Originally reported by The Hacker News, SANS ISC, MSRC Security Updates
TL;DR
Microsoft addressed a remote code execution vulnerability in Windows RRAS while threat actors continue deploying sophisticated social engineering campaigns including trojan VPN clients and evolved ClickFix techniques. Multiple library vulnerabilities across CoreDNS, zlib, and other components require attention.
The Windows RRAS remote code execution vulnerability (CVE-2026-25172) is a high-severity threat to enterprise infrastructure, and it arrives alongside active credential theft campaigns that rely on sophisticated social engineering techniques.
Microsoft has issued patches for CVE-2026-25172, a remote code execution vulnerability in Windows Routing and Remote Access Service (RRAS). According to Microsoft's advisory, the hotpatch has been re-released to ensure comprehensive coverage across all affected scenarios, indicating the criticality of this flaw for organizations running RRAS infrastructure.
Microsoft's threat intelligence team has documented a credential theft operation by Storm-2561 that leverages search engine optimization (SEO) poisoning to distribute malicious VPN clients. The campaign redirects users searching for legitimate enterprise software to attacker-controlled websites hosting digitally signed trojans that masquerade as trusted VPN applications. This technique exploits the trust users place in search results and code signing certificates to bypass security controls.
Researchers have identified new variants of ClickFix attacks being deployed in active campaigns. SANS ISC documented the SmartApeSG campaign, which uses ClickFix pages to deliver Remcos RAT payloads. These attacks continue to evolve their social engineering techniques to manipulate users into executing malicious code under the guise of fixing legitimate system issues.
Several vulnerabilities affecting widely used libraries have been published:
- CVE-2026-26018: CoreDNS loop detection denial-of-service vulnerability that could impact DNS resolution services
- CVE-2026-31802: node-tar symlink path traversal vulnerability allowing directory traversal via drive-relative linkpaths
- CVE-2026-3381: Compress::Raw::Zlib for Perl uses potentially insecure versions of the underlying zlib library
- CVE-2026-27141: HTTP/2 frame handling vulnerability in golang.org/x/net that can cause server panics
- CVE-2026-27171: zlib CPU consumption vulnerability through unbounded loops in CRC32 combination functions
CVE-2026-21257 addresses an elevation of privilege vulnerability affecting GitHub Copilot and Visual Studio, while CVE-2026-3942 fixes incorrect security UI behavior in Chromium's Picture-in-Picture feature. Microsoft noted that updates to security information links have been made for the GitHub Copilot issue.
Meta announced plans to discontinue end-to-end encryption support for Instagram chats after May 8, 2026. Users with affected chats will receive instructions for downloading messages and media they wish to preserve before the encryption feature is removed.