ctipilot.ch

Unpatched Windows search: URI handler NTLMv2 leak; Microsoft declined to patch

vulnerability-trend · item:windows-search-uri-ntlm-leak-2026

Coverage timeline: 1 (first 2026-06-04, last 2026-06-04)
Briefs: 1 (1 distinct)
Sources cited: 76 (46 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8

Story timeline

  1. 2026-06-04 · CTI Daily Brief — 2026-06-04
     research · First coverage — forced-auth URI-handler class

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 8 (11%)
  • bleepingcomputer.com: 6 (8%)
  • thehackernews.com: 5 (7%)
  • security-hub.ncsc.admin.ch: 4 (5%)
  • therecord.media: 3 (4%)
  • helpnetsecurity.com: 3 (4%)
  • theregister.com: 3 (4%)
  • msrc.microsoft.com: 2 (3%)
  • other: 42 (55%)


Items in briefs about Unpatched Windows search: URI handler NTLMv2 leak; Microsoft declined to patch (5)

UPDATE: Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (`cldflt.sys` SYSTEM escalation) remain unpatched; researcher announces July 14 drop

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

UPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record, 2026-05-29). The pseudonymous researcher Nightmare Eclipse / Chaotic Eclipse responded by threatening a new vulnerability release on 14 July 2026 (the next Patch Tuesday).

Of the six Windows vulnerabilities the researcher has released since early April: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) are patched and saw confirmed in-the-wild exploitation following PoC publication. YellowKey (CVE-2026-45585 — BitLocker bypass via Windows Recovery Environment, requiring physical access), GreenPlasma (LPE class), and MiniPlasma remain unpatched as of 30 May 2026. MiniPlasma specifically abuses the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve a SYSTEM shell from a standard user session on fully-patched Windows 11; the root cause is assessed as an incomplete remediation of CVE-2020-17103 (no CVE yet assigned to MiniPlasma itself).

The July 14 release deadline should be treated as a hard date for resolving any outstanding Windows LPE chain gaps. Defenders on Windows 11 estates should monitor for cldflt.sys-related anomalies and consider AppLocker/WDAC policies blocking unsigned executables from low-privileged user sessions while patches are pending. Next Patch Tuesday: 10 June 2026.

Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

Rapid7 Labs disclosed on 2026-05-28 an authenticated-RCE zero-day in Gogs, the open-source self-hosted Git service. The root cause is in the Merge() function inside internal/database/pull.go: when the "Rebase before merging" strategy is invoked on a pull request, Gogs passes the source-branch name unsanitised to process.ExecDir, bypassing the safer git-module wrappers. An attacker creates a branch named e.g. --exec=<command>; when git rebase runs, that flag is interpreted as a --exec argument and the command executes under the Gogs service account. Affected: Gogs 0.14.2 and 0.15.0+dev (commit b53d3162); all prior versions that support the rebase-merge strategy are likely affected too. The maintainer acknowledged the report on 2026-03-28 (reported 2026-03-17) but has not shipped a fix; Rapid7 published after the standard 90-day window expired. Rapid7 also released a full Metasploit module covering Windows and Linux targets. Shodan shows ~1,141 internet-facing Gogs instances. Class is CWE-88 argument injection — same technique family as CVE-2024-39930 / 39932 / 39933 in prior Gogs disclosures. The Hacker News writeup corroborates and adds that no admin privileges are required, only account creation and repository access.

Why it matters to us: Self-hosted Gogs is common in European public-sector code and research infrastructure as a lightweight GitHub alternative. Until a patched fork (Gitea / Forgejo) is adopted, set DISABLE_REGISTRATION = true in app.ini, disable the Rebase before merging strategy under instance settings, and watch for git child processes carrying --exec under the Gogs binary's process tree (Sysmon EID 1 / auditd EXECVE).
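The two controls above (registration off in app.ini, and git children carrying --exec under the Gogs process tree) as a runnable hunt. This is an added example, not Rapid7's or the Gogs project's code: SAMPLE_EVENTS are constructed records that reuse Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), and the paths, command lines and app.ini snippets are assumptions made for illustration. The same logic applies to auditd EXECVE/SYSCALL pairs once exe, parent exe and argv have been joined.

```python
"""Hunt for git processes carrying --exec that were spawned by the Gogs binary.

Added example, not Rapid7's or the Gogs project's code. SAMPLE_EVENTS are
constructed JSON records that reuse Sysmon Event ID 1 field names (Image,
ParentImage, CommandLine); the paths, command lines and the app.ini snippets
are assumptions made for illustration.
"""
import configparser
import shlex
from pathlib import PurePosixPath, PureWindowsPath


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting Windows or POSIX paths."""
    if "\\" in path or (len(path) > 1 and path[1] == ":"):
        return PureWindowsPath(path).name.lower()
    return PurePosixPath(path).name.lower()


def _argv(cmdline: str) -> list:
    """Tokenise a logged command line; fall back to whitespace splitting on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def exec_flag_present(argv: list) -> bool:
    """True when git's --exec option appears, in either '--exec=cmd' or '--exec cmd' form."""
    return any(tok == "--exec" or tok.startswith("--exec=") for tok in argv[1:])


def classify_process_event(event: dict) -> dict:
    """Verdict for one process-creation event.

    The high-severity case is exactly the brief's indicator: a git child whose
    parent is the gogs binary and whose command line carries --exec.
    """
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    argv = _argv(event.get("CommandLine", ""))
    is_git = image in ("git", "git.exe")
    under_gogs = parent in ("gogs", "gogs.exe")
    has_exec = is_git and exec_flag_present(argv)
    if has_exec and under_gogs:
        sub = "rebase" if "rebase" in argv[1:] else "other"
        return {"alert": True, "severity": "high",
                "reason": f"git {sub} with --exec spawned by {parent}"}
    if has_exec:
        # Developers legitimately use --exec from interactive shells; keep it visible but unalerted.
        return {"alert": False, "severity": "info",
                "reason": f"git --exec under {parent or 'unknown parent'}"}
    return {"alert": False, "severity": "none", "reason": "no --exec on a git process"}


def hunt(events: list) -> list:
    """Return only the events that alert, each paired with its verdict."""
    out = []
    for ev in events:
        verdict = classify_process_event(ev)
        if verdict["alert"]:
            out.append({"event": ev, **verdict})
    return out


def registration_disabled(app_ini: str) -> bool:
    """True when app.ini carries DISABLE_REGISTRATION = true in [service], the brief's first mitigation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(app_ini)
    return cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False)


# Constructed sample events (Sysmon EID 1 field names; paths and commands are assumptions).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/git", "ParentImage": "/home/git/gogs/gogs",
     "CommandLine": "git rebase --exec=id main"},
    {"Image": "/usr/bin/git", "ParentImage": "/home/git/gogs/gogs",
     "CommandLine": "git merge --no-ff feature/login"},
    {"Image": r"C:\Program Files\Git\bin\git.exe", "ParentImage": r"C:\gogs\gogs.exe",
     "CommandLine": "git.exe rebase --exec whoami main"},
    {"Image": "/usr/bin/git", "ParentImage": "/bin/bash",
     "CommandLine": "git rebase --exec 'make test' origin/main"},
]

# Constructed app.ini fragments: the hardened one carries the brief's setting.
HARDENED_APP_INI = "[service]\nDISABLE_REGISTRATION = true\nREQUIRE_SIGNIN_VIEW = true\n"
DEFAULT_APP_INI = "[service]\nDISABLE_REGISTRATION = false\n"

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["severity"], hit["reason"], "<-", hit["event"]["CommandLine"])
    print("registration disabled:", registration_disabled(HARDENED_APP_INI))
```

The parent-image filter is what keeps the rule quiet: `git rebase --exec` from a developer's shell is routine, so it is logged at info level only, while the same command line under the gogs binary alerts on both the Linux and Windows targets the Metasploit module covers.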

CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

HiddenLayer / Hadrian researchers disclosed CVE-2026-45829, a CVSS 4.0 = 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0) (Hadrian Security, 2026-05-19; BleepingComputer, 2026-05-19). The vulnerable endpoint is POST /api/v2/tenants/{tenant}/databases/{db}/collections: when the request body sets trust_remote_code: true with an attacker-controlled HuggingFace model identifier (or a local path), the server fetches and executes the attacker-supplied Python code before the auth check fires, then politely returns 403 Forbidden after the code has run. The flaw exists only in the Python FastAPI server (chromadb[server] pip package) — the default Rust server (chroma run) does not traverse this code path. Per BleepingComputer's reporting of Shodan queries, approximately 73 % of internet-exposed ChromaDB instances are running a vulnerable version of the software. As of disclosure, ChromaDB v1.5.9 (latest) is unpatched. Mitigations: disable the Python FastAPI server and migrate to the Rust server; alternatively, block network-level access to the ChromaDB API (it should never be internet-exposed in the first place); if internal, set trust_remote_code: false server-wide via config. Detection concept — unexpected outbound network connections from ChromaDB Python server processes; child processes spawned by uvicorn / gunicorn workers with non-default lineage; access logs showing POST /api/v2/.../collections bodies referencing HuggingFace repository slugs with attacker-controlled patterns. T1190 Exploit Public-Facing Application; the impact maps to T1059.006 Python execution under the server context.

CVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

HiddenLayer / Hadrian researchers disclosed a CVSS 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0): the embedding-function model is loaded before the authentication check runs, so an unauthenticated request reaches code execution "before it asks who you are." Public PoC, still unpatched in v1.5.9. ChromaDB is a common vector-store backend for retrieval-augmented-generation stacks now appearing in public-sector AI pilots; any internet-reachable instance is exposed. Take ChromaDB off the public internet and front it with an authenticating reverse proxy until a fix ships.
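The detection concept from the two CVE-2026-45829 items (the 2026-05-21 daily brief and this weekly summary) as a log scanner. This is an added example, not ChromaDB's, HiddenLayer's or Hadrian's code. It assumes the authenticating reverse proxy recommended above logs method, path, status and the JSON request body as one JSON line per request; SAMPLE_LOG is constructed in that assumed format, and the body layout (an embedding_function object holding trust_remote_code and a model identifier) is an assumption for illustration, not ChromaDB's documented request schema.

```python
"""Flag ChromaDB collection-creation requests that can reach the pre-auth model-loading path.

Added example, not ChromaDB's, HiddenLayer's or Hadrian's code. SAMPLE_LOG is
constructed: it assumes an authenticating reverse proxy in front of the Python
FastAPI server logs method, path, status and the JSON request body as one JSON
line per request. The body layout is an assumption, not ChromaDB's schema.
"""
import json
import re

# The endpoint named in the brief; tenant and database names are wildcards.
COLLECTIONS_ROUTE = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")
# HuggingFace repository slug shape (owner/repo), used as a heuristic for model identifiers.
HF_SLUG = re.compile(r"^[A-Za-z0-9][\w.-]*/[\w.-]+$")


def _walk(obj):
    """Yield (key, value) pairs from nested JSON, depth-first."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k, v
            yield from _walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v)


def remote_code_indicators(body) -> dict:
    """Look for trust_remote_code=true and any model reference (HF slug or local path) in a body."""
    trust = any(k == "trust_remote_code" and v is True for k, v in _walk(body))
    model_refs = [v for k, v in _walk(body)
                  if isinstance(k, str) and "model" in k.lower() and isinstance(v, str)
                  and (HF_SLUG.match(v) or v.startswith(("/", "./", "../")))]
    return {"trust_remote_code": trust, "model_refs": model_refs}


def assess_request(entry: dict) -> dict:
    """Verdict for one logged request; the HTTP status is reported but never used to suppress."""
    method = str(entry.get("method", "")).upper()
    path = str(entry.get("path", ""))
    if method != "POST" or not COLLECTIONS_ROUTE.match(path):
        return {"alert": False, "reason": "not a collection-creation request"}
    try:
        body = json.loads(entry.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}
    ind = remote_code_indicators(body)
    if ind["trust_remote_code"]:
        # A 403 here is not reassuring: per the brief the model is loaded before the auth check.
        return {"alert": True, "severity": "critical", "status": entry.get("status"),
                "model_refs": ind["model_refs"],
                "reason": "trust_remote_code=true on collection creation"}
    if ind["model_refs"]:
        return {"alert": False, "severity": "low", "status": entry.get("status"),
                "model_refs": ind["model_refs"],
                "reason": "model reference without trust_remote_code"}
    return {"alert": False, "reason": "no remote-code indicator"}


def scan(log_lines) -> list:
    """Run assess_request over JSON log lines, skipping unparsable ones; return alerts."""
    alerts = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = assess_request(entry)
        if verdict["alert"]:
            alerts.append({"path": entry.get("path"), **verdict})
    return alerts


def _body(model, trust):
    """Constructed request body in the assumed layout (not ChromaDB's schema)."""
    return json.dumps({"name": "docs", "configuration": {"embedding_function": {
        "name": "huggingface", "model_name": model, "trust_remote_code": trust}}})


COLLECTIONS = "/api/v2/tenants/default_tenant/databases/default_database/collections"
# Constructed reverse-proxy log lines in the assumed one-JSON-object-per-line format.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"method": "POST", "path": COLLECTIONS, "status": 403,
     "body": _body("example-org/custom-embedder", True)},
    {"method": "POST", "path": COLLECTIONS, "status": 200,
     "body": _body("/srv/models/local-embedder", True)},
    {"method": "POST", "path": COLLECTIONS, "status": 200,
     "body": _body("sentence-transformers/all-MiniLM-L6-v2", False)},
    {"method": "GET", "path": "/api/v2/heartbeat", "status": 200, "body": ""},
    {"method": "POST", "path": COLLECTIONS + "/abc/add", "status": 200, "body": "{}"},
]]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["severity"], a["status"], a["model_refs"], a["reason"])
```

The first sample line is the case the brief describes: the request was answered 403, and the scanner still alerts on it, because the status code says nothing about whether the model-loading path ran first. Requests naming a model without trust_remote_code are kept at low severity so the rule stays usable on instances that legitimately use HuggingFace embedders.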

BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

BSI published WID-SEC-2026-1435 on 2026-05-08 rating two authenticated remote code execution vulnerabilities in Netgate pfSense Community Edition as kritisch (critical) and explicitly UNGEPATCHT (unpatched) in the BSI advisory feed (BSI WID-SEC-2026-1435, 2026-05-08). CVE-2025-69691 (CVSS 9.9) affects pfSense CE 2.8.0: the XMLRPC API endpoint /xmlrpc.php exposes the pfsense.exec_php method, which executes arbitrary PHP as root when invoked with any Basic Auth credentials — including default admin passwords on Internet-exposed deployments (Full Disclosure, 2026-02-16; cve.news analysis of CVE-2025-69691, 2026-05-08). CVE-2025-69690 (CVSS 8.8) affects pfSense CE 2.7.2 via unsafe deserialization in the configuration backup/restore path — uploading a crafted backup containing a serialized PHP object with a malicious post_reboot_commands property yields root RCE on restore (same primary disclosure thread).

Netgate's position, restated in the Full Disclosure thread, is that both behaviours are expected for authenticated administrators and that no patch will be issued. BSI taking a national-CERT position on the unpatched state three months after researcher disclosure is the in-window signal: this elevates pfSense CE from "vendor accepts behaviour" to "EU national authority recommends mitigation." pfSense Community Edition is licence-free and commonly deployed at the perimeter of Swiss cantonal, municipal, healthcare, education and SME networks where commercial pfSense+ subscriptions are out of reach. The pfSense+ commercial product is reportedly not affected by the same code paths.

Why it matters to us: Treat any Internet-exposed pfSense CE management interface (HTTPS web GUI, XMLRPC endpoint, SSH) as a credential-theft single-point-of-failure rather than a hardened control plane. Block the XMLRPC interface at the network level for any CE 2.8.0 deployment that cannot disable it administratively, restrict the web GUI to a management VLAN, rotate any admin passwords that ever traversed unencrypted networks, and audit system.xml for unexplained post_reboot_commands entries (CVE-2025-69690 persistence indicator). Because exploitation requires existing admin credentials, the operative attack chain is T1078 Valid Accounts (after credential theft) → T1059.004 Unix Shell; for an Internet-exposed management plane, T1190 Exploit Public-Facing Application remains the framing for the initial brute-force / credential-stuffing pivot. See § 7 reduced-confidence note on BSI sourcing.
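The configuration audit recommended above as a script. This is an added example, not Netgate's or BSI's code: it reads the XML backup the brief tells defenders to audit (the brief calls it system.xml) and reports every post_reboot_commands element with its location and content, plus any element text or attribute that carries a serialised PHP object header, the carrier the brief describes for the crafted-backup path. SAMPLE_CLEAN and SAMPLE_SUSPECT are constructed documents whose element layout only loosely mirrors a real backup.

```python
"""Audit a pfSense CE configuration backup for CVE-2025-69690 persistence indicators.

Added example, not Netgate's or BSI's code. SAMPLE_CLEAN and SAMPLE_SUSPECT
are constructed documents; their element layout is an assumption, not a
faithful copy of a real backup.
"""
import re
import xml.etree.ElementTree as ET  # for backups of unknown origin prefer defusedxml.ElementTree

# PHP serialised object header: O:<len>:"<class>":<member count>:{
PHP_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')


def _walk(elem, path=""):
    """Yield (path, element) for every element, with a slash-joined path of tag names."""
    here = f"{path}/{elem.tag}"
    yield here, elem
    for child in elem:
        yield from _walk(child, here)


def audit_backup(xml_text: str) -> list:
    """Return findings as dicts with kind, path and the offending text."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, elem in _walk(root):
        text = (elem.text or "").strip()
        if elem.tag == "post_reboot_commands":
            # The brief names unexplained post_reboot_commands entries as the persistence indicator.
            findings.append({"kind": "post_reboot_commands", "path": path, "text": text})
        # A serialised PHP object is never expected inside a backup's element text or attributes.
        for candidate in [text] + list(elem.attrib.values()):
            if PHP_OBJECT.search(candidate):
                findings.append({"kind": "php_serialized_object", "path": path, "text": candidate})
    return findings


def backup_is_clean(xml_text: str) -> bool:
    """Convenience wrapper for pipelines that only need a pass/fail."""
    return not audit_backup(xml_text)


SAMPLE_CLEAN = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw-edge</hostname>
    <webgui><protocol>https</protocol></webgui>
  </system>
  <installedpackages/>
</pfsense>
"""

SAMPLE_SUSPECT = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw-edge</hostname>
  </system>
  <installedpackages>
    <package>
      <name>example-package</name>
      <post_reboot_commands>echo constructed-sample-command</post_reboot_commands>
    </package>
  </installedpackages>
  <cron>
    <item>
      <command>O:8:"stdClass":0:{}</command>
    </item>
  </cron>
</pfsense>
"""

if __name__ == "__main__":
    for finding in audit_backup(SAMPLE_SUSPECT):
        print(finding["kind"], finding["path"], repr(finding["text"]))
```

Every post_reboot_commands hit is reported rather than judged, because some packages set that element legitimately; the reviewer compares the reported path and content against the packages actually installed. The serialised-object check is the complement for backups whose origin is uncertain before they are restored.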