.

Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.

“That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”

According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”

“Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”

Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.

“Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”

Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

“Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.

As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related installing January’s patches, please drop a line in the comments below.

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.

“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”

Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.

“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”

Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.

Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.

“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”

Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.

The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.

As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.

[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]