Microsoft issued a security advisory for CVE-2026-53045, a high-severity Linux kernel flaw in the NVIDIA Tegra124 memory controller driver (CVSS 7.8). The vulnerability, a reversed bit check in the EMC driver, affects Windows Subsystem for Linux 2 (WSL2) and Azure Linux VMs with Tegra124 hardware. Exploitation can cause kernel panics, data corruption, and potentially privilege escalation. Microsoft advises updating WSL kernels and Azure container images.
Microsoft Azure
Microsoft's cloud platform — Entra ID, AKS, Storage, and the broader Azure stack.
Recent threats
CISA confirmed on July 2, 2026, that attackers are actively exploiting CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint. The deserialization flaw requires only basic authenticated access (Site Member permissions) and was patched in May 2026. Over 10,000 SharePoint servers remain exposed online, with no visibility into remediation coverage.
- CISA: Microsoft SharePoint RCE flaw now actively exploited(opens in a new tab)
- U.S. CISA adds a Microsoft SharePoint Server flaw to its Known E(opens in a new tab)
- CISA Warns of Actively Exploited Microsoft SharePoint Vulnerabil(opens in a new tab)
- SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exp(opens in a new tab)
- CISA adds SharePoint flaw to known exploited vulnerabilities lis(opens in a new tab)
- CISA Warns of Actively Exploited Microsoft SharePoint Vulnerabil(opens in a new tab)
Microsoft released patches for CVE-2026-33825 (BlueHammer), a Microsoft Defender privilege escalation vulnerability, on April 14, 2026. CISA added the flaw to its Known Exploited Vulnerabilities catalog on April 22 and has now updated the entry to confirm active exploitation in ransomware campaigns. Authenticated attackers can escalate privileges to disable defenses, move laterally, or prepare systems for encryption. No details on specific ransomware groups have been publicly disclosed.
Threat actors conducted a large-scale password spray campaign targeting Azure CLI between June 12 and 21, 2026, making over 81 million login attempts originating primarily from LSHIY LLC infrastructure. Huntress detected 78 user account compromises across 64 customer organizations, with 2-4 accounts typically breached daily. The attack represents part of a broader surge in credential spray attacks across the cloud services landscape.
Microsoft disclosed CVE-2026-52930, a Linux kernel race condition in System V shared-memory cleanup affecting Azure Kubernetes Service (AKS), Windows Subsystem for Linux 2 (WSL2), and hybrid cloud workloads. A race window during shared-memory segment destruction allows local attackers to corrupt kernel memory and achieve privilege escalation within the guest. CVSS score is 7.8 (Important). Microsoft has published patches; administrators must apply kernel updates immediately.
Microsoft released patches for CVE-2026-53225, a Linux kernel SCTP vulnerability that leaks uninitialized kernel memory through malformed ASCONF chunks. The flaw affects Azure Linux VMs with SCTP enabled and WSL2 deployments. Successful exploitation may expose encryption keys, credentials, or other sensitive kernel heap data. CVSS rating is 5.6 Medium; no active exploits reported but low attack complexity makes exploitation feasible.
Microsoft released patches for CVE-2026-53297, a high-severity flaw in the Azure MANA (Network Adapter) driver for Linux that causes kernel panics via NULL pointer dereference during power-management resume failures. The vulnerability affects Azure Linux VMs with Accelerated Networking enabled. An attacker with local access can trigger repeated crashes, causing denial of service and potential data loss.
Microsoft issued an advisory for CVE-2026-45850, a critical Linux kernel IPVS vulnerability affecting IPv6 checksum calculations. The flaw allows remote attackers to manipulate TCP, UDP, and SCTP checksums, enabling security bypasses and denial-of-service attacks in load-balanced environments. The vulnerability impacts Azure Linux workloads, WSL2 deployments, and systems running affected Linux kernels (4.15–6.6). Patches are available from kernel.org and Microsoft; immediate remediation is advised.
Linux kernel CVE-2025-10263, a critical TLB invalidation errata affecting ARM processors, impacts Microsoft Azure Cobalt 100 custom chips deployed in Azure infrastructure. The vulnerability allows local attackers to read sensitive memory or escalate privileges in multi-tenant cloud environments. Linux kernel 7.1.1 patch released June 19, 2026, requires immediate deployment across affected Azure Arm-based systems.
Microsoft disclosed CVE-2026-42015, a critical off-by-one memory corruption vulnerability in GnuTLS PKCS#12 parsing affecting Azure Kubernetes Service (AKS) hybrid nodes, Windows Subsystem for Linux (WSL), and containerized workloads. The flaw enables remote code execution when processing specially crafted certificate files. Patches are available via GnuTLS 3.8.9 and Windows Update, but administrators must update both host and all container/WSL instances to fully mitigate risk.
Microsoft Defender privilege-escalation vulnerability CVE-2026-50656 (RoguePlanet), exploiting a race condition, has public proof-of-concept code available enabling attackers to spawn processes with SYSTEM privileges on Windows systems. Microsoft acknowledged the flaw and is developing a patch.
- Microsoft Working on Patch for 'RoguePlanet' Zero-Day - Security(opens in a new tab)
- CVE-2026-50656 RoguePlanet Zero-Day Hits Windows Defender(opens in a new tab)
- Microsoft working on patch for RoguePlanet Defender zero-day (CV(opens in a new tab)
- Microsoft Confirms RoguePlanet Zero-Day Exploit Targeting Defend(opens in a new tab)
SearchLeak vulnerability in Microsoft 365 Copilot Enterprise enabled attackers to steal sensitive data via specially crafted URLs before Microsoft patched the flaw as CVE-2026-42824. The vulnerability allowed unauthorized access to confidential enterprise information.
Microsoft disabled at least 70 open-source GitHub repositories, many related to Azure cloud platform and AI development tools, after attackers compromised them to inject malicious code designed to steal developer credentials. The supply-chain attack affected projects including Claude Code, Gemini CLI, and VS Code extensions. Microsoft confirmed malware injection and notified a small number of affected customers who downloaded compromised code. This marks the second known GitHub compromise of Microsoft repositories within weeks.
CVE-2026-48567 is an elevation-of-privilege vulnerability in Azure HorizonDB, a preview PostgreSQL-compatible database for AI workloads. The flaw allows low-privilege users with credentialed access to escalate to administrative control, potentially exposing AI training data, vector indexes, and pipeline credentials. Microsoft disclosed the vulnerability via MSRC; preview service status may affect automatic patching availability. Affected organizations should immediately audit HorizonDB instances, rotate credentials, and revoke over-privileged service principals.
Security researcher Wahid Fayad discovered a dependency confusion vulnerability in Azure Portal assets on June 2, 2026. An internal Node.js package, FxInternal/NetDiagnostics, was not registered on the public NPM registry. After registering the unclaimed @fxinternal namespace and publishing a malicious package, the researcher confirmed remote code execution by triggering out-of-band callbacks from Microsoft-owned systems. Microsoft MSRC declined to treat the issue as a vulnerability, claiming the dependency was resolved internally and activity originated from automated security tooling. The package was later assigned GHSA-83×6-432q-hpcf with CVSS 9.3 (Critical) severity.
CVE-2026-32288, a high-severity denial-of-service vulnerability in Go's archive/tar package, impacts Azure Linux, Azure Kubernetes Service (AKS), and container registries. The flaw causes unbounded memory consumption when processing malicious tar archives, potentially crashing containerd and other container tools. Microsoft has released patches for Azure Linux and AKS node images, and active exploitation targeting container registries and CI/CD pipelines has been observed.
Multiple unpatched zero-day vulnerabilities in Microsoft Windows and Microsoft Defender are actively exploited in the wild. BlueHammer (CVE-2026-33825), RedSun, and UnDefend enable privilege escalation and defense evasion. Real-world intrusions have been observed using these exploits following public PoC disclosure, with attackers gaining SYSTEM privileges, deploying tunneling malware (BeigeBurrow), and establishing command-and-control connections from Russia, Singapore, and Switzerland. RedSun and UnDefend remain unpatched as of June 2026.
A critical local privilege escalation vulnerability, CVE-2026-40369, has been disclosed in the Windows kernel affecting Windows 11 versions 24H2 and 25H2, with advisories noting Windows Server 2025 may also be impacted. The flaw resides in ntoskrnl.exe within the ExpGetProcessInformation function, reachable via a single NtQuerySystemInformation syscall with information class 253; improper validation when the buffer length is zero allows an attacker to perform an arbitrary 12-byte kernel write (increment) primitive from any unprivileged context, including browser renderer sandboxes. Microsoft rated the vulnerability CVSS 7.8 (High) and addressed it in the May 2026 Patch Tuesday cumulative updates. Researcher Ori Nimron has published a full exploit package, and the exploit is confirmed publicly available, enabling reliable escalation to SYSTEM when chained with a kernel ASLR bypass. Azure workloads running Windows Server 2025 virtual machines or Windows 11-based environments are at risk until the May 2026 patches are applied. No configuration-based workaround is reported to fully remove the attack surface.
Microsoft patched CVE-2026-45659, a high-severity remote code execution vulnerability in SharePoint Server (CVSS 8.8), on May 21, 2026. The flaw stems from deserialization of untrusted data within Microsoft Office SharePoint and allows a network-based attacker to execute arbitrary code remotely on affected servers. Exploitation requires only a minimum of Site Member-level authenticated access — no elevated privileges — and carries low attack complexity with no user interaction needed. Affected products include SharePoint Server Subscription Edition (build 16.0.19725.20280), SharePoint Server 2019 (build 16.0.10417.20128), and SharePoint Enterprise Server 2016 (build 16.0.5552.1002). Microsoft currently assesses exploitation as "Less Likely" and no public proof-of-concept is known; however, the low exploitation barrier and SharePoint's history as a target for ransomware operators and nation-state actors make prompt patching a priority for organizations running on-premises deployments.
Security researcher Justin O'Leary publicly disclosed a privilege escalation flaw in Azure Backup for AKS that allowed a user holding only the low-privileged Backup Contributor role on a backup vault to obtain cluster-admin access on a target AKS cluster by abusing the Trusted Access relationship that Azure Backup automatically configured. The attack, classified as a Confused Deputy issue (CWE-441) between Azure RBAC and Kubernetes RBAC, let an attacker enable backup on a cluster, extract secrets through backup operations, or restore malicious workloads. Microsoft Security Response Center rejected the March 17, 2026 report as expected behavior requiring pre-existing admin access and recommended against CVE assignment, and CERT/CC subsequently closed its VU#284781 case under CNA hierarchy rules. The researcher reports that the original exploit path no longer works as of May 2026, with new permission checks and a requirement to manually configure Trusted Access before enabling backup, indicating a silent patch despite Microsoft stating no product changes were made. No CVE, advisory, or customer notification has been issued, leaving defenders without visibility into the exposure window for tenants that granted the Backup Contributor role before May 2026.
BitNinja has published an advisory describing CVE-2026-40411, a remote code execution vulnerability in Microsoft Azure Virtual Network Gateway. The flaw is rated critical with a reported CVSS score of 9.9 and is said to allow attackers to execute arbitrary code against the gateway component, which could enable unauthorized actions against connected workloads and disrupt network connectivity for affected tenants. The write-up urges administrators to apply the latest updates to Azure Virtual Network Gateway and related components, deploy a web application firewall, monitor authentication attempts for brute-force activity, and run malware detection on dependent servers. The source does not cite an official Microsoft Security Response Center bulletin or confirm in-the-wild exploitation, so the disclosure should be corroborated against Microsoft's advisory before patching decisions are finalized.
The FBI has issued a public warning about Kali365, a phishing-as-a-service platform first observed in April 2026 that targets Microsoft 365 users through device code phishing to bypass multi-factor authentication. Operators distribute the kit via Telegram and provide AI-generated phishing lures, automated campaign templates, real-time victim tracking dashboards, and OAuth token capture tooling, lowering the technical bar for attackers. Victims are lured into entering an attacker-supplied device code on a legitimate Microsoft verification page, which authorizes the attacker's device and yields OAuth access and refresh tokens for services such as Outlook, Teams, and OneDrive without requiring the user's password or further MFA prompts. The stolen tokens enable persistent access to Microsoft 365 and Entra ID-protected resources until they are revoked. The FBI has published guidance for users and organizations on defending against device code phishing.
CISA added two actively exploited Microsoft Defender vulnerabilities, CVE-2026-45498 and CVE-2026-41091, to its Known Exploited Vulnerabilities catalog on May 20, 2026, with a federal remediation deadline of June 3, 2026. CVE-2026-45498 is a denial-of-service flaw that can stop Microsoft Defender from functioning, allowing attackers to disable endpoint malware protection. CVE-2026-41091 is a link-following (CWE-59) vulnerability that lets a locally authorized attacker abuse symbolic-link handling to escalate to SYSTEM privileges. Microsoft has released patches for both flaws. CISA confirms exploitation in the wild but has not tied the activity to a specific ransomware campaign. Organizations using Microsoft Defender, including in Azure-managed environments, are urged to apply the updates immediately and review endpoint telemetry for tampering.
- CISA Issues Alert on Exploited Microsoft Defender Zero-Day Vulne(opens in a new tab)
- Microsoft patches pair of Microsoft Defender zero-days following(opens in a new tab)
- CISA Warns of Microsoft Defender 0-Day Vulnerabilities Exploited(opens in a new tab)
- Microsoft confirms two major Defender security issues — so updat(opens in a new tab)
- Microsoft Condemns "Uncoordinated" Zero Day Disclosures - Infose(opens in a new tab)
- GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse Aft(opens in a new tab)
Microsoft has disclosed an active cloud intrusion campaign by a threat actor it tracks as Storm-2949, which abuses compromised Microsoft Entra ID identities to exfiltrate data from Microsoft 365 and Azure environments. Initial access was obtained through social-engineering of high-value users into approving MFA prompts during Self-Service Password Reset flows, after which the attackers reset passwords, registered their own MFA devices, and locked out legitimate users. With privileged Entra ID access, Storm-2949 pivoted into Azure to abuse RBAC permissions against App Services, Key Vaults, Storage accounts, and SQL databases, including retrieving web app publishing profiles, modifying Key Vault access policies to extract secrets, and altering SQL firewall and storage settings to enable bulk data exfiltration. The actor also abused the Azure Instance Metadata Service for token theft, deployed ScreenConnect on Azure VMs via the VMAccess extension and Run Command, and attempted to disable Defender and clear logs. No CVE is involved; the campaign relies on legitimate cloud management features, so defenders are advised to harden SSPR and MFA approval workflows, tighten RBAC and Key Vault access policies, and monitor identity, cloud, and endpoint signals together.
- Hackers Exploit Entra ID Accounts to Steal Microsoft 365, Azure (opens in a new tab)
- Microsoft Exposes Storm-2949 Azure And M365 Breach(opens in a new tab)
- Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsof(opens in a new tab)
- Hackers Exploit Azure RBAC to Steal Key Vault Secrets(opens in a new tab)
A security researcher publicly disclosed what they describe as a critical cross-tenant access vulnerability in Microsoft Azure's identity and access management layer, claiming it allows traversal of tenant isolation boundaries to access resources belonging to other Azure customers without requiring victim-side misconfiguration. The researcher reports submitting full technical details and proof-of-concept code to the Microsoft Security Response Center, which closed the case as "by design" and declined to assign a CVE or issue an advisory. No patch, CVE identifier, or official Microsoft advisory has been published, and there are no reports of active exploitation. The disclosure highlights a recurring "silent fix" pattern in which similar cross-tenant issues have later been quietly remediated without acknowledgement, leaving customers without identifiers to track residual risk. Azure operators are advised to treat cross-tenant isolation as an untrusted boundary, supplement CVE-feed-based vulnerability management with direct monitoring of researcher disclosures, and review tenant-boundary controls in penetration testing scope.
Microsoft disclosed CVE-2026-41105 on May 7, 2026, a server-side request forgery flaw in the Azure Monitor Action Group notification system that allows an authenticated attacker to elevate privileges over the network (CVSS 8.1). No in-the-wild exploitation has been reported, and Microsoft has addressed the issue server-side per the MSRC advisory. Concurrently, Microsoft published CVE-2026-35428, a critical command-injection/spoofing vulnerability in Azure Cloud Shell that could permit arbitrary code execution within a victim's session and potential takeover of Azure subscriptions; mitigations were rolled out server-side with no customer action required. Both issues were included in Microsoft's May 2026 security update cycle. Azure customers should review MSRC guidance and audit Action Group and Cloud Shell usage for anomalous activity.
- CVE Alert: CVE-2026-41105 - Microsoft - Azure Monitor Action Gro(opens in a new tab)
- CVE-2026-35428: Azure Cloud Shell Critical Spoofing Fix—No Patch(opens in a new tab)
- CVE-2026-41105 and Azure Monitor Action Groups: When alerts beco(opens in a new tab)
- Microsoft security update summary's for May 2026 | OpenText Cyb(opens in a new tab)
- Windows 11 security update fixes critical Bing and Azure flaws(opens in a new tab)
- CVE-2026-43321: Linux BPF Verifier Register Liveness Bug Exposes(opens in a new tab)