โŒ

Normal view

Introducing Unit 42 Managed XSIAM 2.0

17 February 2026 at 12:01

24/7 Managed SOC Built for Tomorrow's Threats

The window for defense has collapsed, and most SOCs werenโ€™t built for the speed of todayโ€™s attacks. According to the 2026 Unit 42ยฎ Global Incident Response Report, some end-to-end attacks now unfold in under an hour. Attacks that used to take days or weeks now happen in minutes.

Most traditional SOC models are trapped in a cycle of alert overload, fragmented tools and limited engineering capacity that slow investigations and delay response. Traditional SIEM and MDR models were designed to react to alerts. They were not designed to continuously improve detections, correlations and response with threats that move at machine speed. Over time, that gap between attacker speed and defender capability keeps widening, and itโ€™s exactly why we built Unit 42 Managed XSIAM 2.0 (MSIAM).

Today marks the availability of the next evolution of our managed SOC offering โ€“ one that reflects how modern security operations must run in todayโ€™s threat landscape. MSIAM 2.0 is built on Cortex XSIAMยฎ, Palo Alto Networks SOC transformation platform, and operated by Unit 42 analysts, threat hunters, responders and SOC engineers who handle the most complex incidents in the world. With this solution, Unit 42 provides organizations with a 24/7 managed SOC that delivers continuous detection, investigation and full-cycle remediation across the entire attack surface while improving operations over time.

We donโ€™t just manage alerts. Unit 42 continuously engineers detections, correlations and response playbooks within XSIAM, refining them as attacker behavior evolves. This ongoing engineering ensures defenses improve over time, driven by real-world incidents and frontline threat intelligence, not static rules that quickly fall behind.

Why Managed XSIAM 2.0 Is Different

Elite SOC on Day One

We want SOC teams up and running as fast as possible. Experts lead onboarding, data mapping and configuration, and then your managed SOC team takes responsibility for operating and optimizing XSIAM on a day-to-day basis. The result is a SOC that improves over time without adding operational burden.

Every Threat Exposed

Unit 42 goes beyond reactive monitoring with continuous, proactive threat hunting across the entire attack surface. When a new threat is found in the wild, we produce threat impact reports that show how those techniques apply to each customerโ€™s environment. We then translate those insights into custom detections and automated response actions, while also monitoring and investigating the correlation rules your team creates. Both the global threat intelligence and your unique use cases are backed by our 24/7 analysis, closing gaps quickly and strengthening defenses over time.

We also now support both native and third-party EDR telemetry, so organizations can benefit from Unit 42 expertise and Cortexยฎ AI-driven analytics, regardless of the security technologies they use today. This enables customers to receive the strongest possible managed defense now, while creating a natural, low-friction path toward deeper platform consolidation as their environment evolves.

Machine-Speed Response

When incidents escalate, we donโ€™t just hand you a ticket; we take ownership. Collaborating with your team, we establish pre-authorized workflows to execute immediate responses across your entire environment, from endpoints and firewalls to identity and cloud. We pair the platformโ€™s native speed with expert oversight. By validating threat context and business impact, every response action is precise and safe, giving you the confidence to unleash full-cycle remediation. This allows MSIAM 2.0 to move seamlessly from detection to resolution with both velocity and precision.

And we stand behind our solution with a Breach Response Guarantee. If a complex incident strikes, you have the worldโ€™s best responders in your corner with up to 250 hours of Unit 42 Incident Response included. This built-in coverage removes the administrative hurdles of crisis response, enabling our experts to immediately transition from monitoring to deep forensic investigation and complete eradication, so you can focus on recovery.ย 

Proven in the Real World with the Green Bay Packers

Working with Unit 42 and the Cortex XSIAM platform, the Green Bay Packers modernized their security across a complex hybrid environment, demonstrating what Unit 42's managed services deliver in real-world operations. By consolidating telemetry and accelerating investigation and response, they reduced response times from hours to minutes, investigated 54% more alerts and saved over 120 hours of analyst time without adding headcount.

These outcomes reflect the key benefits of MSIAM: Unit 42 experts working to apply frontline intelligence as new attacker behavior emerges, translating it into reporting and tailored detections that improve response where it matters most. When a machine-speed platform is operated by experts handling real incidents every day, defenses continuously strengthen as threats evolve.

The Future of the SOC

Unit 42 MSIAM 2.0 helps your SOC operate as it should by combining AI-driven analytics and automation with expert-led operations and engineering. This combination provides teams with the confidence that their defenses are always on, always improving and ready when it matters most. Thatโ€™s the SOC that security leaders need today, and the one weโ€™re building for tomorrow.

MSIAM is now delivered through two service tiers, Pro and Premium. Organizations can start where they are and grow at their own pace. Pro provides AI-driven managed SOC operations with continuous detection, investigation and response. Premium extends into full-lifecycle SOC engineering, with designated experts and customized detections, automation and tailored response playbooks as your security maturity grows.

To learn more about Managed XSIAM 2.0, join us at Symphony 2026, a Palo Alto Networks premier virtual SOC event, where Unit 42 and Cortexยฎ experts will share frontline threat intelligence from the new 2026 Unit 42 Incident Response Report alongside real-world SOC transformation insights from organizations operating at machine speed.

The post Introducing Unit 42 Managed XSIAM 2.0 appeared first on Palo Alto Networks Blog.

2026 Unit 42 Global Incident Response Report โ€” Attacks Now 4x Faster

17 February 2026 at 12:00

AI-Accelerated Attacks, Identity-Enabled Breaches and Expanding Software Supply Chain Exposure Define the 2026 Cyberthreat Landscape

Each year, thousands of organizations experience a cyber incident. An incident can begin with a SOC alert, zero-day vulnerability, ransom demand or widespread business disruption. When the call comes, our global incident responders quickly mobilize to investigate, contain and eradicate the threat.

This yearโ€™s Unit 42ยฎ 2026 Global Incident Response Report analyzed over 750 major cyber incidents across every major industry in over 50 countries to reveal emerging patterns and lessons for defenders.

The data shows a clear shift in how attacks unfold. Threat actors are moving faster, increasingly leveraging identity and trusted connections, and expanding attacks across multiple attack surfaces. The accelerating speed, scale and complexity of these intrusions mean the window between initial access and business impact is shrinking. Most breaches, however, still succeed due to preventable gaps in visibility and security controls.

Key Findings Show Attacks Are Faster, Broader and Harder to Contain

As adversaries adapt their playbooks, the report highlights several defining trends shaping the 2026 threat landscape:

  • AI Is Compressing the Attack Timeline: In the fastest cases we investigated, attackers needed just 72 minutes to move from initial access to data exfiltration, 4X faster than last year. Weโ€™re seeing AI used in reconnaissance, phishing, scripting and operational execution, which enables machine-like speed at scale.
  • Identity Is Now a Primary Attack Vehicle: Identity weaknesses played a material role in nearly 90% of our investigations. More often than not, attackers arenโ€™t breaking in; theyโ€™re logging in with stolen credentials and tokens, and then exploiting fragmented identity estates to escalate privileges and move laterally without triggering traditional defenses.
  • Supply Chain Risk Now Drives Operational Disruption: In 23% of incidents, attackers leveraged third-party SaaS applications. By abusing trusted integrations, vendor tools and application dependencies, they bypassed traditional perimeters and expanded the impact well beyond a single system.
  • Attack Complexity Is Growing: We found that 87% of intrusions involved activity across multiple attack surfaces. Rarely does an attack stay in one environment. Instead, we see coordinated activity across endpoints, networks, cloud, SaaS and identity, forcing defenders to monitor across all of them at once.
  • The Browser Is a Primary Battleground: Nearly 48% of incidents included browser-based activity. This reflects how often modern attacks intersect with routine workflows, like email, web access and day-to-day SaaS use, turning normal user behavior into an attack vector.
  • Extortion Is Moving Beyond Encryption: Encryption-based extortion declined 15% from the year before, as more attackers skip encryption and move straight to data theft and disruption. From the attackerโ€™s perspective, itโ€™s faster, quieter and creates immediate pressure without the signals that defenders once relied on to detect ransomware attacks.

Attacks Succeed Because Exposure Still Beats Sophistication

Despite the speed and automation weโ€™re seeing, most of the incidents we respond to donโ€™t start with something radically new. They start with gaps that show up again and again. In many cases, attackers didnโ€™t rely on a sophisticated exploit, but on an overlooked exposure.

  • Environmental Complexity Undermining Defenses: In over 90% of the incidents we investigated, misconfigurations or gaps in security coverage materially enabled the attack. A big driver of that is tool sprawl. Many organizations are running 50 or more security products, making it extremely difficult to deploy controls consistently or clearly understand what their data is telling them.
  • Visibility Gaps Delay Detection: In many engagements, the signals were there. When we look back forensically, the evidence is in the logs. But during the attack, teams had to stitch together data from multiple disconnected sources, slowing detection during the most critical early minutes.
  • Excessive Trust Expands Impact: Once attackers gain a foothold, overly permissive access and unmanaged tokens frequently let them move farther than they should. We repeatedly see identity trust relationships turn a single compromised account into broad lateral movement and privilege escalation.

Attackers are evolving their tools and tactics, but they still win most often from exploited complexity, limited visibility and excessive trust inside modern enterprise environments.

Recommendations for Security Leaders and Defenders

Across more than 750 frontline investigations, three priorities come up again and again in conversations with CISOs and security teams.

  • Reduce Exposure: Many of the attacks we see begin in places teams didnโ€™t realize were exposed โ€“ third-party integrations, unmanaged SaaS connections or everyday browser activity. Reducing exposure means securing the full application ecosystem and treating trusted connections with the same scrutiny as core infrastructure.
  • Reduce Area of Impact: Once attackers get in, the difference between a contained incident and a major disruption often comes down to identity. Tightening identity and access management while removing unnecessary trust limits how far an attacker can move and how much damage they can cause.
  • Increase Response Speed: What happens in the first minutes after initial access can determine whether an incident becomes a breach. Security teams need the visibility to see whatโ€™s happening across environments and the ability to use AI to detect, identify and prioritize what matters, so the SOC can contain threats at machine speed, faster than the adversary can move.

Conclusion

Every investigation tells a story. How the attacker got in. How quickly they moved. What made the impact worse. Across hundreds of these cases, patterns emerge. Unit 42 operates 24 hours a day, 7 days a week on the frontlines of these incidents, and each year we distill what we learn into practical guidance. The goal of this report is to turn those frontline lessons into decisions that help you close the gaps that attackers still rely on and stop incidents before they become breaches.

Stay informed. Read the 2026 Unit 42 Global Incident Response Report and download the Executive Resource Kit.

The post 2026 Unit 42 Global Incident Response Report โ€” Attacks Now 4x Faster appeared first on Palo Alto Networks Blog.

Happy 9th Anniversary, CTA: A Celebration of Collaboration in Cyber Defense

24 January 2026 at 01:00

Unit 42 celebrates 9 years of the Cyber Threat Alliance, tracing its journey from a bold idea to a global leader in collaborative cyber defense.

The post Happy 9th Anniversary, CTA: A Celebration of Collaboration in Cyber Defense appeared first on Unit 42.

Unit 42 Incident Response Retainer for AWS Security Incident Response

2 December 2025 at 14:00

Palo Alto Networks Unit 42 and AWS Announce Expanded Collaboration, Launching No-Cost Retainer for AWS Security Incident Response available in AWS Marketplace

Speed is everything in todayโ€™s security landscape. From Unit 42ยฎโ€™s frontline experience responding to more than 500 incidents last year, we've seen that in nearly one in five incidents, attackers go from initial compromise to data exfiltration in less than an hour. It leaves almost no time to react.

The challenge is compounded by the distributed nature of the modern IT environment; cyberattacks are rarely confined to one location. In fact, 70 percent of incidents now span three or more attack surfaces, from endpoints and networks to multiple cloud environments. This complexity increases vulnerabilities, which is a key reason why 86 percent of major incidents disrupt business operations.

When a breach moves at this speed and crosses complex silos, an enterprise has two immediate, critical needs:

  1. Rapid, integrated expertise to contain the threat at its source within the cloud.
  2. Holistic, end-to-end investigation to determine the full scope of the attack, tracing the attacker's path wherever it leads, across all systems and environments.

The No-Cost Unit 42 IR Retainer Available on AWS Marketplace

Recognizing customers need a faster, more comprehensive incident response strategy in the cloud, Palo Alto Networks Unit 42 is expanding our partnership with Amazon Web Services (AWS) Security Incident Response service. The collaboration introduces a no-cost Unit 42 Incident Response Retainer, which is now available to qualified customers in AWS Marketplace. Our value-added offer provides qualified customers with rapid access to Unit 42โ€™s world-class investigative expertise and dramatically minimizes the critical time between an alert and full containment.

For qualified customers, here's what the no-cost Unit 42 Incident Response Retainer offers:

  • 250 hours of initial Unit 42 Incident Response services at no cost.
  • A 2-hour response time agreement for incident response.
  • 24/7/365 access to the Unit 42 Incident Response team.

As an AWS Security Incident Response Service Ready partner, this collaboration is designed to deliver seamless, end-to-end incident response and proactive security services. By combining Unit 42โ€™s deep experience in managing complex, legally privileged investigations with the rapid engagement of AWS Security Incident Response, organizations can resolve critical incidents faster and more comprehensively.

Unit 42 also offers preferred pricing to AWS Security Incident Response customers for proactive services through paid retainer offerings, also available in AWS Marketplace.

Hart Rossman, Vice President of Global Services Security, AWS:

When cyberattacks move at cloud speed, customers need immediate access to comprehensive expertise. By integrating Unit 42's end-to-end investigative capabilities with AWS Security Incident Response, we're delivering a unified response that helps customers contain threats faster and minimize business disruption. The no-cost retainer ensures they can activate the full scope of resources they need within minutes, not hours.

Effective response to a cloud breach demands deep technical skill and the ability to manage complexity under pressure. Unit 42 excels at managing high-stakes incidents. By coupling our expertise with AWS Security Incident Responseโ€™s capabilities to prepare, respond and recover from security incidents, Unit 42 offers customers a unified defense. Streamlining the entire process, from initial alert to final resolution, allows organizations to get back to business faster and limit operational disruption.

A Unified Front Against Complex Cloud Incidents

The collaboration is designed to solve a critical customer problem: Reduce the time and complexity of responding to incidents that span both AWS resources and the broader enterprise.

The combined offering delivers three key benefits, providing customers with a holistic and agile defense strategy:

  • Comprehensive Investigation: Unit 42โ€™s expertise enables an investigation across multiple environments, including endpoints, networks and other enterprise data sources, complementing AWSโ€™s incident response technologies and expertise.
  • Rapid, 24/7 Access to Experts: AWS Security Incident Response provides direct, 24/7 access to the AWS Customer Incident Response Team (CIRT), capable of engaging within minutes. Unit 42 is skilled at serving in the incident command role, coordinating efforts among internal stakeholders, other forensic and recovery vendors, as well as legal counsel.
  • Response Readiness with No-Cost Retainer: The offering removes the typical administrative and procurement overhead of incident response engagements. The added value ensures qualified customers can activate the full resources of Unit 42 instantly, often at the direction of counsel.

Availability

The Unit 42 Incident Response and proactive service offerings are available in AWS Marketplace today. More information on the partnership will be shared during AWS re:Invent 2025 (December 1-5, 2025).

To learn more, visit the Unit 42 listing available in AWS Marketplace.

The post Unit 42 Incident Response Retainer for AWS Security Incident Response appeared first on Palo Alto Networks Blog.

Patch Tuesday, January 2026 Edition

14 January 2026 at 01:47

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoftโ€™s most-dire โ€œcriticalโ€ rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

Januaryโ€™s Microsoft zero-day flaw โ€” CVE-2026-20805 โ€” is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a userโ€™s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.

โ€œBy revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,โ€ Breen said. โ€œMicrosoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defendersโ€™ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.โ€

Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported and extended security update supported versions of the Windows OS. Goettl said it would be a mistake to dismiss the severity of this flaw based on its โ€œImportantโ€ rating and relatively low CVSS score.

โ€œA risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,โ€ he said.

Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Our October 2025 Patch Tuesday โ€œEnd of 10โ€ roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.

โ€œThatโ€™s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,โ€ Barnett said. โ€œTodayโ€™s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.โ€

According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying โ€œliving off the land[line] by exploiting an entire class of dusty old device drivers?โ€

โ€œAlthough Microsoft doesnโ€™t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,โ€ Barnett said. โ€œIn case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.โ€

Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination youโ€™re working with, since incorrect remediation steps can lead to an unbootable system.

โ€œFifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,โ€ Barnett said. โ€œMicrosoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.โ€

Goettl noted that Mozillaย has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

โ€œExpect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),โ€ Goettl said.

As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that donโ€™t quite play nice with everything. If you experience any issues related installing Januaryโ€™s patches, please drop a line in the comments below.

Why iPhone users should update and restart their devices now

13 January 2026 at 13:55

If you were still questioning whether iOS 26+ is for you, now is the time to make that call.

Why?

On December 12, 2025, Apple patched two WebKit zeroโ€‘day vulnerabilities linked to mercenary spyware and is now effectively pushing iPhone 11 and newer users toward iOS 26+, because thatโ€™s where the fixes and new memory protections live. These vulnerabilities were primarily used in highly targeted attacks, but such campaigns are likely to expand over time.

WebKit powers the Safari browser and many other iOS applications, so itโ€™s a big attack surface to leave exposed and isnโ€™t limited to โ€œriskyโ€ behavior. These vulnerabilities allowed an attacker to execute arbitrary code on a device after exploitation via malicious web content.

Apple has confirmed that attackers are already exploiting these vulnerabilities in the wild, making installation of the update a highโ€‘priority security task for every user. Campaigns that start with diplomats, journalists, or executives often lead to tooling and exploits leaking or being repurposed, so โ€œIโ€™m not a targetโ€ is not a viable safety strategy.โ€‹

Due to public resistance to new features like Liquid Glass, many iPhone users have not yet upgraded to iOS 26.2. Reports suggest adoption of iOS 26 has been unusually slow. As of January 2026, only about 4.6% of active iPhones are on iOS 26.2, and roughly 16% are on any version of iOS 26, leaving the vast majority on older releases such as iOS 18.

However, Apple only ships these fixes and newer protections, such as Memory Integrity Enforcement, on iOS 26+ for supported devices. Users on older, unsupported devices wonโ€™t be able to access these protections at all.

Another important factor in the upgrade cycle is restarting the device. What many people donโ€™t realize is that when you restart your device, any memory-resident malware is flushedโ€”unless it has somehow gained persistence, in which case it will return. High-end spyware tools tend to avoid leaving traces needed for persistence and often rely on users not restarting their devices.

Upgrading requires a restart, which makes this a win-win: you get the latest protections, and any memory-resident malware is flushed at the same time.

For iOS and iPadOS users, you can check if youโ€™re using the latest software version, go to Settings > General > Software Update. Itโ€™s also worth turning on Automatic Updates if you havenโ€™t already. You can do that on the same screen.

How to stay safe

The most important fixโ€”however painful you may find itโ€”is to upgrade to iOS 26.2. Not doing means missing an accumulating list of security fixes, leaving your device vulnerable to more and more newly found vulnerabilities.

ย But here are some other useful tips:

  • Make it a habit to restart your device on a regular basis. The NSA recommends doing this weekly.
  • Do not open unsolicited links and attachments without verifying with the trusted sender.
  • Remember, Apple threat notifications will never ask users to click links, open files, install apps or ask for account passwords or verification code.
  • For Apple Mail users specifically, these vulnerabilities create risk when viewing HTML-formatted emails containing malicious web content.
  • Malwarebytes for iOS can help keep your device secure, with Trusted Advisor alerting you when important updates are available.
  • If you are a high-value target, or you want the extra level of security, consider using Appleโ€™s Lockdown Mode.

We donโ€™t just report on phone securityโ€”we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices byย downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Microsoft Patch Tuesday, December 2025 Edition

10 December 2025 at 00:18

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024. According to Satnam Narang at Tenable, this year marks the second consecutive year that Microsoft patched over one thousand vulnerabilities, and the third time it has done so since its inception.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions. The weakness resides in a component called the โ€œWindows Cloud Files Mini Filter Driverโ€ โ€” a system driver that enables cloud applications to access file system functionalities.

โ€œThis is particularly concerning, as the mini filter is integral to services like OneDrive, Google Drive, and iCloud, and remains a core Windows component, even if none of those apps were installed,โ€ said Adam Barnett, lead software engineer at Rapid7.

Only three of the flaws patched today earned Microsoftโ€™s most-dire โ€œcriticalโ€ rating: Both CVE-2025-62554 and CVE-2025-62557 involve Microsoft Office, and both can exploited merely by viewing a booby-trapped email message in the Preview Pane. Another critical bug โ€” CVE-2025-62562 โ€” involves Microsoft Outlook, although Redmond says the Preview Pane is not an attack vector with this one.

But according to Microsoft, the vulnerabilities most likely to be exploited from this monthโ€™s patch batch are other (non-critical) privilege escalation bugs, including:

โ€“CVE-2025-62458 โ€” Win32k
โ€“CVE-2025-62470 โ€” Windows Common Log File System Driver
โ€“CVE-2025-62472 โ€” Windows Remote Access Connection Manager
โ€“CVE-2025-59516 โ€” Windows Storage VSP Driver
โ€“CVE-2025-59517 โ€” Windows Storage VSP Driver

Kev Breen, senior director of threat research at Immersive, said privilege escalation flaws are observed in almost every incident involving host compromises.

โ€œWe donโ€™t know why Microsoft has marked these specifically as more likely, but the majority of these components have historically been exploited in the wild or have enough technical detail on previous CVEs that it would be easier for threat actors to weaponize these,โ€ Breen said. โ€œEither way, while not actively being exploited, these should be patched sooner rather than later.โ€

One of the more interesting vulnerabilities patched this month is CVE-2025-64671, a remote code execution flaw in the Github Copilot Plugin for Jetbrains AI-based coding assistant that is used by Microsoft and GitHub. Breen said this flaw would allow attackers to execute arbitrary code by tricking the large language model (LLM) into running commands that bypass the userโ€™s โ€œauto-approveโ€ settings.

CVE-2025-64671 is part of a broader, more systemic security crisis that security researcher Ari Marzuk has branded IDEsaster (IDEย  stands for โ€œintegrated development environmentโ€), which encompasses more than 30 separate vulnerabilities reported in nearly a dozen market-leading AI coding platforms, including Cursor, Windsurf, Gemini CLI, and Claude Code.

The other publicly-disclosed vulnerability patched today is CVE-2025-54100, a remote code execution bug in Windows Powershell on Windows Server 2008 and later that allows an unauthenticated attacker to run code in the security context of the user.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS Internet Storm Center. As always, please leave a note in the comments if you experience problems applying any of this monthโ€™s Windows patches.

Why You Got Hacked โ€“ 2025 Super Edition

By: BHIS
19 November 2025 at 18:50

This article was written to provide readers with an overview of a selection of our pentest results from the last 15 months. This data was gathered toward the end of September 2025. Shockingly, the data does not differ much from our prior analyses conducted at the end of 2022 or 2023.

The post Why You Got Hacked โ€“ 2025 Super Edition appeared first on Black Hills Information Security, Inc..

Proxying Your Way to Code Execution โ€“ A Different Take on DLL Hijackingย 

By: BHIS
26 September 2024 at 17:00

While DLL hijacking attacks can take on many different forms, this blog post will explore a specific type of attack called DLL proxying, providing insights into how it works, the potential risks it poses, and briefly the methodology for discovering these vulnerable DLLs, which led to the discovery of several zero-day vulnerable DLLs that Microsoft has acknowledged but opted to not fix at this time.

The post Proxying Your Way to Code Execution โ€“ A Different Take on DLL Hijackingย  appeared first on Black Hills Information Security, Inc..

Persistence โ€“ Visual Studio Code Extensions

4 March 2024 at 07:19
It is not uncommon developers or users responsible to write code (i.e. detection engineers using Sigma) to utilize Visual Studio Code as their code editor.โ€ฆ

Continue reading โ†’ Persistence โ€“ Visual Studio Codeย Extensions

Persistence โ€“ Disk Clean-up

29 January 2024 at 06:59
Disk Clean-up is a utility which is part of Windows operating systems and can free up hard drive disk space by deleting mainly cache andโ€ฆ

Continue reading โ†’ Persistence โ€“ Diskย Clean-up

Persistence โ€“ Event Log

8 January 2024 at 08:21
Windows Event logs are the main source of information for defensive security teams to identify threats and for administrators to troubleshoot errors. The logs areโ€ฆ

Continue reading โ†’ Persistence โ€“ Eventย Log

POGS at Wild West Hackinโ€™ Fest!ย 

Ean Meyer // This post is for attendees of Wild West Hackinโ€™ Fest: Deadwood 2022 POGs? Yes, POGs! If you arenโ€™t familiar with POGs, this game started decades ago, reaching [โ€ฆ]

The post POGS at Wild West Hackinโ€™ Fest!ย  appeared first on Black Hills Information Security, Inc..

โŒ