Zero Day

Security researchers exploited Windows 11, Microsoft Edge, Red Hat Linux, and multiple AI platforms on the first day of Pwn2Own Berlin 2026, earning $523,000 for 24 unique zero-day vulnerabilities.

A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.

Google's Threat Intelligence Group identifies a criminal group using an LLM-generated exploit to bypass 2FA in a web admin tool—marking the first confirmed AI-built zero-day in active use.

A new Linux kernel flaw dubbed Dirty Frag (CVE-2026-43284) enables instant root on all major distros. No patches exist after embargo collapsed.

CVE-2026-6973 lets attackers achieve RCE on Ivanti Endpoint Manager Mobile with admin credentials. CISA added it to KEV with a two-day patch deadline for federal agencies.

Russian military hackers deployed PRISMEX steganography malware against Ukraine and NATO logistics networks, exploiting zero-days CVE-2026-21509 and CVE-2026-21513 weeks before patches.

Critical CVSS 9.8 flaw in cPanel/WHM allowed attackers to bypass authentication via CRLF injection. Exploits confirmed in the wild before emergency patches.

Huntress confirms hands-on-keyboard exploitation of all three Windows Defender zero-days. Microsoft patched BlueHammer, but RedSun and UnDefend remain unpatched as attackers chain them for SYSTEM access.

Frustrated researcher 'Chaotic Eclipse' releases RedSun, another Windows Defender privilege escalation exploit granting SYSTEM access. Microsoft has not yet patched this second zero-day.

Microsoft's April 2026 Patch Tuesday fixes 167 vulnerabilities including CVE-2026-32201, an actively exploited SharePoint zero-day. Eight critical RCE flaws patched.

CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS 8.6 score. Active exploitation began in December 2025. Update immediately.

Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.

Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.

AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.

CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.

CVE-2026-5281 exploited in the wild targets Dawn WebGPU implementation. Google rushes emergency patch as Chrome zero-days accelerate in 2026.

CVE-2026-33017 (CVSS 9.3) lets attackers execute arbitrary Python code on Langflow AI pipelines without authentication. Exploitation began before any PoC existed.

Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.

Google patches two actively exploited Chrome zero-days affecting Skia graphics and V8 JavaScript engine. CISA adds both to KEV catalog with March 27 deadline.

Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities including two publicly disclosed zero-days in SQL Server and .NET. Eight flaws rated Critical.

Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.

Google's March 2026 Android security update patches 129 vulnerabilities including CVE-2026-21385, a Qualcomm graphics flaw affecting 234 chipsets under active exploitation.

CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.

Chinese threat group UNC6201 exploited a critical hardcoded credential flaw (CVE-2026-22769) in Dell RecoverPoint for 18 months before disclosure. Patch now.

CVE-2026-2441 is a high-severity CSS use-after-free in Chrome being exploited in the wild. Update to version 145.0.7632.75 immediately.

CVE-2026-20700 memory corruption flaw in dyld exploited against targeted individuals. Google TAG credited with discovery. Patch now for iOS, macOS, watchOS.

Singapore confirms China-linked APT compromised M1, Singtel, StarHub, and SIMBA using zero-day exploits and rootkits. 11-month Operation Cyber Guardian response disclosed.

Microsoft's February 2026 Patch Tuesday fixes 59 flaws including six actively exploited zero-days. CrowdStrike confirmed CVE-2026-21533 was used in attacks targeting US and Canada since December.

CVE-2025-8110 allows authenticated attackers to achieve RCE on self-hosted Git servers via path traversal. Over 700 instances already compromised.

Two critical code injection flaws in Ivanti Endpoint Manager Mobile enable unauthenticated RCE. Federal agencies must remediate by February 1.

CVE-2026-24858 allows attackers with FortiCloud accounts to log into other organizations' FortiGate devices. Patches rolling out now.

CVE-2026-21509 bypasses OLE security protections across Office 2016-2024. CISA adds it to KEV catalog with February 16 deadline.

Fuzzware.io claims Master of Pwn at Tokyo competition after researchers demonstrate record-breaking exploits against Tesla, EV chargers, and infotainment systems.

Researchers demonstrated 29 new zero-day exploits on Day Two at Pwn2Own Automotive in Tokyo, targeting EV chargers, infotainment systems, and Automotive Grade Linux.

Researchers exploited 37 zero-day vulnerabilities in Tesla systems, EV chargers, and infotainment units during the first day of Pwn2Own Automotive 2026 in Tokyo.

January 2026 Patch Tuesday addresses CVE-2026-20805, an info disclosure bug already under attack. CISA gives feds until February 3 to patch.

Huntress researchers discover 'MAESTRO' toolkit exploiting three VMware vulnerabilities. Attackers chained SonicWall VPN access with hypervisor escape to deploy persistent backdoors.

Apple issues emergency patches for two WebKit zero-day vulnerabilities being actively exploited in sophisticated attacks linked to NSO Group's Pegasus spyware.

Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.

CVE-2025-54322 enables unauthenticated root RCE on SD-WAN appliances and edge routers. Vendor has ignored seven months of disclosure attempts. No patch available.

CVE-2025-14174 and CVE-2025-43529 were exploited in sophisticated attacks before Apple's December 12 emergency patches across iOS, macOS, and Safari.

CVE-2025-68613 in the workflow automation platform scores CVSS 9.9 with public PoC code now available. Patch to version 1.122.0 immediately.

CVE-2025-40602 privilege escalation flaw combined with earlier vulnerability enables unauthenticated remote code execution on SonicWall appliances.

Critical out-of-bounds write vulnerability in WatchGuard Firebox firewalls under active exploitation with over 125,000 devices exposed online.

Critical CVE-2025-20393 in Cisco Secure Email Gateway actively exploited by UAT-9686 threat actors deploying AquaShell backdoor since November.