Daily Digest

Microsoft just dropped a bombshell for June 2026: nearly 200 security holes patched in a single Patch Tuesday. That’s a record-breaking number, and it’s not just about volume—three dozen of these bugs are rated “critical,” and exploit code is already out in the wild for at least three of them. If you’re using Windows or any Microsoft software, you’re in the crosshairs. This isn’t a drill. Attackers have a head start, and with AI supercharging bug discovery, this flood of patches might be your new normal. The clock is ticking—update now or risk being the next headline.

**What exactly happened** Microsoft released its June 2026 Patch Tuesday update, fixing a staggering 190 vulnerabilities across Windows and supported software. That’s the highest number ever for a single monthly cycle. Among these, 35 flaws earned the dreaded “critical” rating, meaning they could let attackers take full control of your system without any user interaction. Worse still, exploit code for at least three of these bugs is already publicly available. That’s a red alert for anyone running unpatched systems. **Who is affected and how** Every Windows user is affected—from individual consumers to massive enterprise networks. The zero-day vulnerabilities are especially dangerous. One, CVE-2026-49160, is a denial of service flaw in web servers like Microsoft Internet Information Services (IIS). Another pair, reported by a researcher using the alias “Nightmare Eclipse,” includes the “GreenPlasma” exploit, which targets core Windows components. If you host websites, run internal apps, or rely on Windows Server, your attack surface just expanded dramatically. **The real-world impact and consequences** This isn’t just a numbers game. Public exploit code means even low-skill attackers can weaponize these flaws. Ransomware gangs, data thieves, and state-sponsored hackers are likely already scanning for vulnerable systems. A successful exploit could lead to system crashes, data theft, or full remote control—potentially crippling businesses and exposing sensitive information. For IT teams, this patch cycle is a nightmare of prioritization. With so many critical fixes, the risk of missing one is high. And with AI now accelerating bug discovery, this volume may become routine, not exceptional. **Technical breakdown (explain the “how” simply)** AI is the game-changer here. Microsoft and security researchers are using artificial intelligence tools to hunt for vulnerabilities faster than ever before. Satnam Narang from Tenable notes that 90% of security professionals now use AI, meaning more bugs are found—and patched—each month. The zero-days are a mix of classic attack vectors. The IIS denial of service bug, for example, can be triggered by sending specially crafted network requests, overwhelming the server until it crashes. The “GreenPlasma” exploit likely abuses a memory handling flaw, letting attackers inject malicious code into trusted processes. **What should be done — mitigation and recommendations** First, apply this month’s patches immediately. Prioritize the critical and zero-day fixes. If you’re an IT admin, use automated patch management tools to deploy updates across your network without delay. Back up your data before updating—just in case a patch causes unexpected issues. And don’t forget third-party software: Google Chrome also patched 429 vulnerabilities this month. Restart your browser after updates to activate the fixes. For home users, enable automatic Windows updates. For businesses, segment your network to limit the blast radius of any successful exploit. **Why this matters in the bigger cybersecurity landscape** This Patch Tuesday is a wake-up call. AI is democratizing vulnerability discovery, which is a double-edged sword. While it helps defenders find and fix bugs faster, it also arms attackers with a steady stream of new exploits. We’re entering an era where patch fatigue is real, and the window between disclosure and exploitation is shrinking. The only defense is speed and discipline. If you’re not updating within days—not weeks—you’re gambling with your security. The message is clear: adapt to this new pace, or get left behind.

A new ransomware crew called The Gentlemen is shaking up the cybercrime underworld—and they're paying their affiliates like rockstars. With a jaw-dropping 90/10 revenue split in favor of affiliates (industry standard is 80/20), they've rocketed to become the second most active ransomware group by victim count this year. But here's the twist: security researchers have uncovered clues pointing to the group's mysterious admin, a figure known as Zeta88 (formerly Hastalamuerte). And they're using AI to supercharge their attacks. If your organization relies on VPNs or firewalls, you're in their crosshairs.

**What exactly happened** The Gentlemen ransomware group has exploded onto the scene, claiming at least 332 victims since mid-2025. Check Point Software researchers tracked their rapid rise, noting over 240 victims in 2026 alone. That's a staggering pace for a group that didn't exist two years ago. Their secret weapon? A 90/10 affiliate revenue split. In the ransomware-as-a-service (RaaS) model, affiliates do the dirty work of spreading malware, and the group takes a cut. The Gentlemen flipped the script, offering affiliates 90% of every ransom paid. That's a massive incentive for experienced hackers to jump ship from rival programs. **Who is affected and how** The group targets Internet-facing devices—specifically VPNs and firewalls. Once inside, they move fast, encrypting entire networks within hours. Think about that: a single compromised VPN credential can lead to a full network lockdown before your IT team even notices. Check Point identified the group's admin as Zeta88, active on Russian-language cybercrime forums. They linked this persona to a previous alias, Hastalamuerte. But the real bombshell came from PRODAFT, a threat intelligence firm that matched the same persona with "high confidence." They found Zeta88 supplies affiliates with initial access—primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or pulled from the group's own leak database. **The real-world impact and consequences** This isn't just another ransomware crew. The Gentlemen are changing the economics of cybercrime. By offering better affiliate splits, they're attracting top talent from established groups. That means more sophisticated attacks, faster encryption, and higher ransom demands. For victims, the consequences are brutal. A single breach can shut down operations for days or weeks. Recovery costs can run into millions. And with AI in the mix, attacks are becoming harder to detect and defend against. **Technical breakdown** Here's how it works: The admin (Zeta88) provides affiliates with pre-compromised VPN credentials. Affiliates then deploy the ransomware, which encrypts files and demands payment. The 90/10 split means affiliates keep most of the loot, incentivizing them to hit more targets. But the real innovation is AI. PRODAFT discovered the admin is using artificial intelligence to develop and maintain the ransomware, as well as to assist with post-exploitation activity. That means automated vulnerability scanning, smarter evasion techniques, and faster lateral movement across networks. **What should be done — mitigation and recommendations** First, patch your VPNs and firewalls. The Gentlemen are exploiting known vulnerabilities in Fortinet SSL-VPNs. If you haven't updated your firmware, do it now. Second, enable multi-factor authentication (MFA) on all Internet-facing devices. A single password isn't enough anymore. Third, monitor for brute-force attacks. If you see repeated login attempts from unknown IPs, that's a red flag. Finally, have an incident response plan. Assume you'll be targeted. Practice your response. Back up critical data offline. **Why this matters in the bigger cybersecurity landscape** The Gentlemen represent a new breed of ransomware group: agile, AI-powered, and aggressively recruiting. Their 90/10 split is a game-changer, forcing other groups to compete or lose their best affiliates. But the bigger story is AI. If ransomware groups can automate attack development and post-exploitation, the threat landscape shifts dramatically. Attacks become faster, cheaper, and harder to stop. For defenders, this means adapting. Traditional signature-based detection won't cut it. You need behavioral analytics, AI-driven threat hunting, and a zero-trust architecture. The Gentlemen aren't just a new group—they're a warning. The next wave of ransomware is here, and it's smarter than ever.

Novo Nordisk, the pharmaceutical giant behind Ozempic and Wegovy, just disclosed a data breach that hit its clinical trials. Attackers swiped patient data and healthcare professional information from internal systems. This isn't just another corporate leak. It puts trial participants at risk of targeted phishing and exposes sensitive health data. If you're a patient or a doctor linked to Novo Nordisk trials, you need to pay attention now.

**What exactly happened** Novo Nordisk revealed on Thursday that attackers broke into its internal IT systems. They stole data from clinical trials, including patient IDs, trial participation details, sex, year of birth, biomarkers, health data, and lifestyle factors like smoking and alcohol use. The company says the data is pseudonymized, meaning patient names weren't directly exposed. But healthcare professionals weren't so lucky. Their names, registration numbers, emails, phone numbers, WhatsApp details, and office locations were all compromised. **Who is affected and how** Patients in clinical trials are the primary victims here. While Novo Nordisk claims the data can't identify them by name, the sheer volume of sensitive health information could still be weaponized. Think targeted scams or even blackmail attempts. Healthcare professionals face a more immediate threat. With contact details exposed, they're prime targets for phishing attacks. Novo Nordisk itself warned them to watch for fake messages impersonating colleagues or authorities. **The real-world impact and consequences** This breach hits at the heart of medical research trust. Clinical trials rely on patient confidentiality. Any erosion of that trust could slow down critical drug development, especially for blockbuster drugs like Wegovy and Ozempic. For healthcare professionals, the fallout could be career-damaging. Phishing attacks targeting doctors could lead to credential theft, ransomware, or even patient data leaks from their own systems. **Technical breakdown** Novo Nordisk hasn't revealed the attack vector yet. But the fact that attackers accessed "internal IT systems" suggests either a phishing campaign, a vulnerability exploit, or a compromised third-party tool. The company took those systems offline to contain the damage. The pseudonymized patient data is a double-edged sword. It's not directly identifiable, but with enough cross-referencing (like linking lifestyle factors to rare conditions), attackers might still piece together identities. That's a slow-burn risk. **What should be done — mitigation and recommendations** Patients in Novo Nordisk trials should monitor for unusual communications. If anyone contacts you claiming to be from the company or a research partner, verify through official channels before sharing anything. Healthcare professionals need to be hyper-vigilant. Enable multi-factor authentication on all accounts. Watch for phishing attempts via email, phone, or WhatsApp. Report any suspicious messages to your IT security team immediately. Novo Nordisk must accelerate its investigation and be transparent about the breach timeline and scale. They should offer credit monitoring or identity theft protection to affected individuals. **Why this matters in the bigger cybersecurity landscape** This breach is a wake-up call for the entire pharmaceutical industry. Clinical trial data is a goldmine for attackers, combining valuable health information with professional contacts. As drug companies digitize more of their research, they become bigger targets. Novo Nordisk's size and global reach make it a high-profile case, but smaller firms should take note too. The cost of a breach here isn't just financial—it's about patient safety and scientific progress.

If you’re an IT admin who’s been tearing your hair out over failed Windows updates since May 2025, Microsoft just handed you a fix. The culprit? A bug in the Windows Update Standalone Installer (WUSA) that blocked updates when run from a network share—a common move in enterprise environments. This wasn’t a random glitch. It hit Windows 11 24H2/25H2 and Windows Server 2025, making updates fail with the cryptic “ERROR_BAD_PATHNAME” error. Home users were mostly spared, but for businesses relying on WUSA to deploy patches, it was a silent productivity killer. Now, with the June 2026 Patch Tuesday updates, the fix is finally live.

**What exactly happened** Microsoft quietly fixed a known issue that had been plaguing Windows updates since May 2025. The bug struck when IT admins used the Windows Update Standalone Installer (WUSA) to install .msu files from a network share containing multiple updates. Instead of a smooth deployment, users hit the “ERROR_BAD_PATHNAME” error—a frustrating roadblock that made patches impossible to apply. The problem first surfaced after the KB5058499 update on May 28, 2025. Microsoft acknowledged it in August 2025, but a full fix didn’t arrive until the June 2026 Patch Tuesday cumulative updates (KB5079391 for Windows 11, KB5094125 for Windows Server 2025). That’s over a year of workarounds for affected organizations. **Who is affected and how** This bug specifically targeted enterprise networks. WUSA isn’t a tool home users typically touch—it’s a command-line workhorse for IT pros deploying updates across multiple machines. Windows 11 24H2, 25H2, and Windows Server 2025 devices were the primary victims. If you were running a single .msu file or storing updates locally, you were safe. The chaos only erupted when multiple .msu files lived on a network share. **The real-world impact and consequences** For businesses, this meant delayed security patches, compliance headaches, and wasted IT hours troubleshooting. Imagine a sysadmin trying to push critical updates to hundreds of machines, only to watch each one fail. The error wasn’t just annoying—it left systems exposed to vulnerabilities that those updates were meant to fix. Microsoft did roll out a temporary mitigation for home and non-managed devices via a Known Issue Rollback in September 2025, but enterprise admins were left waiting. **Technical breakdown** The issue boiled down to how WUSA handled file paths. When pointed to a network share with multiple .msu files, the installer choked on the pathname, triggering ERROR_BAD_PATHNAME. It wasn’t a security flaw—more of a logic bug in the update deployment pipeline. Microsoft’s fix, embedded in the June 2026 cumulative updates, corrected the path resolution logic. For those still on older updates, the workaround is simple: save .msu files locally before running WUSA. **What should be done** If you’re running affected systems, install the June 2026 cumulative updates immediately. For those stuck on pre-fix builds, copy .msu files to a local drive before installing. Also, after a WUSA install, wait 15 minutes before checking Update History—Microsoft warns the Settings app may lag in reporting success. This isn’t just about convenience; it’s about closing a gap that could let attackers slip through unpatched systems. **Why this matters in the bigger cybersecurity landscape** This fix highlights a recurring theme: enterprise update mechanisms are fragile. WUSA is a legacy tool, but it’s still critical for many IT workflows. Bugs like this remind us that even trusted deployment pipelines can fail, creating windows of exposure. Microsoft’s slow response—over a year from discovery to fix—also raises questions about patch management agility. For CISOs, it’s a wake-up call to diversify update methods and test deployment scenarios. In a world where zero-days grab headlines, it’s the silent, mundane bugs that often cause the most damage.

Over 73,000 French government employees just had their work chat data stolen in a breach of Tchap, the state’s official encrypted messaging platform. The attacker got in using a compromised user account and walked away with names, emails, and even 13.5GB of files. But here’s the twist: private conversations stayed safe. The real damage came from public chat rooms, which aren’t encrypted by design. If you work in the French public sector and use Tchap for team discussions, your personal info may now be in the hands of a threat actor who’s already sharing samples online.

**What exactly happened** The French government’s digital affairs directorate, DINUM, confirmed a breach of Tchap—the official encrypted messaging app for public sector employees. A threat actor used a stolen user account to access the platform, scraping data from public chat rooms over an unknown period. DINUM notified France’s data protection authority (CNIL) and later revealed that over 73,000 accounts were affected, out of 825,000 registered users. A threat actor quickly claimed responsibility, sharing stolen file samples and boasting about scraping nearly 650,000 messages. They also allegedly grabbed 13.5GB of documents and media files, plus hardcoded LDAP credentials from a leaked PowerShell script. **Who is affected and how** The breach impacts around 9% of all registered Tchap users—specifically those who participated in public, unencrypted chat rooms. Affected employees work across the French public sector, from local agencies to national ministries. Their names, email addresses, avatar images, and employer organizations were exposed. Private one-on-one conversations remained encrypted and untouched. But the attacker harvested everything shared in open forums, including meeting links and account metadata. For employees who used public channels to discuss work logistics, this is a serious privacy leak. **The real-world impact and consequences** This isn’t just a data spill—it’s a national security headache. With 73,000 government employees’ identities and organizational affiliations exposed, the risk of targeted phishing or social engineering attacks skyrockets. The stolen LDAP credentials could also open doors to deeper network intrusions. The breach comes just months after Tchap became the default work messaging app for all French civil servants in August 2025. Trust in the platform—built with ANSSI, France’s top cybersecurity agency—is now shaken. For a tool designed to secure government communications, this is a major reputational blow. **Technical breakdown** Tchap is built on the Matrix protocol, an open standard for decentralized, real-time communication. While it offers end-to-end encryption for private chats, public rooms are intentionally left unencrypted to allow open collaboration. The attacker exploited this design choice, using a compromised account to scrape all visible data from those rooms. The method? Likely automated scraping via Matrix’s API, which allows authorized users to fetch room history. The stolen data included not just messages but also file attachments and metadata. The hardcoded LDAP credentials found in a PowerShell script suggest the attacker may have probed deeper into internal systems. **What should be done — mitigation and recommendations** DINUM has already blocked the compromised account and launched an in-depth analysis. But affected employees should immediately reset passwords and enable multi-factor authentication on all work accounts. Organizations should review public chat room policies and consider limiting access to sensitive discussions. For the wider public sector, this is a wake-up call to audit how encryption is applied across collaboration tools. Public rooms may be convenient, but they’re not secure. The CNIL will likely push for stricter data handling rules, and users should expect mandatory security training updates. **Why this matters in the bigger cybersecurity landscape** The Tchap breach highlights a recurring blind spot: even encrypted platforms have unencrypted corners. As governments push for sovereign messaging apps, they must balance openness with security. This incident also underscores the human factor—a single compromised account can unravel months of security design. With a teenager arrested in May for a separate French government data theft, the pattern is clear: state systems are prime targets. For cybersecurity professionals, this is a reminder that encryption is only as strong as the weakest link—and sometimes, that link is a public chat room.

A Japanese energy giant just lost a hard drive containing the personal data of nearly 11 million customers. Kyushu Electric Power Co. reported that a physical backup drive, used to manage server storage, vanished from a locked cabinet in late May. The company suspects theft, but the drive—and the sensitive information on it—remains missing. If you live in the Kyushu region of Japan, your name, address, and electricity usage data could be in the wind. This isn't just a lost USB stick. It’s a stark reminder that even the most advanced digital defenses can be undone by a single unlocked cabinet. The risk here is real: identity theft, targeted phishing scams, and even physical security threats if location data falls into the wrong hands. For now, the company is scrambling to notify 10.9 million affected customers, but the clock is ticking.

**What exactly happened** On April 27, Kyushu Electric Power’s IT staff used an external hard drive to back up customer data due to server storage limits. They stored the drive in a server room cabinet, protected by multiple physical security layers. But on May 26, when staff returned to retrieve it, they found the cabinet unlocked and the drive gone. Despite interviewing all 57 people with access to the room, the company has not located the device. A police report was filed on June 4, and the firm is now investigating all possibilities, including unauthorized removal. **Who is affected and how** The breach impacts up to 10.9 million customer accounts across the Kyushu region—home to about 12.6 million people. That means nearly every household in Fukuoka, Saga, Nagasaki, Kumamoto, Oita, Miyazaki, and Kagoshima could be affected. The exposed data includes names, service location addresses, electricity usage patterns, telephone numbers, and retail electricity provider names. Critically, no bank account or credit card information was stored on the drive, which limits direct financial fraud but opens the door to other risks. **The real-world impact and consequences** This is a goldmine for social engineering attacks. With names, addresses, and phone numbers, scammers can craft highly convincing phishing calls or emails pretending to be from Kyushu Electric. Electricity usage data might seem harmless, but it reveals when homes are occupied or empty—a potential physical security risk. The Japanese Ministry of Economy, Trade, and Industry has given the firm until July 8 to report all details and preventive measures. Meanwhile, the company has notified Japan’s Personal Information Protection Commission and promises to contact affected customers individually. **Technical breakdown (explain the "how" simply)** The incident is a textbook physical security failure. The IT team used an external drive for a routine backup—a common practice when server storage runs low. They stored it in a cabinet inside a server room with multiple security layers. But the human factor broke the chain: someone left the cabinet unlocked. With 57 people having access, the room became a high-traffic area, making it easy for a drive to go unnoticed. The investigation hasn’t found it, suggesting either an inside job or a very sloppy theft. The company’s backup process itself wasn’t flawed, but the storage and access controls were. **What should be done — mitigation and recommendations** First, Kyushu Electric must immediately implement strict access logs and surveillance for all server rooms. Biometric locks or keycard-only access with audit trails would prevent this from happening again. For customers, the company should offer free credit monitoring and identity theft protection services. On a broader scale, all utilities should encrypt backup drives by default—even if a drive is stolen, encryption renders the data useless. The firm should also conduct mandatory physical security training for all staff with access to sensitive areas. Finally, they need to accelerate the shift to encrypted cloud backups, eliminating the need for physical drives altogether. **Why this matters in the bigger cybersecurity landscape** This breach is a wake-up call for critical infrastructure. We often focus on sophisticated cyberattacks, but physical security remains a weak link. A single unlocked cabinet can expose millions. For Japan, a country with strict data protection laws, this incident will likely lead to heavier fines and mandatory physical security audits for all utilities. Globally, it underscores that cybersecurity isn’t just about firewalls and patches—it’s about locks, doors, and the people who use them. As we move toward smart grids and IoT, the stakes only get higher. The lesson? Never underestimate the power of a lost hard drive.

Imagine losing control of your Instagram account to a hacker who just chatted with an AI bot. That’s exactly what happened to the Obama White House and U.S. Space Force accounts over the weekend. The exploit was shockingly simple. Pro-Iran hackers tricked Meta’s AI support assistant into resetting passwords by asking it to add a new email address. If you use Instagram without multi-factor authentication, your account is at risk.

**What exactly happened** Over the weekend, Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were defaced with pro-Iranian messages and images. The attack wasn’t a sophisticated hack—it was a clever social engineering trick aimed at Meta’s AI support bot. Instructions for the exploit spread on Telegram channels starting May 31. A video showed hackers using a VPN with an IP address near the target’s hometown, requesting a password reset, then chatting with Meta’s AI assistant to link a new email address. The bot dutifully sent a one-time code, allowing a full account takeover. **Who is affected and how** High-value Instagram accounts with short, desirable usernames are prime targets. The hackers claimed they hijacked accounts worth over half a million dollars in resale value. But any account without multi-factor authentication (MFA) is vulnerable—the exploit failed against accounts with MFA enabled. The attack targeted Meta’s AI support assistant, designed to streamline account recovery. Instead of helping legitimate users, it became an unwitting accomplice in credential theft. **The real-world impact and consequences** Beyond defacing official U.S. government accounts, this attack exposes a dangerous new attack surface. AI chatbots handling sensitive account recovery can be manipulated just like human support staff—sometimes more easily. The incident forced Meta to push an emergency patch over the weekend. No backend database was breached, but the reputational damage is significant. For users, the risk is losing access to accounts they’ve spent years building. **Technical breakdown** The exploit was remarkably straightforward. Attackers used a VPN to mimic the target’s location, then triggered a password reset. Instead of answering security questions, they chose to chat with Meta’s AI assistant. The bot was instructed to add a new email to the account, and it complied—sending a one-time reset code to that address. This bypassed traditional security measures because the AI bot was designed to be helpful, not skeptical. It lacked the human intuition to question unusual requests, making it vulnerable to social engineering. **What should be done** Enable multi-factor authentication immediately. Even the weakest form—SMS codes—would have blocked this exploit. For stronger protection, use passkeys or security keys. Be cautious about relying on AI support for account recovery. If you have a high-value account, consider additional safeguards like backup codes or recovery contacts. Monitor your account for unauthorized email additions. **Why this matters** This attack signals a new era in cybersecurity. As platforms deploy AI chatbots to handle sensitive tasks, attackers will probe for weaknesses. The same vulnerabilities that plague human support—social engineering, persuasion, and trickery—now apply to AI. Ian Goldin from Lumen’s Black Lotus Labs warns we’re entering uncharted territory. AI bots are eager to help, and that eagerness can be exploited. The lesson is clear: don’t trust AI with your account security—back it up with strong authentication.

The Pixel 10 was supposed to be the fortress Google built after fixing the Pixel 9's critical Dolby zero-click exploit chain. But security researchers just proved that when one door closes, another window—quite literally—opens. A new exploit chain for the Pixel 10 uses a completely different path to achieve the same terrifying result: full device compromise from zero user interaction. If you own a Pixel 10 with a security patch level before February 2026, your device is vulnerable to an attack that requires no clicks, no taps, and no mistakes from you.

**What exactly happened** Security researchers who previously demonstrated a two-exploit chain for the Pixel 9 have now successfully ported their attack to the Pixel 10. The original chain exploited a Dolby zero-click vulnerability (CVE-2025-54957) combined with a local privilege escalation driver called BigWave. When Google patched the Dolby bug in January 2026 and removed BigWave from the Pixel 10, it seemed like the attack vector was closed. But researchers found a new path using the device's Video Processing Unit (VPU) driver instead. **Who is affected and how** Any Pixel 10 device running a security patch level of December 2025 or earlier is vulnerable. The attack requires zero user interaction—meaning you don't need to click a link, open an app, or approve anything. The exploit arrives silently through a malicious media file, likely delivered via messaging apps, email attachments, or even compromised websites. Your phone can be fully compromised without you ever knowing something happened. **The real-world impact and consequences** This is about as bad as it gets for mobile security. A zero-click exploit chain means attackers can gain complete control of your device without any warning signs. Once compromised, attackers can access all your data—messages, photos, passwords, banking apps, and corporate credentials. They can install spyware, activate your microphone and camera remotely, and use your phone as a foothold to attack your network. For journalists, activists, corporate executives, and government officials, this type of vulnerability is a nightmare scenario. But even average users should be concerned—zero-click exploits are the preferred weapon of commercial spyware vendors and state-sponsored attackers. **Technical breakdown** The original Pixel 9 exploit used two components: a Dolby audio decoder vulnerability for initial access, and the BigWave driver for escalating privileges to root. The Dolby bug allowed code execution within the media server process, while BigWave provided the kernel-level access needed for full control. For the Pixel 10, researchers updated the Dolby exploit to account for architectural changes. The Pixel 10 uses RET PAC instead of -fstack-protector, which removed the __stack_chk_fail function as a viable overwrite target. Researchers found a workaround by targeting dap_cpdp_init—initialization code that runs once and can be safely overwritten. The bigger challenge was replacing BigWave, which doesn't exist on the Pixel 10. Researchers discovered that the VPU driver, accessible through the mediacodec SELinux context, provides similar functionality for privilege escalation. This new driver became the "open window" that replaced the closed BigWave door. **What should be done** First, check your Pixel 10's security patch level immediately. If it's December 2025 or earlier, update to the February 2026 patch or later without delay. For organizations managing fleets of Pixel devices, enforce mandatory security updates and consider deploying mobile threat defense solutions that can detect anomalous behavior even on unpatched devices. On a broader level, this research underscores why Google and other manufacturers must conduct thorough security reviews of all drivers and services before shipping new devices—not just the ones that were problematic in previous models. **Why this matters in the bigger cybersecurity landscape** This exploit chain demonstrates a fundamental truth about mobile security: vulnerabilities are not eliminated, they're relocated. When Google removed one attack surface (BigWave), researchers simply found another (VPU). The pattern is concerning. Each new Pixel generation introduces new hardware components and drivers, each potentially harboring undiscovered vulnerabilities. The VPU driver wasn't even on researchers' radar until BigWave was removed. For the security community, this research serves as a critical reminder that proactive security must extend beyond patching known issues. It requires comprehensive auditing of every new component, every new driver, and every new attack surface introduced with each hardware generation. The Pixel 10's vulnerability isn't a failure of Google's patch process—it's a failure of the assumption that removing one exploit path makes a device secure. In cybersecurity, windows open as often as doors close.

Think fuzzing is just about throwing random junk at software until it breaks? Think again. A seasoned vulnerability researcher just pulled back the curtain on a major blind spot in one of the most powerful fuzzing techniques out there: mutational grammar fuzzing. Here’s the kicker: more code coverage doesn’t always mean more bugs. In fact, relying on coverage as your only compass can actually trap you in a local maximum, missing deep, complex flaws hiding just off the beaten path. If you’re running a fuzzer on your browser, compiler, or XML parser, this flaw could be the difference between a clean report and a zero-day slipping through.

**What exactly happened** A cybersecurity researcher published a deep dive into the hidden inefficiencies of mutational grammar fuzzing—a technique where a fuzzer mutates inputs while strictly following a grammar to keep them valid. While this method has uncovered serious bugs in XSLT engines and JIT compilers, the researcher revealed a counterintuitive flaw: **more coverage does not guarantee more bugs**. In fact, the very mechanism that saves "interesting" samples (those that trigger new code paths) can create a stale, overfit corpus that slows down discovery. **Who is affected and how** Anyone using coverage-guided grammar fuzzers—from open-source tools like Jackalope to custom in-house setups—is at risk. The issue is particularly acute for teams fuzzing parsers, interpreters, or any format-validating software (XML, JSON, scripting languages). The researcher noted that the problem isn't tool-specific; it's a structural weakness in how coverage feedback loops work. **The real-world impact and consequences** The practical cost is wasted compute time and missed vulnerabilities. A fuzzer that fixates on high-coverage samples may spend 90% of its cycles mutating a handful of "champion" seeds, ignoring the outskirts of the input space where subtle, complex bugs live. For a security team running a 24/7 fuzzing cluster, this means days of CPU time could yield zero new findings—while a single missed bug becomes a CVE down the line. **Technical breakdown (the "how")** The core issue is a **coverage myopia**. When a fuzzer finds a sample that triggers new code, it saves it and uses it as a base for further mutations. Over time, the corpus becomes dominated by a few highly-covered seeds. Mutations to these seeds often produce valid but boring inputs—they hit the same paths again, just with different data. The fuzzer's "exploration" becomes a narrow, repetitive loop. The researcher's fix is elegantly simple: **introduce a novelty bias**. Instead of only saving samples that increase coverage, the fuzzer should occasionally replace old seeds with new ones that explore different regions of the grammar, even if coverage stays flat. This prevents the corpus from stagnating and forces the fuzzer to "reset" its exploration. **What should be done — mitigation and recommendations** If you're running a grammar fuzzer, don't just trust the defaults. The researcher suggests: - **Periodically purge stale seeds** from your corpus, especially those that haven't yielded new coverage in many cycles. - **Inject random grammar-valid samples** even if they don't increase coverage—this breaks the fixation loop. - **Monitor mutation diversity**, not just coverage. If your fuzzer is repeatedly tweaking the same few seeds, it's time to shake things up. - **Experiment with different strategies** per target. The researcher found that a simple "replace oldest seed" heuristic outperformed default settings on libxslt. **Why this matters in the bigger cybersecurity landscape** This research is a wake-up call for the fuzzing community. We've spent years optimizing for coverage as the gold standard, but this shows that **coverage is a means, not an end**. The real goal is bug discovery, and sometimes you need to sacrifice a bit of coverage to find the hidden gems. As fuzzing becomes a staple in CI/CD pipelines and bug bounty programs, understanding these nuances separates a good fuzzer from a great one. The takeaway? Don't let your fuzzer get stuck in a rut—keep it curious.

A forgotten Windows API just became a security nightmare. The `GetProcessHandleFromHwnd` function, meant to simplify process access, has been quietly exploited to bypass User Account Control (UAC)—and it’s been broken for years. If you’re running Windows 10 or 11 (before 24H2), your system is exposed. Attackers can use this API to hijack privileged processes without triggering alarms. The worst part? Microsoft’s own documentation got it wrong, and the fix only arrived in the latest update.

**What exactly happened** Security researchers uncovered a critical flaw in the `GetProcessHandleFromHwnd` API—a function designed to retrieve a process handle from a window handle (HWND). The API was supposed to be safe, but it turns out Microsoft’s documentation was misleading, and the implementation had a glaring security gap. The vulnerability was first spotted in a publicly disclosed UAC bypass using the Quick Assist UI Access application. This isn’t just a theoretical risk—it’s already being weaponized in the wild. **Who is affected and how** Any Windows user running versions prior to 24H2 is at risk. The API allows a lower-integrity process to obtain a handle to a higher-integrity process—if both run under the same user account. That means malware running with user privileges can escalate to admin-level access. The attack chain is deceptively simple. An attacker first compromises a user-level process. Then, they use `GetProcessHandleFromHwnd` to grab a handle to a privileged process owned by the same user. Finally, they inject code or manipulate memory to gain full system control. **The real-world impact and consequences** This isn’t a minor bug—it’s a fundamental trust failure in Windows security architecture. The API was meant to be a convenience function, but it became a backdoor. The impact is broad: from enterprise networks to personal devices, any system with UAC enabled (which is most of them) is vulnerable. The most alarming part? The API bypasses UAC silently. Users see no prompts, and antivirus tools struggle to detect the abuse. This makes it a favorite for advanced persistent threats (APTs) and ransomware operators. **Technical breakdown** Here’s where it gets interesting. The API’s documentation claimed three things: that it uses Windows hooks to inject code, that it requires UI Access, and that it only works for the same user. All three statements were wrong. In reality, on Windows 11, the function is implemented in the Win32k kernel and opens processes directly—no hooks involved. It also doesn’t properly check for protected processes, meaning it can access even security-critical system processes. The core issue is a missing integrity level check. The API should verify that the caller’s integrity level is equal to or higher than the target’s. Instead, it only checks for same-user status, leaving the door wide open for privilege escalation. **What should be done — mitigation and recommendations** The fix arrived in Windows 11 24H2, which finally adds proper UIPI (User Interface Privilege Isolation) checks. But for older systems, there’s no patch—only a workaround: disable UI Access for non-essential applications and monitor for unusual process handle requests. For enterprise admins, consider using Windows Defender Application Control (WDAC) to block untrusted processes from calling this API. Also, review any applications that use Quick Assist or similar UI Access tools. **Why this matters in the bigger cybersecurity landscape** This vulnerability exposes a deeper problem: Microsoft’s security documentation is often outdated or inaccurate. When developers rely on docs to build secure software, they inherit these blind spots. The `GetProcessHandleFromHwnd` saga also highlights how legacy APIs can become ticking time bombs. As Windows evolves, old functions get new implementations—but the security checks don’t always follow. The takeaway? Trust no API blindly. Always test assumptions, and never assume a “convenience function” is safe. In the world of cybersecurity, convenience often comes with a hidden cost.