FAQ on Copy Fail Linux Kernel Privilege Escalation (CVE-2026-31431)
On April 29, researchers at Theori publicly disclosed CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem dubbed "Copy Fail." The flaw has been present in every major Linux distribution since 2017. A public proof-of-concept exploit is available and reported to work reliably, drawing comparisons to Dirty Cow and Dirty Pipe. CVE Description CVSSv3 CVE-2026-31431 Linux Kernel Local Privilege Escalation Vulnerability 7.8 Patched kernel versions are available, though some major distributions have not yet shipped updates. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Oracle April 2026 Critical Patch Update Addresses 241 CVEs
On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of 2026. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%. For more information about the April 2026 CPU release, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)
On April 14, Microsoft released its April 2026 Patch Tuesday release which addressed 163 CVEs with eight rated as critical, 154 rated as important and one rated as moderate. This month’s update included one actively exploited zero-day vulnerability. CVE-2026-32201 is a spoofing vulnerability affecting Microsoft SharePoint Server. It received a CVSSv3 score of 6.5 and was rated as important. Microsoft has released updates for SharePoint 2016, 2019 and SharePoint Server Subscription Edition to address this flaw. Microsoft also addressed another zero-day, however this vulnerability was not exploited in the wild, however was publicly disclosed prior to a patch being made available. CVE-2026-33825 is an elevation of privilege vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and was rated important. This month’s update includes patches for: .NET .NET and Visual Studio .NET Framework .NET, .NET Framework, Visual Studio Applocker Filter Driver (applockerfltr.sys) Azure Logic Apps Azure Monitor Agent Desktop Window Manager Function Discovery Service (fdwsd.dll) GitHub Copilot and Visual Studio Code Microsoft Brokering File System Microsoft Defender Microsoft Dynamics 365 (on-premises) Microsoft Edge (Chromium-based) Microsoft Graphics Component Microsoft High Performance Compute Pack (HPC) Microsoft Management Console Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office SharePoint Microsoft Office Word Microsoft Power Apps Microsoft PowerShell Microsoft Windows Microsoft Windows Search Component Microsoft Windows Speech Remote Desktop Client Role: Windows Hyper-V SQL Server Universal Plug and Play (upnp.dll) Windows Active Directory Windows Admin Center Windows Advanced Rasterization Platform Windows Ancillary Function Driver for WinSock Windows Biometric Service Windows BitLocker Windows Boot Loader Windows Boot Manager Windows Client Side Caching driver (csc.sys) Windows Cloud Files Mini Filter Driver Windows COM Windows Common Log File System Driver Windows Container Isolation FS Filter Driver Windows Cryptographic Services Windows Encrypting File System (EFS) Windows File Explorer Windows GDI Windows Hello Windows HTTP.sys Windows IKE Extension Windows Installer Windows Kerberos Windows Kernel Windows Kernel Memory Windows Local Security Authority Subsystem Service (LSASS) Windows LUAFV Windows Management Services Windows OLE Windows Print Spooler Components Windows Projected File System Windows Push Notifications Windows Recovery Environment Agent Windows Redirected Drive Buffering Windows Remote Desktop Windows Remote Desktop Licensing Service Windows Remote Procedure Call Windows RPC API Windows Sensor Data Service Windows Server Update Service Windows Shell Windows Snipping Tool Windows Speech Brokered Api Windows SSDP Service Windows Storage Spaces Controller Windows TCP/IP Windows TDI Translation Driver (tdx.sys) Windows Universal Plug and Play (UPnP) Device Host Windows USB Print Driver Windows User Interface Core Windows Virtualization-Based Security (VBS) Enclave Windows WalletService Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Windows Win32K - GRFX Windows Win32K - ICOMP For more information, please visit our blog.CVE-2026-35616: Fortinet FortiClientEMS zero-day vulnerability exploited in the wild
On April 4, Fortinet published a security advisory (FG-IR-26-099) for CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS. CVE Description CVSSv3 CVE-2026-35616 Fortinet FortiClientEMS Improper Access Control Vulnerability 9.1 CVE-2026-35616 is a critical improper access control vulnerability affecting Fortinet FortiClientEMS. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests which bypass API authentication. While no attribution has been provided as of the time this blog was published, the advisory from Fortinet confirms that exploitation has been observed. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh, who reported the vulnerability to Fortinet. On April 4, Defused released a Linkedin post confirming their observations of zero-day exploitation of this flaw. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.FAQ on the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069
On March 31, a North Korea-nexus threat actor (UNC1069) compromised the axios npm package, one of the most widely used JavaScript libraries with over 100 million weekly downloads. The attacker published two malicious versions (1.14.1 and 0.30.4) containing a cross-platform remote access trojan tracked as WAVESHAPER.V2, targeting macOS, Windows and Linux developer environments. The malicious versions were live on the npm registry for approximately three hours before being removed. Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on malware lineage and infrastructure overlaps. Systems that installed the affected versions are considered fully compromised. Developers are advised to downgrade to axios@1.14.0 or 0.30.3, remove the phantom dependency (plain-crypto-js), rotate all secrets and rebuild affected systems. For more information about this supply chain attack, including IoCs, remediation guidance and Tenable product coverage, please visit our blog.CVE-2026-21992: Critical Oracle Fusion Middleware Vulnerability Out-of-Band Security Alert
Oracle published an out-of-band security alert on March 19 for CVE-2026-21992, a critical remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager, both part of Oracle Fusion Middleware. The vulnerability has a CVSSv3 score of 9.8 and is remotely exploitable without authentication. CVE Description CVSSv3 CVE-2026-21992 Oracle Identity Manager and Oracle Web Services Manager Remote Code Execution Vulnerability 9.8 Out-of-band security alerts from Oracle are infrequent and signal elevated risk. Patches are available through Oracle's Fusion Middleware patch documentation. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors. Recently Ministry of Intelligence and Security (MOIS) affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. MuddyWater and the Void Manticore persona known as Handala are two groups which have seen an increased level of malicious activity surrounding the recent military operations in Iran. For more information about this threat activity, including the availability of patches for the CVEs covered in our analysis as well as Tenable product coverage, please visit our blog.Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs
Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs (CVE-2026-21262, CVE-2026-26127) On March 10, Microsoft released its March 2026 Patch Tuesday release which patched 83 CVEs with eight rated as critical and 75 rated as important, including two vulnerabilities that were publicly disclosed prior to a patch being released. CVE-2026-21262 is an elevation of privilege (EoP) vulnerability affecting Microsoft SQL Server. It received a CVSSv3 score of 8.8 and was rated as important. CVE-2026-21262 was publicly disclosed as a zero-day. While no exploitation has been reported by Microsoft, a successful exploit of this flaw would result in an attacker gaining SQL sysadmin privileges. In addition, two more CVEs were issued for EoP flaws in Microsoft SQL Server, CVE-2026-26115 and CVE-2026-26116. CVE-2026-26127 is a denial of service (DoS) vulnerability affecting .NET 9.0 and 10.0 on Windows, Mac OS and Linux. It received a CVSSv3 score of 7.5 and was rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to patches being made available. Although it was publicly disclosed, Microsoft assesses that exploitation is unlikely for this DoS vulnerability. This month’s update includes patches for: .NET ASP.NET Core Active Directory Domain Services Azure Arc Azure Compute Gallery Azure Entra ID Azure IoT Explorer Azure Linux Virtual Machines Azure MCP Server Azure Portal Windows Admin Center Azure Windows Virtual Machine Agent Broadcast DVR Connected Devices Platform Service (Cdpsvc) Microsoft Authenticator Microsoft Brokering File System Microsoft Devices Pricing Program Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Payment Orchestrator Service Push Message Routing Service Role: Windows Hyper-V SQL Server System Center Operations Manager Windows Accessibility Infrastructure (ATBroker.exe) Windows Ancillary Function Driver for WinSock Windows App Installer Windows Authentication Methods Windows Bluetooth RFCOM Protocol Driver Windows DWM Core Library Windows Device Association Service Windows Extensible File Allocation Windows File Server Windows GDI Windows GDI+ Windows Kerberos Windows Kernel Windows MapUrlToZone Windows Mobile Broadband Windows NTFS Windows Performance Counters Windows Print Spooler Components Windows Projected File System Windows Resilient File System (ReFS) Windows Routing and Remote Access Service (RRAS) Windows SMB Server Windows Shell Link Processing Windows System Image Manager Windows Telephony Service Windows Universal Disk Format File System Driver (UDFS) Windows Win32K Winlogon For more information, please visit our blog.Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513) On February 10, Microsoft released its February 2026 Patch Tuesday release which patched 54 CVEs with two rated critical, 51 rated as important and one rated as moderate. This update included patches to address six zero-day vulnerabilities that were exploited in the wild including three of which were publicly disclosed prior to patches being made available. CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. It was assigned a CVSSv3 score of 8.8 and was rated as important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Exploitation requires an attacker to convince an unsuspecting user to open a malicious link or shortcut file. This would allow the attacker to bypass Windows SmartScreen and Windows Shell warnings by exploiting a flaw in Windows Shell components. CVE-2026-21533 is an elevation of privilege vulnerability affecting Windows Remote Desktop Services. It was assigned a CVSSv3 score of 7.8, rated as important and was reportedly exploited in the wild. Successful exploitation allows a local, authenticated attacker to elevate to SYSTEM privileges. This month’s update includes patches for: .NET .NET and Visual Studio Azure Arc Azure Compute Gallery Azure DevOps Server Azure Front Door (AFD) Azure Function Azure HDInsights Azure IoT SDK Azure Local Azure SDK Desktop Window Manager Github Copilot GitHub Copilot and Visual Studio Internet Explorer Mailslot File System Microsoft Defender for Linux Microsoft Edge for Android Microsoft Exchange Server Microsoft Graphics Component Microsoft Office Excel Microsoft Office Outlook Microsoft Office Word Power BI Role: Windows Hyper-V Windows Ancillary Function Driver for WinSock Windows App for Mac Windows Cluster Client Failover Windows Connected Devices Platform Service Windows GDI+ Windows HTTP.sys Windows Kernel Windows LDAP - Lightweight Directory Access Protocol Windows Notepad App Windows NTLM Windows Remote Access Connection Manager Windows Remote Desktop Windows Shell Windows Storage Windows Subsystem for Linux Windows Win32K - GRFX For more information, please visit our blog.Frequently Asked Questions About Notepad++ Supply Chain Compromise
On February 2, Don Ho, creator of Notepad ++, a source code and text editor for Windows, published a blog detailing the investigation into a supply chain security incident. According to the blog post, threat actors compromised the infrastructure by which Notepad++ would distribute software updates. This compromise allowed the attackers to redirect update traffic from its intended destination (notepad-plus-plus dot org) to an attacker-controlled site. Tenable’s Research Special Operations (RSO) team has compiled a blog to answer Frequently Asked Questions (FAQ) regarding the disclosure of a supply chain compromise of Notepad++. For more information, please visit our blog.
