Yesterday Microsoft confirmed active exploitation of CVE-2026-32202 — and the part security teams keep glossing over is that this is the second patch for the same Windows Shell primitive. February's fix closed one trigger. The May variant still leaks NTLMv2 hashes zero-click. Federal deadline: May 12.

The hard question for any CISO this week: how do you know your fleet is actually patched — not just patched-on-paper?

This is what CloudShieldSecure does differently for a vulnerability like 32202:

→ It doesn't trust the KB number. It validates the residual primitive on the host — the LNK→UNC→SMB→NTLMv2 path — and reports whether the exploit condition is still live, regardless of what the version string says.

→ It correlates against the February patch fingerprint AND the April-14 patch fingerprint as one finding. "Patched in February" + "missed April" surfaces as a single 'incomplete patch' alert, not two separate version findings.

→ It pairs the host-side primitive check with NTLM-relay detection at the identity layer. If the residual primitive is exploited, the resulting hash relay shows up as a correlated event — not an isolated SMB anomaly disconnected from the original cause.

That's the capability difference: version strings on a CSPM dashboard tell you what the vendor says you're patched against. Host-level primitive validation tells you what an attacker can actually still do.

We covered the broader 'patched ≠ safe' problem yesterday — same week, two CISA KEV deadlines (May 12 Windows / May 15 Linux), same architectural failure. Today is the show-don't-tell.

If your patch-compliance dashboard is reporting 100% on CVE-2026-32202, that's a starting question, not an answer.

→ https://lnkd.in/eKVc7tWE

#CloudShieldSecure #CyberSecurity #PatchManagement #ZeroDay #NTLM #WindowsSecurity #CISA
CVE-2026-32202 Exploitation Confirmed: Validate Patching with CloudShieldSecure
Seeing a spike in Defender alerts for Trojan:Win32/Cerdigent.A!dha today.

Based on public reporting and what's being discussed across the community:
* Alerts started appearing shortly after a recent Defender intelligence update
* Detections seem to be hitting DigiCert root certificates (Assured ID Root CA / Trusted Root G4)
* These are long-trusted root CAs present on most Windows systems

From what's being shared, it looks like Defender may be misidentifying these certificates due to a signature/hash match tied to the Cerdigent detection.

Result:
* Certificates being quarantined
* High-severity alerts across multiple environments
* A lot of noise in a short period of time

At this point, it's widely being reported as a false positive, but I haven't seen anything official from Microsoft yet. There are also claims that a fix is rolling out, though that remains unconfirmed. Worth watching.

Technical Details for Admins:
Trigger Version: Security Intelligence Update 1.449.424.0.
Mechanism: The detection flags registry keys in AuthRoot\Certificates.
The Fix: Early reports suggest that checking for updates and moving to version 1.449.430.0 (or later) resolves the false positive and stops the alerts.

#CyberSecurity #MicrosoftDefender #InfoSec #FalsePositive
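A host-side check for the Defender false-positive condition in the post above, added here as an example and not taken from the post. The version thresholds are the ones the post reports (1.449.424.0 triggers, 1.449.430.0 or later resolves); the DigiCert subject names are assumed to match the roots the post names.

```powershell
# Added example, not from the original post: audit one host for the Cerdigent.A!dha
# false-positive condition. Version thresholds are the ones the post reports; the
# DigiCert subject names are an assumption. Run elevated.
$TriggerVersion = [version]'1.449.424.0'
$FixedVersion   = [version]'1.449.430.0'
$ExpectedRoots  = @('DigiCert Assured ID Root CA', 'DigiCert Trusted Root G4')

# 1. Where does this host's security intelligence sit relative to the reported versions?
$sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVer -ge $FixedVersion) {
    "Signature $sigVer is at or past the reported fix level"
} elseif ($sigVer -ge $TriggerVersion) {
    "Signature $sigVer is inside the reported false-positive window; run Update-MpSignature"
} else {
    "Signature $sigVer predates the reported trigger version"
}

# 2. The detection reportedly acts on AuthRoot\Certificates, so confirm both roots are
#    still present in the third-party root store (Cert:\LocalMachine\AuthRoot is the
#    provider view of HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates).
$authRoot = Get-ChildItem Cert:\LocalMachine\AuthRoot
foreach ($cn in $ExpectedRoots) {
    $hit = $authRoot | Where-Object { $_.Subject -like "*CN=$cn*" }
    if ($hit) { "present : $cn ($($hit.Thumbprint -join ', '))" } else { "MISSING : $cn" }
}

# 3. Defender threat records naming Cerdigent, so the alert volume can be triaged
#    against the signature version found in step 1.
Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, SeverityID, IsActive, Resources | Format-List
```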
This week in cybersecurity, the common thread wasn't a single flaw or a single threat actor — it was time.

→ cPanel's authentication bypass had been actively exploited for two months before a patch landed. By the end of last week, attackers had spawned "Sorry" ransomware, Mirai botnets, and a Southeast Asia espionage campaign in parallel on the same flaw.
→ A nine-year-old Linux kernel bug ("Copy Fail") grants any local user root in 732 bytes — and breaks container isolation on essentially every major distribution.
→ Microsoft's February patch for an APT28-exploited Windows Shell flaw left the credential-leak path wide open. Fancy Bear walked back in for ten more weeks.
→ Trellix disclosed a source code repository breach with dwell time and attribution still undisclosed.
→ And Vect 2.0 ransomware affiliates have been destroying victim data they thought they were holding hostage — even paying victims can't recover files larger than 128 KB.

The takeaway for security leaders: better patching alone doesn't close any of these windows. Egress controls, kernel isolation, immutable backups, and a real inventory of every AI tool with access to a developer environment are what stand between a single compromise and a bad week.

Full breakdown: https://openv.pn/4tWjd7E

#Cybersecurity #InfoSec #CISO #ZeroTrust #VulnerabilityManagement
Pre-auth RCE on every Domain Controller in your forest. No credentials needed.

CVE-2026-41089 (Netlogon) + CVE-2026-41096 (DNS Client) just dropped — if you have not patched from May Patch Tuesday, your entire Active Directory is wide open.

What you need to know:
🔴 CVE-2026-41089: Pre-auth RCE via Netlogon — one packet, DC compromised, entire forest falls
🔴 CVE-2026-41096: Unauthenticated RCE in Windows DNS Client — hits every endpoint, not just servers
⚡ Chained: attacker goes from zero foothold → full forest takeover, no lateral movement required
🕐 Mean time to exploit after Patch Tuesday: historically under 72 hours
🏢 Every unpatched Windows Server 2019/2022/2025 is exposed RIGHT NOW

This is the Netlogon legacy all over again. The vulnerability class that handed attackers domain dominance in 2020 never went away — it just got renamed.

At Lyrie, our agentic threat detection catches Netlogon anomalies and DNS exploitation patterns before the chain completes.

Patch first. Then build detection that assumes patching will be late.

Full breakdown → research.lyrie.ai
Follow Lyrie.ai → https://lnkd.in/dj-zbPYV

#CyberSecurity #AIDefense #ZeroDay #ThreatIntelligence #Lyrie #ActiveDirectory #PatchTuesday
Do not trust, always verify. Keep your team on its toes. Keep an experienced wisdom specialist to handle such events. Keep a professional architect to redesign your strategy in such a situation. Everyone needs help.
🚨 New Attacks Weaponize Windows BitLocker & WDAC Zero-Days 🔒

Security researchers have uncovered active exploits targeting two unpatched Windows vulnerabilities, putting enterprise encryption and application controls at risk.

- 🛡️ BitLocker Bypass in the Wild: A zero-day flaw allows attackers to decrypt BitLocker-protected drives without authentication, bypassing full-disk encryption on vulnerable systems—no physical access or admin rights required.
- ⚙️ WDAC Code Integrity Evaded: A separate vulnerability in Windows Defender Application Control (WDAC) lets threat actors execute unsigned, malicious code, dismantling a critical trust boundary for enterprise endpoints.
- ⏳ No Patch Available, CISA Monitoring: Microsoft has not yet released fixes, and CISA is assessing the active threat. Mitigation currently requires manual configuration changes or disabling specific features, escalating operational risk for security teams.
- 🌐 Implications for Zero Trust Architectures: These exploits highlight the fragility of relying on built-in OS security controls as enforcement points, demanding a shift toward layered, behavior-based detection and hardware-rooted trust.

What is the most critical vulnerability in your current defense—the technology you trust, or the assumption that it will always be there?

https://lnkd.in/ddEDGcV7
🚀 New Lab Writeup: Compounding Wins in Active Directory (DC01)

I just wrapped up DC01 from HackMyVM, a high-fidelity lab featuring a Windows Server 2022 Domain Controller. This machine was a fantastic reminder that in Active Directory environments, enumeration is king and technical hurdles are just part of the process.

The Attack Path:
Initial Foothold: Started with zero credentials. Found anonymous SMB access which allowed me to harvest a clean list of domain users.
Password Spraying: After AS-REP Roasting failed (pre-auth was enforced), I pivoted to a password spray. By testing the user list against itself, I gained access as ybob317.
The Kerberos Wall: Hit a major roadblock with a 2-hour clock skew. Since Kerberos enforces a strict 5-minute tolerance, I had to manually sync my attack box to the DC before any TGS operations would work.
Lateral Movement: Post-sync, I was able to enumerate deeper, eventually discovering a backup share containing NTLM hashes.
Domain Compromise: Instead of fighting to crack complex passwords, I used a Pass-the-Hash (PtH) strategy to authenticate via WinRM, landing me a shell as a privileged user and full control of the SOUPEDECODE.LOCAL domain.

Key Takeaway: AD security isn't just about patching CVEs; it's about managing identity and privilege. This lab perfectly demonstrated how a simple anonymous share can be the first domino in a total domain collapse.

Check out my writeup 👇
https://lnkd.in/dvs8WrBD

#CyberSecurity #PenetrationTesting #ActiveDirectory #EthicalHacking #HackMyVM #RedTeaming #InfoSec #WindowsServer2022
🚨 New Lab Breakdown: Total Active Directory Compromise on DC02

I just finished documenting my latest walkthrough of the DC02 laboratory from HackMyVM, and it serves as a textbook example of how a chain of minor misconfigurations can lead to a total forest-wide compromise. In a modern Windows Server 2022 environment, you might expect robust defenses, but this lab proves that identity is the new perimeter.

The Attack Path:
Initial Foothold: Started with zero credentials, using Kerbrute for user enumeration followed by a successful password spray to land our first low-privilege shell.
Lateral Movement: Leveraged AS-REP Roasting against accounts with Kerberos Pre-Authentication disabled, allowing us to pivot to the zximena448 user.
Privilege Escalation: Discovered zximena448 was a member of the Backup Operators group. I leveraged this to bypass NTFS permissions and remotely exfiltrate the SAM, SYSTEM, and SECURITY registry hives.
Domain Domination: Using the recovered machine account hash ($DC01), I performed a DCSync (DRSUAPI) attack to dump every credential in the domain, including the Administrator and krbtgt hashes.

Key Takeaways:
Least Privilege is Mandatory: A single user in a "Backup" group was the catalyst for the entire domain falling.
Legacy Settings Kill: Kerberos Pre-Auth is often overlooked but remains a massive target for attackers.
Machine Accounts are High-Value: Compromising a Domain Controller's machine account is game over for the forest.

Full write-up: https://lnkd.in/dYjUNe6S

#CyberSecurity #PenetrationTesting #ActiveDirectory #RedTeaming #HackMyVM #Infosec #EthicalHacking
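A defender-side audit for the conditions the DC01 and DC02 writeups above relied on (pre-auth disabled accounts, Backup Operators membership, clock skew beyond the 5-minute Kerberos tolerance, and a password-spray signal), added here as an example that is not part of either writeup. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read the Security log; $SprayThreshold and the 4625 property offsets are assumptions noted inline.

```powershell
# Added example, not from either writeup. Assumes the RSAT ActiveDirectory module and
# Security-log read rights; $SprayThreshold and the 4625 offsets are assumptions.
Import-Module ActiveDirectory
$SprayThreshold = 10   # assumed: distinct accounts failing from one source within 24h

# 1. Enabled accounts with Kerberos pre-authentication disabled (AS-REP roastable).
$noPreAuth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true'
"Pre-auth disabled: $(@($noPreAuth).Count)"
$noPreAuth | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 2. Backup Operators can read the SAM/SYSTEM/SECURITY hives remotely; list the membership.
$backupOps = Get-ADGroupMember -Identity 'Backup Operators' -Recursive
"Backup Operators members: $(@($backupOps).Count)"
$backupOps | Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# 3. Clock offset from the PDC emulator; Kerberos tolerates 5 minutes by default.
$pdc   = (Get-ADDomain).PDCEmulator
$match = (w32tm /stripchart /computer:$pdc /samples:1 /dataonly) |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($match) {
    $skew = [double]$match.Matches[0].Groups[1].Value
    if ([math]::Abs($skew) -gt 300) { "Clock skew of ${skew}s exceeds the 5-minute Kerberos tolerance" }
    else { "Clock skew of ${skew}s is within tolerance" }
}

# 4. Spray signal: many distinct accounts failing logon from one source address.
#    4625 covers NTLM/network logons; Kerberos pre-auth failures surface as 4771 instead.
#    Offsets assumed from the 4625 schema: Properties[5] = TargetUserName, [19] = IpAddress.
$since = (Get-Date).AddHours(-24)
$fails = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue
$fails | ForEach-Object { [pscustomobject]@{ Ip = $_.Properties[19].Value; User = $_.Properties[5].Value } } |
    Group-Object Ip | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        if ($users.Count -ge $SprayThreshold) { "Possible spray from $($_.Name): $($users.Count) distinct accounts" }
    }
```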
🚨 CVE-2026-41096: Critical RCE Vulnerability in Windows DNS Client

A maximum-severity vulnerability has been identified in the Microsoft Windows DNS Client, which processes DNS responses across millions of Windows endpoints and servers. This flaw allows an unauthenticated, remote attacker to execute arbitrary code with elevated privileges by delivering a specially crafted DNS response.

💡 Why it matters:
☠️ Privilege escalation across corporate domains.
☠️ Installation of malware, ransomware, or unauthorized extraction of sensitive data.

🛡️ Recommended actions:
✅ Immediately deploy Microsoft's May 2026 Patch Tuesday security updates to all Windows servers and workstations.
✅ Ensure all Windows hosts are locked down to use only trusted, authenticated internal DNS resolvers, and block unapproved outbound DNS traffic at your network boundary.

We got your back! Use these scripts from the Vicarius research team:
🔍 Detection script: https://lnkd.in/d66HzdhE
🩹 Remediation script: https://lnkd.in/duxTNk8H

Stay proactive! Let us know if you need help securing your systems
Here is the LinkedIn post based on your request.

Your BitLocker is a lie. Attackers crack it in 5 minutes.

We all trust encryption to protect our data. But the new BitUnlocker downgrade attack CVE-2025-48804 proves that trust is fragile.

Here is the Problem: The attack exploits a critical infrastructure flaw: the unrevoked Microsoft Windows PCA 2011 certificate. Because Microsoft feared disrupting enterprise networks, this legacy certificate remains valid in Secure Boot.

Here is the Agitation: An attacker with physical access uses a simple USB drive. They downgrade the boot manager to an old, vulnerable version signed by the trusted 2011 certificate. The Trusted Platform Module (TPM) sees a valid signature and happily releases the decryption keys.

The Result: A terminal opens in minutes, exposing your entire operating system volume.

The Root Cause: Your Secure Boot is blind to the downgrade because the old certificate is still valid.

The Solution (Mitigation): We cannot rely on incomplete patches. We need proactive defense.
Enable TPM + PIN: A pre-boot PIN stops automatic key release.
Revoke the PCA 2011 Certificate: Use the DBX database to explicitly block the old boot manager.
Modify PCR Policies: Set PCRs to 0, 2, or 4 to detect unauthorized boot path changes.

This is a wake-up call. We must stop assuming default configurations are safe.

How is your team securing your infrastructure against this type of exploitation? Let's discuss in the comments below.

#CyberSecurity #Vulnerability #Windows11
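An audit for the first mitigation in the post above (TPM + PIN), added here as an example and not taken from the post: it reports OS volumes whose BitLocker key is released by the TPM alone and confirms Secure Boot is on. The remediation lines in comments assume the 'Require additional authentication at startup' policy permits a PIN.

```powershell
# Added example, not from the original post: find OS volumes that unlock on TPM alone,
# the condition a pre-boot PIN closes, and check Secure Boot state. Run elevated.
$report = foreach ($v in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
    $types  = @($v.KeyProtector.KeyProtectorType)
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    [pscustomobject]@{
        MountPoint = $v.MountPoint
        Protection = $v.ProtectionStatus
        Protectors = ($types -join ', ')
        TpmOnly    = ($types -contains 'Tpm') -and -not $hasPin   # releases keys with no user factor
    }
}
$report | Format-Table -AutoSize

# The downgrade the post describes relies on Secure Boot trusting the old boot manager;
# Secure Boot being off entirely is worse still, and DBX revocation needs it on.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state unavailable (legacy BIOS or insufficient rights): $($_.Exception.Message)" }

# Remediation for a TpmOnly volume (interactive; policy must allow a PIN). A volume holds
# one TPM-based protector, so remove the TPM-only one before adding TPM + PIN:
#   $tpm = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpm.KeyProtectorId
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host 'PIN' -AsSecureString)
```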
#500DaysCyberSec [Restarted]

☑️ Day 43 of #Challenge: SSH Hardening That Can Stop Almost All Attacks on Your Server, Part 1

📌 Most attackers don't "hack" SSH instantly. They abuse weak configurations that admins forget to secure.
📌 In this deep dive, I explored how simple SSH hardening techniques can drastically reduce brute-force attacks, credential stuffing, password guessing, and automated bot scanning.
📌 The real danger? Default SSH settings running on internet-facing servers.
📌 Covered critical defenses like:
→ Disabling root login
→ Replacing passwords with SSH keys
→ Changing the default SSH port
→ Restricting unauthorized access
📌 And the scariest part… Most attackers are not manually targeting servers. Bots scan the internet 24/7 searching for systems with weak SSH configurations.
📌 One small hardening mistake can expose the entire server.

Happy Hacking 😃
The LNK→UNC→SMB→NTLMv2 path is exactly the kind of 'looks patched' primitive that keeps NTLM relay viable. Even if you patch, the question is whether any residual auth to attacker-controlled SMB is still happening, and whether the identity layer can block relay (EPA/channel binding, SMB signing, NTLM restrictions). Otherwise it's just a different entry point into the same AD compromise chain.