Tag
#privilege-escalation
13 posts tagged #privilege-escalation.
-
Analysis · May 22, 2026 · Colten Anderson
Your antivirus runs as SYSTEM, and that's the whole story
Two actively-exploited Defender zero-days look like 'the AV is broken.' The pattern underneath is older and more boring: the scanner has run unsandboxed as SYSTEM for a decade, and that makes it a target, not a sentinel.
-
Analysis · May 20, 2026 · Colten Anderson
The VPN bug that isn't on the gateway, it's the updater on the laptop
CVE-2020-3433 and CVE-2020-3153 are in the Cisco AnyConnect Windows client, not the VPN gateway. The weak point is the privileged helper service that auto-updates the client, which a local user can trick into running their code as SYSTEM.
-
Analysis · May 20, 2026 · Colten Anderson
The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.
CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. 'Patched upstream' never meant 'patched on your box.'
-
Analysis · May 20, 2026 · Colten Anderson
The Linux firewall bug your users can reach because you gave them a private root
CVE-2024-1086 is an nf_tables use-after-free that hands a local user root. The reason an unprivileged user can touch the kernel's packet-filtering engine at all is unprivileged user namespaces, and turning those off defuses a whole class of these bugs at once.
-
Analysis · May 20, 2026 · Colten Anderson
noPac: any domain user to Domain Admin, no exploit code required
CVE-2021-42278 and CVE-2021-42287 chain into 'noPac,' which takes a standard domain user to Domain Admin in about one command. There's no memory corruption, just abused Active Directory name handling, riding on a default that lets ordinary users create computer accounts.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws, storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
-
Analysis · May 20, 2026 · Colten Anderson
A clickable link in a SYSTEM dialog is a SYSTEM shell waiting to happen
CVE-2019-1388 turned a hyperlink in the UAC certificate dialog into a path to NT AUTHORITY\SYSTEM. No exploit code, just clicks: open the cert, click 'Issued by,' and the browser launches as SYSTEM. The lesson is what any interactive element in a privileged process really is.
-
Analysis · May 20, 2026 · Colten Anderson
The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.
CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day. Kaspersky tied it to QakBot, the botnet taken down nine months earlier, and found the exploit was already in several groups' hands before the patch.
-
Analysis · May 20, 2026 · Colten Anderson
The boring privilege-escalation bug is the one that finishes the job
CVE-2024-30088 is a local Windows kernel race condition. It needs an attacker who's already inside, which is exactly why it gets deprioritized. APT34 used it to turn a foothold into SYSTEM, then dropped a password filter to skim every cleartext login.
-
Analysis · May 14, 2026 · Colten Anderson
Fragnesia is the patch you already deployed, bypassed
If you rolled the Dirty Frag kernel update last week and called it done, your fleet is exposed again. Worse, patched hosts may still hand out root shells until you drop the page cache.
-
Analysis · May 6, 2026 · Colten Anderson
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks. Two unrelated ransomware groups were already using it. It was the sixth CLFS zero-day since 2022.
-
Analysis · May 3, 2026 · Colten Anderson
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.14 through 6.19. A Python script gives any local user root. Every major distro is affected, containers don't help, and the mitigation is trivial.
-
Analysis · May 1, 2026 · Colten Anderson
Windows Defender is the attack surface now, and two of the three exploits don't have patches
Three tools dropped in April turn Defender's own privileged operations into privilege escalation and detection evasion. Microsoft patched one. The other two work on fully patched systems.