The post Active In-The-Wild Exploit: “Copy Fail” Grants Root Privileges on Millions of Linux Systems appeared first on Daily CyberSecurity.

A researcher has discovered a weakness called PhantomRPC that Microsoft does not consider a vulnerability it plans to patch.

PhantomRPC involves Windows Remote Procedure Call (RPC), the core of communication between Windows processes. The vulnerability lets a process with impersonation rights escalate to SYSTEM by impersonating high‑privileged clients that connect to a fake RPC server.

The researcher presented a detailed technical report outlining five exploitation paths, including coercion, user interaction, or background services. They warned that potential vectors are “effectively unlimited” because the root issue is architectural.

Microsoft, however, classified the issue as “moderate,” refused a bounty, declined to assign a CVE (a spot in the list of Common Vulnerabilities and Exposures), and closed the case without tracking. Its position is that the technique requires an already‑compromised machine and does not provide unauthenticated or remote access.

Experts disagreed with Microsoft’s assessment. Their concern is that Microsoft is downplaying a systemic local privilege escalation technique that exists in all supported Windows versions.

The issue

At the core of this issue is that the Windows RPC runtime does not sufficiently verify that the server a high‑privileged client connects to is the intended legitimate endpoint.

If a legitimate RPC server is not reachable (for example because the service stopped, was misconfigured, not installed, or due to a race condition), an attacker with SeImpersonatePrivilege can spin up a fake RPC server that “fills the gap” using the same interface and endpoint.

When a SYSTEM or high‑privileged client connects to this fake server, using an impersonation level that allows the server to impersonate the client, the attacker can call RpcImpersonateClient and immediately escalate their privileges to SYSTEM.

From Microsoft’s perspective, the ability to run a rogue RPC server in this way falls under the category of “already compromised.”

SeImpersonatePrivilege

To understand the issue better, we need to dig into what SeImpersonatePrivilege does.

Basically, SeImpersonatePrivilege is the Windows permission that lets a program “pretend to be you” after you’ve already logged in, so it can do things on your behalf using your level of access.

It’s needed because many system services and server‑type apps (file sharing, RPC servers, COM servers, web apps) have to perform actions on behalf of a user, like reading their files or applying group policy.

If an attacker gains this privilege, they can create a fake service or server and wait for a more powerful account to talk to it. When that high‑privilege service connects, the attacker can grab its security token and impersonate it, effectively upgrading from an account with lower privileges to full SYSTEM control on that machine.

Protection

A Microsoft spokesperson provided the following statement:

“This technique requires an already-compromised machine and does not grant unauthenticated or remote access. Any update is a balance between existing compatibility and customer risk, and we remain committed to continually hardening our products. We recommend customers follow security best practices, including limiting administrative privileges and applying the principle of least privilege.”

In our opinion, mitigating PhantomRPC properly would require deep changes to the RPC architecture, which is hard to do on existing Windows versions without breaking compatibility. It’s maybe something we’ll see in future versions, given the scale of change needed.

What you can do:

• As PhantomRPC is a piece in a larger chain, it is still very important to keep Windows updated.
• Use your admin account sparingly and only for the tasks that need that kind of privilege.
• Use an up-to-date, real-time anti-malware solution that can detect and block suspicious privilege‑escalation activity.
• Avoid disabling or “hardening” services blindly since a malicious service might step in their place.

To answer the question in the title: it looks like a “feature” that can be abused in many ways; one that has outlived its original threat model. Defenders have to treat them as ongoing risks, rather than one‑off CVEs.

---

---

Discover the 9 most dangerous identity-based threats in 2026, from AI phishing attacks and deepfake authentication bypass to MFA fatigue and harvest-now-decrypt-later quantum threats. Learn why legacy authentication fails against each one and how phishing-resistant, passwordless authentication changes the equation.

The post 9 Identity-Based Threats Redefining Cybersecurity in 2026 (Beyond Credential Stuffing) appeared first on Security Boulevard.

The beginning of 2026 has brought a wave of zero-day vulnerabilities affecting Microsoft products, including the actively exploited Windows Desktop Window Manager flaw (CVE-2026-20805), the Microsoft Office zero-day (CVE-2026-21509) that prompted an out-of-band fix, and the Windows Notepad RCE bug (CVE-2026-20841). Microsoft’s March Patch Tuesday release keeps defenders busy again, this time shifting attention to CVE-2026-21262, a publicly disclosed SQL Server Elevation of Privilege (EoP) vulnerability that puts enterprise environments at risk. 

Microsoft describes CVE-2026-21262 as an improper access control flaw that allows an authorized attacker to elevate privileges over a network. The bug carries a CVSS score of 8.8 and was one of two publicly disclosed zero-days addressed in March’s Patch Tuesday. While there is no confirmed evidence of active exploitation, the combination of public exposure, low attack complexity, and the possibility of privilege escalation inside a core database platform makes this one hard to dismiss as a routine patch.

In view of Microsoft’s broad reach across enterprise and consumer environments, vulnerabilities in its products can have a devastating impact. BeyondTrust reported that Microsoft disclosed a record 1,360 vulnerabilities in 2024, with Elevation of Privilege flaws being a top category. That continued into 2025, when Microsoft patched 1,129 vulnerabilities across the year, while EoP issues stayed at 50% of all fixes as of December 2025. Google Threat Intelligence Group adds another layer of context. It tracked 90 in-the-wild zero-days in 2025 and found that enterprise technologies made up a record 48% of observed exploitation.

Sign up for SOC Prime Platform to access the world’s largest detection intelligence dataset backed by an AI-powered product suite, helping SOC teams seamlessly handle everything from threat detection to simulation. Defenders can drill down to a relevant detection stack for vulnerability exploitation activity by pressing Explore Detections.

Explore Detections

All rules are mapped to the latest MITRE ATT&CK® framework and are compatible with multiple SIEM, EDR, and Data Lake platforms. Additionally, each rule comes packed with broad metadata, including CTI references, attack flows, audit configurations, and more.

Cyber defenders can also use Uncoder AI to streamline their detection engineering routine. Turn raw threat reports into actionable behavior rules, test your detection logic, map out attack flows, turn IOCs into hunting queries, or instantly translate detection code across languages backed by the power of AI and deep cybersecurity expertise behind every step.

CVE-2026-21262 Analysis

Microsoft’s March 2026 Patch Tuesday addressed over 80 vulnerabilities, including two publicly disclosed zero-days. Across the release, privilege escalation flaws dominated, with the total list containing 46 EoP bugs, 18 RCE flaws, 10 information disclosure bugs, 4 denial-of-service issues, 4 spoofing vulnerabilities, and 2 security feature bypass flaws. 

CVE-2026-21262 stands out because it affects SQL Server, a platform many organizations rely on to run core applications and store high-value data. Successful exploitation can let attackers move from a low-privileged authenticated account to SQL sysadmin, which effectively means full control over the affected database instance. From there, hackers can access or alter data, change configuration, create new logins, or establish persistence inside the SQL environment.

The flaw does not provide initial access on its own. An attacker still needs valid credentials and network reachability to a vulnerable SQL Server instance. That limitation matters, but it should not create false confidence. In many enterprise environments, low-privileged database accounts are spread across applications, integration services, automation tooling, and legacy workloads, which makes post-compromise abuse a realistic scenario. 

Microsoft’s March Patch Tuesday release also included several other vulnerabilities defenders should keep in focus. The second publicly disclosed zero-day is a .NET denial-of-service flaw (CVE-2026-26127). Microsoft also fixed two notable Office remote code execution bugs (CVE-2026-26110, CVE-2026-26113), which can be exploited through the Preview Pane. Another important issue is an Excel information disclosure flaw (CVE-2026-26144)  that researchers say could potentially be abused to exfiltrate data through Copilot Agent mode.

CVE-2026-21262 Mitigation

According to Microsoft’s advisory, organizations running SQL Server should first identify the exact product version and current build, then install the March 10 security update that matches the instance’s servicing path. 

Notably, the vendor distinguishes between the GDR path, which delivers security fixes only, and the CU path, which includes both security and functional fixes. If an instance has been following the GDR track, install the matching GDR package. If it has already been receiving CU releases, install the corresponding CU security update. Microsoft also notes that organizations can move from GDR to CU once, but cannot roll back from CU to GDR afterward.

The affected supported branches and corresponding updates include the following:

• SQL Server 2016 SP3: KB5077474 (GDR)
• SQL Server 2017: KB5077471 (CU31) or KB5077472 (GDR)
• SQL Server 2019: KB5077469 (CU32) or KB5077470 (GDR)
• SQL Server 2022: KB5077464 (CU23) or KB5077465 (GDR)
• SQL Server 2025: KB5077466 (CU2) or KB5077468 (GDR) for Windows and Linux
  
  

Alongside patching, defenders should review SQL logins and role assignments, reduce unnecessary privileges for service and application accounts, restrict network exposure to database servers, and monitor for unusual permission changes or newly assigned high-privilege roles. Because exploitation requires valid credentials, it is also worth reviewing embedded database credentials, shared service accounts, and secrets management practices across the environment. 

Also, by enhancing the defenses with SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.

The post CVE-2026-21262: SQL Server Zero-Day Fixed in Microsoft’s March Patch Tuesday Release appeared first on SOC Prime.

Hot on the heels of CVE-2025-66516, the maximum-severity Apache Tika XXE vulnerability, a couple of other security flaws have emerged in Windows products. In its December 2025 security update, Microsoft addressed 57 vulnerabilities, including two zero-days, CVE-2025-62221 and CVE-2025-54100.

Microsoft’s technologies underpin a vast share of the global digital infrastructure, making the security of its ecosystem especially critical. The 2025 BeyondTrust Microsoft Vulnerabilities Report notes that 2024 set a new record with 1,360 disclosed Microsoft vulnerabilities—an 11% jump from the previous year—with Elevation of Privilege (EoP) and RCE issues standing out as the most severe. That trend continued into 2025, with Tenable noting that Microsoft delivered patches for 1,129 CVEs in 2025—the second consecutive year the company exceeded the thousand-vulnerability threshold. In the December 2025 Patch Tuesday rollout, EoP flaws made up half of all addressed vulnerabilities, with RCE vulnerabilities following at roughly one-third (33.9%). The above-mentioned zero-days addressed in the December 2025 Patch Tuesday also fit into these threat categories. 

Register for SOC Prime Platform, the industry-first AI-Native Detection Intelligence Platform for real-time defense, to explore a collection of 600,000+ detection rules addressing the latest threats and equip your team with AI and top cybersecurity expertise. Click Explore Detections to reach the extensive rule set for vulnerability exploit detection, pre-filtered using the custom “CVE” tag.

Explore Detections

All detection rules can be used across multiple SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK® framework v18.1. Explore AI-native threat intelligence, including CTI references, attack timelines, audit configurations, triage recommendations, and more threat context each rule is enriched with.

Security teams can also significantly reduce detection engineering overhead with Uncoder AI by instantly converting detection logic across multiple language formats for enhanced translation accuracy, crafting detections from raw threat reports, visualizing Attack Flows, accelerating enrichment and fine-tuning while streamlining validation workflows. 

CVE-2025-62221and CVE-2025-54100 Analysis

Microsoft is wrapping up the year by releasing patches for 57 security vulnerabilities in Windows products covered in its December 2025 security update release, including two zero-days with a CVSS score of 7.8, CVE-2025-62221 and CVE-2025-54100.

The actively exploited flaw, CVE-2025-62221, is a use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authenticated local attacker to escalate privileges to SYSTEM. By exploiting this flaw, adversaries can gain full control of affected Windows systems without user interaction, though local access is required.

The vendor has confirmed 2025-62221 active exploitation in the wild; however, specific attack methods remain undisclosed. The vulnerability impacts systems with the Cloud Files minifilter, which is present even if apps like OneDrive, Google Drive, or iCloud aren’t installed. 

Due to the increasing exploitation risks, CISA has recently added CVE-2025-62221 to its KEV catalog, requiring Federal Civilian Executive Branch agencies to apply the update by December 30, 2025. 

Another zero-day, CVE-2025-54100, is an RCE flaw in Windows PowerShell that allows unauthenticated attackers to run arbitrary code if they can get a user to execute a crafted PowerShell command, for instance, via Invoke-WebRequest.

The risk becomes more pronounced when paired with common social-engineering tactics: adversaries could trick a user or administrator into running a PowerShell snippet that retrieves malicious content from a remote server, triggering a parsing bug and enabling code execution or implant delivery. Although the issue is publicly known, Microsoft reports no active exploitation and currently rates the likelihood of exploitation as low. The flaw requires no privileges but does rely on user interaction, making social engineering the most probable attack path.

As potential  2025-62221 and CVE-2025-54100 mitigation measures, organizations that rely on the corresponding Windows products are urged to apply the patches immediately. With SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.

The post CVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zero-Day Vulnerabilities Patched appeared first on SOC Prime.