
Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days

Microsoft addressed 83 vulnerabilities that cut across its broad portfolio of enterprise software and underlying services in its latest security update. The company’s Patch Tuesday release contained no actively exploited zero-day vulnerabilities and six defects it described as more likely to be exploited. 

The vendor’s batch of patches marks the first monthly update without an actively exploited zero-day in six months.

The “lack of bugs under active attack is a nice change from last month,” when Microsoft reported six actively exploited vulnerabilities, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post Tuesday. 

Two vulnerabilities addressed this month — CVE-2026-21262 and CVE-2026-26127 — were listed as publicly known at the time of release. “These bugs are more bark than bite,” said Satnam Narang, senior staff research engineer at Tenable. 

More than half of the defects in this month’s update can trigger escalated privileges, and six of those vulnerabilities — CVE-2026-23668, CVE-2026-24289, CVE-2026-24291, CVE-2026-24294, CVE-2026-25187 and CVE-2026-26132 — were rated as more likely to be exploited, Narang added.

An information-disclosure defect in Microsoft Excel — CVE-2026-26144 — showcases an attack scenario that’s likely to occur more often, according to Childs. “An attacker could use it to cause the Copilot Agent to exfiltrate data off the target,” essentially making it a zero-click operation, he wrote.

Researchers also focused on a pair of defects in Microsoft Office with CVSS ratings of 8.4 — CVE-2026-26110 and CVE-2026-26113 — that attackers can trigger to execute arbitrary code. The Preview Pane in Microsoft Office can serve as the attack vector for both vulnerabilities.

“Remote-code execution vulnerabilities in Office applications pose significant risks for organizations, as documents are widely shared via email, file shares, and collaboration platforms,” Mike Walters, president and co-founder of Action1, said in an email. 

“If exploited, attackers could gain control of user systems, deploy ransomware, steal corporate data, or move laterally across internal networks,” he added. “Even a single malicious document could compromise an endpoint and give attackers a foothold inside the organization.”

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days appeared first on CyberScoop.

Microsoft Patch Tuesday matches last year’s zero-day high with six actively exploited vulnerabilities

Microsoft’s latest security update is littered with zero-day vulnerabilities, actively exploited defects that account for more than 10% of the total CVEs the vendor addressed in this month’s Patch Tuesday update.

The vendor addressed 59 vulnerabilities affecting its various products for business operations and underlying systems, including six defects that were actively exploited prior to Microsoft’s release of its monthly batch of patches. Microsoft said three of the exploited vulnerabilities were publicly known, suggesting attackers already had details about the defects prior to Tuesday’s release.

“The number of bugs under active attack is extraordinarily high,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post.

Microsoft’s February security update matched the high it reached last March when it disclosed six actively exploited zero-days.

The highest-rated zero-days, a pair of defects with CVSS ratings of 8.8, include CVE-2026-21510 affecting Windows Shell and CVE-2026-21513 affecting Internet Explorer. Both vulnerabilities require user interaction and could allow attackers to execute code.

Mike Walters, president and co-founder of Action1, said CVE-2026-21510 is caused by a protection mechanism failure that allows an attacker to bypass Windows protections by tricking a user into clicking on a single malicious link.

“Functional exploit techniques exist, demonstrating reliable bypass of Windows Shell and SmartScreen security prompts through crafted links or shortcut files. No privileges are required by the attacker, making this vulnerability highly attractive for phishing-based attacks,” Walters said in a blog post.

The remaining zero-days include three defects with CVSS ratings of 7.8: CVE-2026-21514 affecting Microsoft Office Word, CVE-2026-21519 affecting Desktop Window Manager, and CVE-2026-21533 affecting Windows Remote Desktop. CVE-2026-21525, which affects Windows Remote Access Connection Manager, has a CVSS rating of 6.2.

The Cybersecurity and Infrastructure Security Agency added all six of the zero-days to its known exploited vulnerabilities catalog Tuesday.

Three of the vulnerabilities — CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514 — bear strong similarities as security feature bypasses, Satnam Narang, senior staff research engineer at Tenable, said in an email.

These security features protect users from opening malicious files, he said. “Users have grown accustomed to receiving these alerts, so when vulnerabilities can bypass those protection mechanisms, users are more at risk of compromise.”

Microsoft disclosed two critical vulnerabilities with CVSS ratings of 9.8 this month, including CVE-2026-21531 affecting Azure SDK and CVE-2026-24300 affecting Azure Front Door.

The vast majority of defects Microsoft addressed this month fell into the high-severity category, accounting for 43 vulnerabilities total. The vendor described five of those vulnerabilities as more likely to be exploited.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday matches last year’s zero-day high with six actively exploited vulnerabilities appeared first on CyberScoop.

Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day

Microsoft’s first security update of 2026 addressed 112 vulnerabilities affecting its products and underlying systems, including one actively exploited zero-day in Desktop Window Manager. 

The company’s latest Patch Tuesday update marks the second consecutive month with no critical vulnerabilities disclosed. The batch of patches also contains more than 110 CVEs for the second January in a row. 

The zero-day vulnerability — CVE-2026-20805 — is an information disclosure defect with a CVSS rating of 5.5 that can be exploited by an unauthorized attacker to expose sensitive information. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Tuesday.

Information disclosure vulnerabilities are sporadically exploited in the wild, but not often, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This shows how memory leaks can be as important as code execution bugs since they make the remote code executions reliable,” he wrote in a blog post.

Jack Bicer, director of vulnerability research at Action1, concurred, adding that the memory exposed by exploitation of CVE-2026-20805 can undermine defenses and bolster additional exploits.

“This vulnerability increases the risk of successful multi-stage attacks,” Bicer said in an email. “Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or data theft, potentially leading to broader system compromise, regulatory exposure and loss of trust.”

Microsoft did not say how many attacks are linked to the zero-day. Yet, exploitation requires an attacker to have local access on the targeted system, Satnam Narang, senior staff research engineer at Tenable, said in an email.

“While Desktop Window Manager is a frequent flyer on Patch Tuesday with 20 CVEs patched in this library since 2022, this is the first time we’ve seen an information disclosure bug in this component exploited in the wild,” he added. “Attackers have historically used it to climb the ladder of privileges.”

The most severe defects disclosed by Microsoft this month include CVE-2026-20947 and CVE-2026-20963 affecting Microsoft Office SharePoint, CVE-2026-20868 affecting Windows Routing and Remote Access Service, CVE-2026-20952 and CVE-2026-20955 affecting Microsoft Office, and CVE-2026-20944 affecting Microsoft Office Word. 

Microsoft also flagged eight vulnerabilities, each with a CVSS rating of 7.8, as more likely to be exploited this month. 

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day appeared first on CyberScoop.

Cisco customers hit by fresh wave of zero-day attacks from China-linked APT

Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 

Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.

There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.

Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.

Cisco declined to answer questions about how many customers have been impacted. The company encouraged customers to follow guidance in its advisory to determine if they’re exposed and take steps to mitigate risk, including isolating or rebuilding affected systems.

The spam quarantine feature, which must be on and publicly exposed for attackers to exploit the vulnerability, is not enabled by default, Cisco said. The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog Thursday. 

“Highlighting non-standard configurations isn’t the same as blaming users — it’s a relevant technical detail that helps defenders assess exploitation likelihood,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop. 

“The core issue doesn’t change,” he added. “The software fails under certain conditions, and that’s on the vendor to fix. Secure design means accounting for edge cases, even when it’s hard, and not shifting responsibility when they’re exploited.”

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said the non-standard configurations that trigger the defect are an indication that attacks are targeting specific users. Yet, he added, it’s unknown how many Cisco customers have enabled the spam quarantine feature and exposed it to the internet.

Chinese threat groups have consistently exploited Cisco vulnerabilities. The latest attacks follow a widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.

Federal cyber authorities issued an emergency directive in September about the attacks, which impacted multiple government agencies in May. CISA and Cisco did not at that time fully explain why they waited four months from initial response to the attacks to disclose the malicious activity, patch the zero-days and issue the emergency directive.

A spokesperson for Cisco said there’s no evidence the recent attacks are connected to the attacks earlier this year. Cisco attributed the previous attacks to the same threat group behind an early 2024 campaign targeting Cisco devices, which it dubbed “ArcaneDoor.”

The post Cisco customers hit by fresh wave of zero-day attacks from China-linked APT appeared first on CyberScoop.

Microsoft’s last Patch Tuesday of 2025 addresses 57 defects, including one zero-day

Microsoft addressed 57 vulnerabilities affecting its various products for business operations and core systems, including one actively exploited zero-day, the company said in its latest monthly security update.

The zero-day vulnerability — CVE-2025-62221 — affects the Windows Cloud Files Mini Filter Driver and has a CVSS rating of 7.8. Attackers could exploit the use-after-free defect to gain system privileges, Microsoft said. 

“These types of bugs are often combined with a code execution bug to take over a system,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post, adding that the vulnerability appears to affect every supported version of Windows.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog Tuesday. 

Microsoft’s final Patch Tuesday release of the year brings the total number of vulnerabilities patched by the vendor in 2025 to 1,139 CVEs, according to Childs. “This makes 2025 the second-largest year in volume, trailing 2020 by a mere 11 CVEs. As Microsoft’s portfolio continues to increase and as AI bugs become more prevalent, this number is likely to go higher in 2026,” he said.

Microsoft disclosed no critical vulnerabilities this month. The most severe defects it disclosed include five high-severity vulnerabilities — CVE-2025-62456 and CVE-2025-64678 affecting the Windows Resilient File System, CVE-2025-62549 affecting the Windows Routing and Remote Access Service, CVE-2025-62550 affecting the Azure Monitor Agent, CVE-2025-64672 affecting Microsoft Office SharePoint — each with CVSS ratings of 8.8.

Microsoft flagged six vulnerabilities as more likely to be exploited this month, including the zero-day, CVE-2025-59516 and CVE-2025-59517 affecting the Windows Storage VSP Driver, CVE-2025-62458 affecting Windows Win32K, CVE-2025-62470 affecting the Windows Common Log File System Driver and CVE-2025-62472 affecting the Windows Remote Access Connection Manager.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s last Patch Tuesday of 2025 addresses 57 defects, including one zero-day appeared first on CyberScoop.

Attackers hit React defect as researchers quibble over proof

Attackers of different origins and motivations swiftly exploited a critical vulnerability dubbed React2Shell, affecting React Server Components shortly after Meta and the React team publicly disclosed the flaw with a patch Wednesday. 

Multiple security firms are responding to active exploitation in the wild, even as a scrum of reports concludes that the malicious activity is limited to scanning and exploitation attempts rather than actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday.

Reaction to the deserialization vulnerability, which has a CVSS rating of 10 and allows unauthenticated attackers to achieve remote-code execution, has revealed a chasm in the cybersecurity research community. Threat analysts are mostly growing more concerned about downstream impacts, but some are urging defenders to respond with less urgency and more restraint.

A debate over actual exploitation is muddying response efforts as some researchers say they’ve observed working proof of concepts and others assert legitimate PoCs are lacking. Nonetheless, real organizations have been impacted by attacks, according to multiple researchers investigating the fallout. 

Palo Alto Networks’ incident response firm Unit 42, watchTowr and Wiz told CyberScoop they’ve observed successful exploitation and follow-on malicious activity.

As of late Friday, Unit 42 has confirmed more than 30 organizations across various sectors are impacted. 

“Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015, also known as UNC5174, a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security,” said Justin Moore, senior manager of threat intel research at Unit 42. 

“In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015,” he added. 

More broadly, Moore said Unit 42 has “observed scanning for vulnerable remote-code execution, reconnaissance activity, attempted theft of Amazon Web Services configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure.”

Ben Harris, CEO and founder of watchTowr, said his team has observed indiscriminate exploitation, describing the malicious activity as rapid and prolific.

“Post-exploitation we’ve seen everything from basic extraction of credentials through to webshell deployments as a stepping stone to further activities,” Harris said. 

Multiple Wiz customer environments have been impacted by successful exploitation as well, according to Amitai Cohen, the company’s threat vector intel lead. 

“So far, we’ve observed deployments of cryptojacking malware and attempts to extract cloud credentials from compromised machines,” he said. “These early-stage activities are consistent with common post-exploitation objectives like resource hijacking and establishing further access.”

Researchers from multiple firms said attempted and successful exploitation have increased following the release of public PoCs. The potential scope of impact is significant, as 39% of cloud environments contain instances of React or Next.js, a separate open-source library that depends on React Server Components, running versions vulnerable to CVE-2025-55182, according to Wiz Research.

“The Next.js framework itself is present in 69% of environments, and 44% of all cloud environments have publicly exposed Next.js instances — regardless of the version running,” Cohen said.

Further complicating matters, Vercel, the company behind Next.js, disclosed and issued a patch Wednesday for its own maximum-severity vulnerability — CVE-2025-66478 — but the CVE was rejected because it’s a duplicate of the React defect, the root cause. 

Multiple threat groups are mobilizing resources to exploit the vulnerability for various objectives. 

“There are remote-code execution PoCs around now. It’s definitely already started, which means ransomware gangs follow. They don’t ignore opportunities for money,” Harris said.

Within hours of the public disclosure of the vulnerability, “Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda,” CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Thursday.

Unit 42 said it, too, is tracking attempted exploitation from several possible China-linked threat actors and cybercriminals. 

Automated, opportunistic exploitation attempts based on a publicly released PoC have been widespread, said Noah Stone, head of content at GreyNoise Intelligence. The firm’s sensors have captured malicious traffic originating from infrastructure in China, Hong Kong, the United States, Japan and Singapore targeting services based in the United States, Pakistan, India, Singapore and the United Kingdom, he said. 

VulnCheck’s decoy systems, which act as an early warning sign of vulnerability exploitation, have also observed exploitative scanning, said Caitlin Condon, the company’s vice president of research. “VulnCheck has been looking at patch rates on exposed Next.js apps, and we didn’t see a lot of patched systems,” she added.

Patching and mitigating the vulnerability isn’t without risk, either. Cloudflare said it experienced a temporary outage that was triggered by changes it made to its body parsing logic to detect and mitigate the vulnerability Friday.

As security researchers debate the viability of PoCs for the React vulnerability and visibility into actual attacks differs across the community, there’s no doubt the defect, which affects one of the most extensively used application frameworks, has captured sweeping interest and attention.

“This whole story is wild,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This has been a real rollercoaster.”

The post Attackers hit React defect as researchers quibble over proof appeared first on CyberScoop.

Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day

Microsoft addressed 63 vulnerabilities affecting its underlying systems and core products, including one actively exploited zero-day, the company said in its latest monthly security update.

The zero-day vulnerability — CVE-2025-62215 — affects the Windows Kernel and has a CVSS rating of 7.0 due to a high attack complexity, according to Microsoft. Exploitation, which could allow an attacker to gain system privileges, requires an attacker to win a race condition, the company said. Microsoft did not provide any further details about the scope of exploitation. 

The race condition is notable because it indicates some race conditions are more reliable than others, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post. Race-condition vulnerabilities, which require multiple concurrent threads or processes to interleave in just the right way to trigger the error, often impede reliable exploitation.

“Bugs like these are often paired with a code execution bug by malware to completely take over a system,” Childs added.

Mike Walters, president and co-founder at Action1, said a functional exploit for CVE-2025-62215 exists, but no public proof-of-concept has been released. “Exploitation is complex, but a functional exploit seen in the wild raises urgency, since skilled actors can reliably weaponize this in targeted campaigns,” he said in an email.

An attacker with low-privilege local access can trigger the race condition by running a specially crafted application, according to Ben McCarthy, lead cyber security engineer at Immersive. “The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel’s memory management and causing it to free the same memory block twice,” he said in an email.

The most severe defect disclosed this month — CVE-2025-60724 — is a remote-code execution vulnerability affecting Microsoft Graphics Component with a CVSS rating of 9.8, but Microsoft designated the flaw as less likely to be exploited. 

Microsoft flagged five defects as more likely to be exploited this month, including three vulnerabilities — CVE-2025-60719, CVE-2025-62213 and CVE-2025-62217 — affecting Windows Ancillary Function Driver for WinSock with CVSS ratings of 7.0. 

The kernel-mode driver is fundamental to Windows, making defects in the component inherently high-risk, according to McCarthy. 

“Due to it being so intertwined with network-related functionality of Windows, it has the potential to be a way in for many applications in the Windows ecosystem. There have been many vulnerabilities in the past that have been weaponized in this kernel-mode driver,” he added.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day appeared first on CyberScoop.
