"CVE-2026-21510: a Windows SmartScreen and Windows Shell security prompts bypass that can be exploited by convincing the targeted user to open a malicious link or shortcut file. CVE-2026-21514: a vulnerability that allows an attacker to bypass OLE mitigations in Microsoft 365 and Office by tricking the target into opening a malicious Office file. CVE-2026-21513: an Internet Explorer issue that allows an attacker to bypass security controls and potentially execute code by convincing the victim to open a malicious HTML or LNK file."
"However, it's worth noting that for the discovery of both CVE-2026-21510 and CVE-2026-21514 Microsoft credited Google Threat Intelligence Group (GTIG), its own security teams, and an anonymous researcher. CVE-2026-21513 was discovered by Microsoft and GTIG. This suggests that some of these vulnerabilities may have been exploited by the same threat actors or in the same attacks. Google has been tracking attacks conducted by commercial spyware vendors, state-sponsored APTs, and profit-driven cybercriminals, but nation-state hackers are often behind campaigns involving these types of zero-days."
Microsoft issued Patch Tuesday fixes for about 60 vulnerabilities, including six actively exploited zero-days affecting SmartScreen, Windows Shell, Internet Explorer, Office/OLE, Desktop Window Manager, Remote Desktop Services, and Remote Access Connection Manager. Several of the zero-days enable prompt-and-file-based bypasses or require local access for privilege escalation or denial-of-service. Microsoft credited Google Threat Intelligence Group, internal teams, CrowdStrike, and an anonymous researcher for discoveries. Three zero-days were flagged as publicly disclosed. No public attack details have surfaced, but attribution notes and GTIG tracking suggest potential involvement of commercial spyware vendors, state-sponsored APTs, or nation-state actors.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]