January 2026 Patch Cycle Highlights Multiple High-Severity Vulnerabilities Across OpenStack, Microsoft Windows, and Progress Appliances
Multiple vendors issued fixes for high-impact vulnerabilities that could enable privilege escalation, tenant-wide compromise, security feature bypass, or remote code execution. OpenStack patched CVE-2026-22797 in keystonemiddleware affecting deployments using external_oauth2_token, where failure to sanitize incoming identity headers allows authenticated users to forge headers (e.g., X-Is-Admin-Project, X-Roles, X-User-Id) to escalate privileges or impersonate other users; fixes were released across supported branches and the issue was reported by a Red Hat researcher.
Microsoft patched CVE-2026-20965 in Windows Admin Center’s Azure SSO (fixed in Azure Extension v0.70.00), where improper token validation could let an attacker with local admin on a WAC-enabled Azure VM/Arc machine combine a stolen WAC.CheckAccess token with a forged PoP token to enable lateral movement and tenant-wide access under certain conditions. Separately, Microsoft addressed CVE-2026-20824 in Windows Remote Assistance, an Important security feature bypass that can allow attackers to evade Mark of the Web (MOTW) protections via social engineering. Progress Software also released patches for CVE-2025-13444 and CVE-2025-13447 (CVSS 8.4) affecting LoadMaster and MOVEit WAF, where crafted UI/API requests can trigger command injection leading to remote code execution; the vendor stated it had no evidence of in-the-wild exploitation at the time of release.
Timeline
Jan 16, 2026
OpenStack patches keystonemiddleware header forgery privilege-escalation flaw
By January 16, 2026, OpenStack had released fixes for CVE-2026-22797 across multiple keystonemiddleware release branches. The vulnerability allowed authenticated attackers in deployments using external_oauth2_token middleware to forge identity headers and potentially gain administrative privileges or impersonate other users.
Jan 13, 2026
Microsoft discloses and patches Windows Remote Assistance MOTW bypass
On January 13, 2026, Microsoft disclosed CVE-2026-20824 and released security updates for affected Windows client and server platforms. The flaw allows a Mark of the Web security feature bypass in Windows Remote Assistance, though Microsoft assessed exploitation as less likely and not observed in the wild.
Jan 13, 2026
Microsoft patches Windows Admin Center Azure token validation flaw
On January 13, 2026, Microsoft fixed CVE-2026-20965 in Windows Admin Center Azure Extension v0.70.00. The patch addressed improper token validation that could let an attacker with local administrator access pivot to broader Azure tenant resources.
Jan 12, 2026
Progress releases patches for LoadMaster and MOVEit WAF command injection flaws
On January 12, 2026, Progress Software released fixes for CVE-2025-13444 and CVE-2025-13447, two high-severity command injection vulnerabilities affecting LoadMaster load balancers and MOVEit Web Application Firewalls. Progress said it had no evidence of in-the-wild exploitation at the time of the advisory and urged customers to patch promptly.
Aug 1, 2025
Cymulate discloses WAC Azure SSO flaw to Microsoft
Cymulate Research Labs reported CVE-2026-20965 to Microsoft in August 2025. The vulnerability affected Windows Admin Center Azure Single Sign-On and could enable tenant-wide compromise through improper token validation.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 months ago
Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for **165 vulnerabilities** across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was **CVE-2026-32201**, an **actively exploited** improper input validation flaw in **SharePoint Server** that enables unauthenticated network-based spoofing and was immediately added to **CISA's Known Exploited Vulnerabilities** catalog. Microsoft also patched **CVE-2026-33825**, a publicly known **Microsoft Defender** privilege-escalation bug with proof-of-concept code, and **CVE-2026-33824**, a critical **remote code execution** flaw in **Windows IKE Service Extensions** affecting IPsec/VPN infrastructure. Researchers flagged **CVE-2026-33827** in **Windows TCP/IP** as potentially **wormable** under certain IPv6 and IPSec configurations. Other high-impact fixes include **CVE-2026-33120**, a **SQL Server remote code execution** flaw that paired with a separate privilege escalation bug (**CVE-2026-32176**) could enable full server compromise, and **CVE-2026-32220**, a **UEFI Secure Boot bypass** that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
2 weeks ago
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
2 months ago