EG-FinCIRT

Remcos RAT Operations: How Attackers Gain and Maintain Control

Thu, 05 Mar 2026 12:27:09 +0000

March 5, 2026
3:27 pm
Malware Analysis

Remcos in nutshell

Remcos is a Windows remote access trojan (RAT) that was originally sold as a legitimate tool for remote administration and management, but it has been widely abused by cybercriminals and threat groups in phishing and malware campaigns to infect systems across many sectors, including government, healthcare, financial services, banking, and other critical industries .

Remcos gives attackers full remote control over an infected system, allowing them to execute commands, manage files, capture keystrokes and screenshots, record audio and video, and steal stored credentials . Because of these capabilities and its persistence, Remcos is often used not only for espionage or system takeover but also for financially driven objectives: attackers can covertly collect sensitive data such as login credentials, banking details, and other personal or business information and then use it to take over accounts, commit fraud, perform unauthorized transactions, steal money, or sell the stolen information for profit.

Infection flow

The initial stage of the infection chain was first observed on 2025-12-16 (UTC) according to VirusTotal. The sample is a malicious JavaScript (JS) file with a size of 8.84 MB .

SHA256: e0a69eff836709cbefee1079d647d50d55f558e5f8c7bf18a8056361cd5116f3
Detection Ratio: 20/63 at the time of analysis

The analyzed sample is heavily obfuscated JavaScript that drops and executes multi-stage payloads. Below, a diagram shows these stages.

Stage 1 - Analysis of obfuscated Java Script

The first stage of the infection chain is implemented in a large JavaScript file that is highly obfuscated and mainly contains junk, unused variables, and functions that do not affect execution.

One noticeable technique is the repeated concatenation of the same unclear string to a single variable many times, which intentionally increases the script size and hides the real payload inside a large amount of repetitive data.

In addition to this, it hides meaningful strings inside large arrays and retrieves them dynamically at runtime using helper functions with calculated indexes and also uses confusing execution structures, including unnecessary loops and arithmetic expressions. Also defines several functions that appear to move execution forward or backward, as well as unused prototypes that are never actually invoked .

After the deobfuscation, the script first checks whether a specific file with a random-looking name already exists under C:\Users\Public\Libraries\.

If the file does not exist, the malware copies itself into that directory, and then, to maintain persistence, it creates a scheduled task using theschtasksutility.

This causes the script to be executed every 10 minutes, guaranteeing re-execution even after a reboot. The task is created via
cmd.exeand launched using WScript.Shell.Run,which is a common LOLBins-based persistence technique where attackers abuse legitimate Windows binaries or scripts (“Living off the Land Binaries”) to perform malicious actions without dropping new executables, helping them evade security detection.

The script then drops three files in the same directory:C:\Users\Public\Libraries\. Each file is reconstructed from obfuscated data – the strings are reversed, cleaned of special characters (~,!,#,$,%,^,&,*,>),and written to disk usingADODB.Stream.

The decoding process can be reproduced in CyberChef using this recipe that reverses the string and removes unwanted characters.

The dropped files as following :

Dropped File	Description
Filename: WTZTFTBNJIPTWLHJTGXIXAYZECKKCFKKMBWVLGGVHQGONDHQVYLZUJN Hash: 6bed90bbdb00ffb3704410c6a7b16751cd8fdc100acf47130783477750c33c8b	Obfuscated Lua script; executed by the loader as a command-line argument
Filename: WTZTFTBNJIPTWLHJTGXIXAYZECKKCFKKMBWVLGGVHQGONDHQVYLZUJN.exe Hash: 5343326fb0b4f79c32276f08ffcc36bd88cde23aa19962bd1e8d8b80f5d33953	LuaJIT-based loader; executed first and receives the Lua script as input
Filename: lua51.dll	LuaJIT runtime library used by the loader to execute the Lua script

Stage 2 - LUA

This stage is written in Lua, a lightweight, high-level scripting language designed for embedded use. Lua is famous for its simplicity, speed, and flexibility, and is commonly employed for scripting, automation, and integration into other applications thanks to its compact footprint and efficient performance.

Analyzing the Script it’s an obfuscated LuaJIT-based loader that leverages FFI (Foreign Function Interface), a built‑in feature that allows pure Lua code to directly call native C functions and work with C data structures, without needing custom bindings or external DLL wrappers. In this case, FFI is abused to enable low‑level process and memory manipulation from within Lua.

The malware targets colorcpl.exe, a legitimate Windows Control Panel applet, as its process injection victim. The loader spawns the trusted Windows process and injects a decoded payload via opening the target process with full access, allocates executable memory, writes the decoded payload into it, and executes it via a remote thread.

The injected payload is stored inside a large embedded variable and protected by three layers of obfuscation. First, the payload string is reversed, then Base64 decoded, and finally transformed using a ROT14 applied to printable ASCII characters.

This script automates the deobfuscation and dumping of the shellcode for further analysis.

				
					import re
import base64

def rot14(data):
    return bytes(
        33 + ((b + 14) % 94) if 33 <= b <= 126 else b
        for b in data
    )

with open("file.lua", "r", errors="ignore") as f:
    lua = f.read()

# Find the embedded payload
payload = re.search(r"(==[A-Za-z0-9+/=]{100,})", lua).group(1)

payload = payload[::-1]             
payload = base64.b64decode(payload)   
payload = rot14(payload)              

with open("dump.bin", "wb") as f:
    f.write(payload)

print("Payload decoded")

Donut loader - Shellcode

The extracted shellcode is packed using Donut, a popular shellcode generation tool that produces position‑independent code designed for in‑memory execution. Donut can convert a wide range of payload types, including native PE files (EXE/DLL) and .NET assemblies into shellcode that can be injected and executed.

Donut shellcode is composed of a native loader stub followed by a structured configuration and the embedded payload itself. The configuration, commonly referred to as the Donut instance, contains metadata such as architecture flags, encryption keys, payload type, and execution options.

To inspect this stage, the donut‑decryptor tool was helpful to parse and decrypt the Donut instance, allowing the loader logic and dumping
the embedded payload.

The dumped final stage was identified as Remcos RAT, delivered as a PE32 executable and written in C++. The Remcos payload is never written to disk during this stage and only exists in memory after successful decryption and execution by the Donut loader.

Final Payload - Remcos

Configuration

The sample stores its RC4‑encrypted configuration inside a PE resource named “SETTINGS”. The configuration data is structured so that the first byte specifies the length of the RC4 key, followed by the key itself, and then the encrypted configuration blob.

Here is the Python script used to decrypt the embedded configuration :

				
					import pefile

def rc4_decrypt(data, key):
    if type(data) == str:
        data = data.encode('utf-8')
    if type(key) == str:
        key = key.encode('utf-8')
    x = 0
    box = list(range(256))
    for i in range(256):
        x = (x + box[i] + key[i % len(key)]) % 256
        box[i], box[x] = box[x], box[i]
    x = 0
    y = 0
    out = []
    for c in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(c ^ box[(box[x] + box[y]) % 256])
    return bytes(out)
    
def extract_remcos_config(pe):
    for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        for entry in rsrc.directory.entries:
            if str(entry.name) == 'SETTINGS':
                data_entry = entry.directory.entries[0].data
                offset = data_entry.struct.OffsetToData
                size = data_entry.struct.Size
                return pe.get_memory_mapped_image()[offset:offset + size]
    raise ValueError("SETTINGS resource not found")

# main
pe_file = pefile.PE("remcos.bin")
config_data = extract_remcos_config(pe_file)
key_len = config_data[0]
key = config_data[1:key_len + 1]
encrypted_config = config_data[key_len + 1:]
print(rc4_decrypt(encrypted_config,key))

Some decrypted values from the configuration are shown below:

Value	Description
laboratery.ydns.eu:63099:1	C2 server address, port, and TLS flag (1 = TLS enabled)
laboratery1.ydns.eu:63921:0	C2 server address, port, and TLS flag (0 = TLS disabled)
RemoteHost	Botnet name configured in the malware
remcos.exe	Name of the REMCOS executable once installed
Rmc-AFAZ9F	Mutex name, also used as a registry key
logs.dat	File used to store keylogging output
Remcos	Main installation directory
remcos	Directory used for keylogging data
C16F3DF974E930853974A85A2987E8B7	Embedded REMCOS license value
Screenshots	Folder used to store captured screenshots
MicRecords	Folder used to store recorded audio

\x1e\x1e\x1f is used as a delimiter between fields in C2 communication packets
The configuration also includes flags that enable or disable modules such as keylogging, screenshot capture, microphone/audio recording, and other capabilities
Additionally, it contains certificate-related values used for TLS communication, including the raw TLS certificate and the C2 server’s public certificate, which enable encrypted communication when TLS is active

Remcos pre execution phase

Privilege checks

At startup, Remcos performs a series of privilege checks to determine its current execution context and adapt its behavior accordingly. It
first verifies whether the process is running with administrative privileges. If this check succeeds, the malware performs an additional
validation by querying the process access token and comparing the user SID against the LOCAL SYSTEM account. This allows the malware to distinguish between standard user, administrator, and SYSTEM execution contexts.

Mutex

Remcos uses a mutex name taken from its configuration to ensure that only one instance runs at a time.

When executed with SYSTEM privileges, the malware appends the -sys suffix to the mutex name to indicate a high-privilege instance. If running without SYSTEM privileges, the mutex is created using the same name without the suffix.

Registry

Remcos stores its configuration and operational state in the Windows registry under a registry key name derived from the malware’s mutex Rmc-AFAZ9Ft. This key resides under HKCU\Software\ for standard user-level infections, and under HKLM\Software\ when elevated/system privileges are available.

Some default Remcos registry values:

Value Name	Description
`(Default)`	Default key value (unset)
`exepath`	The Remcos executable path encrypted with the same key as the config
`licence`	License string assigned to the Remcos build
`time`	Timestamp stored as a DWORD (likely Unix epoch)
`UID`	Unique malware identifier or victim ID

Remcos may create additional registry values depending on the features enabled in its configuration. For example:

Registry Value	Purpose
`WD`	Stores the PID of the main Remcos process. The malware writes this value before starting the watchdog process. The watchdog (often running inside a legitimate process like `svchost.exe`) monitors the main process and restarts it if it is killed.
`Inj`	Used to track or reset the state of process injection. It is related to Remcos injecting itself into another process.
`FR`	First-run flag. It shows that one-time actions (such as browser data cleaning) have already been executed, so they will not run again.

Installation and Persistence

REMCOS installs itself on the victim machine by copying its executable to the %ProgramData% folder with the filename remcos.exe under a directory named Remcos. Both the directory name and the filename are retrieved directly from its configuration. REMCOS also makes manual detection more difficult by applying read-only, hidden, and system attributes to the file and the directory.

For persistence, Remcos is dependent on the privilege level of the running process. When run under a standard user context, it only sets persistence within HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Run, ensuring execution upon logon for that specific user.

However, if the process is running with administrative privileges, REMCOS can write to system-wide autorun locations such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. These locations provide persistence across all user accounts and are generally more impactful.

Featured enabled in this sample

Keylogger

Remcos includes features for keylogging and clipboard monitoring, allowing it to collect every keystroke a user makes as well as any text data the user copies to the clipboard. This sample logs the captured input, both keystrokes and clipboard contents, into a file logs.dat within a Remcos folder under %AppData%.

The keylogging functionality is implemented by installing a Windows hook using SetWindowsHookExA, which allows the malware to intercept keyboard events at the system level without requiring kernel drivers. Once installed, this hook runs continuously in the background, capturing key presses as they occur.

The clipboard monitoring capture copies text data the user explicitly places on the clipboard that might not be entered via keyboard alone. It uses standard Windows clipboard APIs to grab the current text contents whenever a command is issued or at regular intervals and stores it in the same log file.

Screenshots

Remcos includes a screen capture capability that enables attackers to monitor the victim’s desktop activity in real time. It creates an in-memory copy of the current display and extracts the image data to generate a screenshot. It also enumerates open windows and selectively captures specific applications based on their titles, allowing for more targeted surveillance.

Captured screenshots are stored locally in the Screenshots folder defined in the configuration. Each file uses a timestamp-based naming format: wnd_%04i%02i%02i_%02i%02i%02i, which corresponds to wnd_YYYYMMDD_HHMMSS, allowing the images to be organized chronologically.

Audio recording [MicRecords]

The audio recording capability enables Remcos to capture live microphone input from an infected system in real time. Once activated, the malware interacts directly with the Windows multimedia (WaveIn) API to continuously record audio from the victim’s microphone using a buffered recording mechanism. As audio data is received, it is processed and saved locally in the folder MicRecords (as defined in the configuration) as standard .wav files, using a timestamp-based naming convention (YYYY-MM-DD HH.MM.wav), allowing recordings to be organized chronologically.

Recording works in continuous parts. When one buffer becomes full and is saved to disk, the malware immediately starts recording the next part without stopping. This allows it to monitor surrounding sounds continuously without any interruption .

Additional Capabilities of Remcos

Remcos is a fully featured Remote Access Trojan (RAT) that gives attackers extensive control over an infected system. Although some features are inactive, the sample includes several advanced capabilities:

Watchdog: Launches a secondary process, injects itself into it, and monitors the main process. If either process is terminated, the other restarts it to ensure persistence.
Process Injection: REMCOS can inject itself into a specified or hardcoded Windows process to avoid detection.
UAC Disabling: Modifies the EnableLUA registry value or uses a COM-based bypass to execute actions with elevated privileges silently.
PEB Masquerading: Patches the Process Environment Block to appear as explorer.exe, helping the malware evade basic detection.
Remote Wallpaper Change: Enables attackers to instantly change the victim’s desktop wallpaper for visual control or intimidation.
DLL Loader: Remotely loads and executes supplied DLLs.
Logins Cleaner: Deletes saved credentials, browser history, and cookies.
Extended System Control: Provides remote control over the mouse, keyboard, monitor, CD drive, taskbar, and Start Button.

C2 communication

The sample communicates with its C2 server using raw TCP sockets, with each C2 entry stored in the format domain:port:tls_flag. Upon execution, the malware iterates through this list and attempts to establish a direct socket connection to each C2 address until one successfully responds.

Depending on the configuration, TLS can be enabled or disabled dynamically. When TLS is enabled, the malware handles certificate loading, key initialization, and peer verification before establishing the encrypted channel. If the TLS setup fails, the error is logged, and the malware may continue by falling back to non-encrypted communication.

Remcos uses a structure when sending information to its command-and-control (C2) server. Each packet begins with a specific header followed by command-related data.

packet magic | packet size | command ID | command data

Magic number: 3 bytes 0xFF 0x04 0x24 marking the start of a packet.
Packet size: Indicates the total size of the packet.
Command ID: Identifies the action being performed.
Command data: Contains the collected system information, separated by the delimiter \x1E\x1E\x1F.

Information gathered

Field	Description
Agent Version	The Remcos version
Agent Identifier	Unique identifier assigned to the malware instance
Computer Name	Name of the infected system
Username	User account associated with the system
Geographic Location	Approximate location of the host
Operating System	OS name and architecture of the infected machine
Total Memory	Amount of installed system RAM
Processor Information	CPU model and hardware details
Running Process Path	Full path of the executing malware process
Active Window Title	Title of the currently focused window
Agent Type	Type of agent (EXE or DLL)
Registry Key / Mutex	Mutex or registry key used for persistence or identification
Installation Time	Timestamp when the malware was installed
Command and Control (C2) IP	Remote server used for communication
System Uptime	Duration since the system was last started
Idle Time	Time since the last user activity
Keylogger File Path	Location where keystroke logs are stored

C2 commands

Remcos receives a control command from the C2 server to perform actions on the victim’s device. It has many C2 commands that let attackers monitor and control the infected system. These commands can be grouped into different categories.

Category	Description
File Management	Browse drives, search files, upload/download files, zip/unzip files, rename or delete files, and modify file attributes to explore and manipulate data on the victim system
Process Management	List running processes and terminate, suspend, or resume processes to control applications and system operations
Service Management	Start, stop, or manage Windows services to control system functionality
Window Management	List, show/hide, maximize/minimize windows and modify window titles to control the user interface
Registry Management	Read, create, or delete registry keys and values for persistence and system configuration changes
Program Management	Enumerate installed applications and remotely uninstall software
Remote Shell Access	Establish a remote shell and execute system commands on the infected machine
Script Execution	Execute JavaScript, VBS, or batch scripts remotely for additional malicious operations
Power Management	Log off, shutdown, restart, sleep, or hibernate the system remotely
Password Recovery	Extract stored passwords from the system or applications
Network Monitoring	List processes using network connections to analyze network activity
Proxy Management	Start or stop a proxy server on the victim machine to route traffic through the compromised host
File Download & Execution	Download and execute files from the command-and-control server to deploy additional malware
DNS Manipulation	Modify or retrieve the hosts file to redirect network traffic
Communication	Display messages or chat with the victim directly
Multimedia Actions	Play sounds or alerts on the system for notification or intimidation
Credential Cleaning	Remove stored browser logins and cookies to erase traces
System Control Features	Disable input devices, hide taskbar, control monitor power, or manage hardware components
Malware Self-Management	Rename, restart, update, elevate privileges, or terminate the Remcos malware to maintain persistence and control

Conclusion

The sample is a multi-stage infection chain that eventually installs Remcos RAT (v7.1.0 Pro), a commercial remote-access tool commonly abused in cyberattacks. The attack begins with a heavily obfuscated JavaScript file, which then drops LuaJIT loaders and shellcode payloads.
The JavaScript maintains persistence via scheduled tasks (schtasks) and hides meaningful payload data using junk code, large arrays, loops, and string obfuscation.
The LuaJIT loader injects the payload into colorcpl.exe, performing in-memory execution without writing the Remcos PE to disk. The shellcode is packed using Donut, with embedded configuration and payload metadata.
The decrypted Remcos configuration reveals: C2 server addresses and ports, TLS flags, botnet name, mutex, installation paths, module flags (keylogger, screenshots, audio), and embedded license key.
Remcos collects extensive host information: system username, computer name, OS version, CPU/RAM details, running processes, active window titles, uptime, idle time, and registry keys.
Active capabilities in this sample include keylogging, screenshot capture, microphone recording, and storage of captured data in configured folders with timestamped filenames.
Additional capabilities: watchdog process, process injection, UAC bypass, PEB masquerading, remote wallpaper change, DLL loader, credential cleaning, extended system control (mouse, keyboard, monitor, CD, taskbar).
C2 communication is performed over raw TCP sockets with optional TLS, sending structured packets containing system info and receiving commands for full remote control.
Persistence is achieved via registry autorun entries, with installation using hidden, system, and read-only attributes

References

The post Remcos RAT Operations: How Attackers Gain and Maintain Control appeared first on EG-FinCIRT.

Google Chrome Security Update – 12 February 2026

Thu, 12 Feb 2026 09:13:39 +0000

30/2026

High

February 12, 2026

12:13 pm

Google has released an updated Chrome version 145.0.7632.45/46 for Windows and Mac, and version 145.0.7632.45 for Linux.

The addressed vulnerabilities could allow the attacker to bypass security controls, obtain sensitive information, exploit heap corruption, conduct UI spoofing via a crafted HTML page, persuade the victim to perform specific UI gestures to install a malicious extension, execute arbitrary code, and gain unauthorized access to the affected product.

Sample of the addressed vulnerabilities:

Google Chrome Heap Buffer Overflow in Codecs Code Execution Vulnerability (CVE-2026-2314):

CVSS: 8.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Consequences: Gain Access

Vulnerabilities

CVE-2026-2313
CVE-2026-2314
CVE-2026-2315
CVE-2026-2316
CVE-2026-2317
CVE-2026-2318
CVE-2026-2319
CVE-2026-2320
CVE-2026-2321
CVE-2026-2322
CVE-2026-2323

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Google Chrome Security Update

References

Google Chrome Security Update

The post Google Chrome Security Update – 12 February 2026 appeared first on EG-FinCIRT.

Intel® Security Updates – 11 February 2026

Wed, 11 Feb 2026 14:01:17 +0000

29/2026

High

February 11, 2026

5:01 pm

Intel has released security updates to address several vulnerabilities in multiple Intel products.

The addressed vulnerabilities could allow the attacker to gain elevated privileges, obtain sensitive information, or perform denial-of-service attacks on the affected product.

Samples of the addressed vulnerabilities:

1. Intel® AMT and Intel® Standard Manageability Out-of-bounds Write in The Firmware Via Network Access Vulnerability (CVE-2025-32008):

CVSS: 8.6
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Denial of Service

2. Improper Input Validation in The Intel® Server Firmware Update Utility Vulnerability (CVE-2025-25210):

CVSS: 8.2
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Consequences: Gain Privileges

Sample of the affected products:

Intel® AMT and Intel® Standard Manageability.
Intel® Server Firmware Update Utility.
Intel® Xeon® processors.
Intel® 800 Series Ethernet.
Intel® Core™ processors.

Vulnerabilities

Intel Security Advisory

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Intel Security Advisory

References

Intel Security Advisory

The post Intel® Security Updates – 11 February 2026 appeared first on EG-FinCIRT.

Ivanti Security Update – 11 February 2026

Wed, 11 Feb 2026 13:00:56 +0000

27/2026

High

February 11, 2026

4:00 pm

Ivanti has released a security update to fix multiple vulnerabilities across Ivanti Endpoint Manager (EPM).

The addressed vulnerabilities could allow the remote attacker to read arbitrary data from the database, leak stored credential data, and bypass security restrictions on the affected systems.

Sample of the addressed vulnerabilities:

Ivanti Endpoint Manager Authentication Bypass Vulnerability (CVE-2026-1603):

CVSS: 8.6
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Bypass Security

Vulnerabilities

CVE-2026-1603
CVE-2026-1602

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Ivanti Security Advisory

References

Ivanti Security Advisory

The post Ivanti Security Update – 11 February 2026 appeared first on EG-FinCIRT.

Microsoft February 2026 Patch Tuesday

Wed, 11 Feb 2026 09:42:04 +0000

26/2026

Critical

February 11, 2026

12:42 pm

Microsoft has released its monthly patch of security updates, known as Patch Tuesday. The mentioned patch addressed six actively exploited and three publicly disclosed zero-day vulnerabilities.

Microsoft has fixed (59) vulnerabilities that could allow the attacker to gain elevated privileges, perform denial-of-service attacks, obtain sensitive information, conduct spoofing attacks, bypass security restrictions, or execute arbitrary code and gain access to the affected systems.

February’s Patch Tuesday was released to fix security flaws in several Microsoft products such as .NET and Visual Studio, Desktop Window Manager, Windows Subsystem for Linux, Mailslot File System, Windows Kernel, Windows Shell, Windows Storage, Windows Remote Access Connection Manager, Windows Subsystem for Linux, Microsoft Graphics Component, Windows Cluster Client Failover, Windows LDAP – Lightweight Directory Access Protocol, and Windows Remote Desktop.

The actively exploited zero-day vulnerabilities in February’s Patch are:

Windows Shell Security Feature Bypass Vulnerability “CVE-2026-21510” allows the attacker to bypass security.
MSHTML Framework Security Feature Bypass Vulnerability “CVE-2026-21513” allows the unauthorized attacker to bypass a security feature over a network.
Microsoft Word Security Feature Bypass Vulnerability “CVE-2026-21514” allows the attacker to bypass security.
Desktop Window Manager Elevation of Privilege Vulnerability “CVE-2026- 21519” allows the attacker to gain elevated privileges.
Windows Remote Access Connection Manager Denial of Service Vulnerability “CVE-2026 21525” allows the unauthorized attacker to deny service locally.
Windows Remote Desktop Services Elevation of Privilege Vulnerability “CVE- 2026-21533” allows the authorized attacker to gain elevated privileges locally.

The publicly disclosed zero-day flaws are:

Windows Shell Security Feature Bypass Vulnerability “CVE-2026-21510” allows the attacker to bypass security.
MSHTML Framework Security Feature Bypass Vulnerability “CVE-2026-21513” allows the unauthorized attacker to bypass a security feature over a network.
Microsoft Word Security Feature Bypass Vulnerability “CVE-2026-21514” allows the attacker to bypass security.

Sample of the addressed vulnerabilities:

1- Azure SDK for Python Remote Code Execution Vulnerability (CVE-2026- 21531):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Gain Access

2- M365 Copilot Information Disclosure Vulnerability (CVE-2026-24307):

CVSS: 9.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Consequences: Obtain Information

Vulnerabilities

Microsoft MSRC

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Microsoft MSRC

References

Microsoft MSRC

The post Microsoft February 2026 Patch Tuesday appeared first on EG-FinCIRT.

Fortinet Security Updates – 11 February 2026

Wed, 11 Feb 2026 09:33:46 +0000

25/2026

Critical

February 11, 2026

12:33 pm

Fortinet has released security updates to fix several vulnerabilities across multiple Fortinet products.

The addressed vulnerabilities could allow the attacker to bypass authentication mechanisms, conduct SQL injection and cross-site scripting attacks, perform request smuggling attacks, execute unauthorized code or commands, gain elevated privileges, obtain sensitive information, bypass firewall and access control policies, or gain unauthorized administrative access to the affected products.

Sample of the addressed vulnerabilities:

1. FortiClientEMS SQLi in the Administrative Interface Vulnerability (CVE-2026- 21643):

CVSS: 9.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Gain Access

2. FortiOS LDAP Authentication Bypass Vulnerability in Agentless VPN and FSSO (CVE-2026-22153):

CVSS: 7.5
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Consequences: Bypass Security

Sample of the affected products:

FortiAnalyzer.
FortiManager.
FortiProxy.
FortiWeb.
FortiClientEMS.
FortiOS.

Vulnerabilities

CVE-2026-21643
CVE-2025-52436
CVE-2025-68686
CVE-2025-55018
CVE-2026-21743
CVE-2026-22153
CVE-2025-64157
CVE-2025-62439
CVE-2025-62676

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Fortinet Security Advisory

References

Fortinet Security Advisory

The post Fortinet Security Updates – 11 February 2026 appeared first on EG-FinCIRT.

SAP Security Patch Day February 2026

Tue, 10 Feb 2026 09:26:43 +0000

24/2026

Critical

February 10, 2026

12:26 pm

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products, such as SAP NetWeaver Application Server ABAP and ABAP Platform, SAP NetWeaver, SAP Business One, SAP Business Workflow, SAP S/4HANA, SAP Supply Chain Management, SAP BusinessObjects Business Intelligence Platform, SAP Commerce Cloud, SAP Solution Tools Plug-In (ST-PI), SAP Document Management System and SAP Fiori App.

The attacker could exploit some of these vulnerabilities to perform denial-ofservice attacks, conduct cross-site scripting attacks, obtain sensitive information, bypass security restrictions, execute arbitrary code, and gain access to the affected systems.

Sample of the addressed vulnerabilities:

1. SAP CRM and SAP S/4HANA (Scripting Editor) Code Injection Vulnerability (CVE-2026-0488):

CVSS: 9.9
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Gain Access

2. SAP NetWeaver Application Server ABAP and ABAP Platform Missing Authorization Check Vulnerability (CVE-2026-0509):

CVSS: 9.6
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Bypass Security

Vulnerabilities

SAP Security Patch Day February 2026

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

SAP Security Patch Day February 2026

References

SAP Security Patch Day February 2026

The post SAP Security Patch Day February 2026 appeared first on EG-FinCIRT.

Cisco Security Updates – 08 February 2026

Sun, 08 Feb 2026 09:17:19 +0000

23/2026

High

February 8, 2026

12:17 pm

Cisco has released security updates to address several vulnerabilities affecting multiple Cisco products.

The addressed vulnerabilities could allow the attacker to perform denial of service attacks, redirect users to malicious websites, conduct cross-site scripting attacks, upload arbitrary files, execute arbitrary commands, gain elevated privileges, and gain access to the affected products.

Sample of addressed vulnerabilities:

1. Cisco Meeting Management Arbitrary File Upload Vulnerability (CVE-2026- 20098):

CVSS: 8.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Gain Access

2. Cisco TelePresence CE and RoomOS Denial-of-Service Vulnerability (CVE-2026-20119):

CVSS: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Denial of Service

The affected products:

Cisco TelePresence Collaboration Endpoint (CE) Software.
Cisco RoomOS Software.
Cisco Evolved Programmable Network Manager (EPNM).
Cisco Prime Infrastructure.
Cisco Meeting Management.
Cisco Secure Web Appliance (virtual and hardware).

Vulnerabilities

CVE-2026-20056
CVE-2026-20098
CVE-2026-20111
CVE-2026-20119
CVE-2026-20123

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Cisco Security Updates

References

Cisco Security Updates

The post Cisco Security Updates – 08 February 2026 appeared first on EG-FinCIRT.

Google Chrome Security Update – 04 February 2026

Wed, 04 Feb 2026 08:30:06 +0000

22/2026

High

February 4, 2026

11:30 am

Google has released an updated Chrome version 144.0.7559.132/.133 for Windows and Mac, and version 144.0.7559.132 for Linux.

The addressed vulnerabilities could allow the attacker to obtain sensitive information, exploit heap corruption via a crafted HTML page, execute arbitrary code, and gain access to the affected product.

Sample of the addressed vulnerabilities:

Google Chrome Heap Buffer Overflow in Libvpx Code Execution Vulnerability (CVE-2026-1861):

CVSS: 8.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Consequences: Gain Access

Vulnerabilities

CVE-2026-1861
CVE-2026-1862
CVE-2026-1504

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Google Chrome Security Update

References

Google Chrome Security Update

The post Google Chrome Security Update – 04 February 2026 appeared first on EG-FinCIRT.

Progress Security Updates – 03 February 2026

Tue, 03 Feb 2026 08:21:21 +0000

21/2026

High

February 3, 2026

11:21 am

Progress has released security updates to fix multiple vulnerabilities across several Progress products.

The addressed vulnerabilities could allow the attacker to execute arbitrary commands and gain access by exploiting unsanitized input in the API input parameters to the affected system.

Sample of the addressed vulnerabilities:

Progress LoadMaster UI/API Command Injection Remote Code Execution Vulnerability (getcipherset) (CVE-2025-13444):

CVSS: 8.4
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Consequences: Gain Access

Sample of the affected products:

MOVEit WAF version 7.2.62.1.
LoadMaster GA 7.2.62.0 and all prior GA versions.
LoadMaster LTSF 7.2.54.15 and all prior LTSF versions.

Vulnerabilities

CVE-2025-13444
CVE-2025-13447

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Progress Security Advisory

References

Progress Security Advisory

The post Progress Security Updates – 03 February 2026 appeared first on EG-FinCIRT.

OpenSSL Security Updates – 01 February 2026

Sun, 01 Feb 2026 11:04:44 +0000

20/2026

Critical

February 1, 2026

2:04 pm

OpenSSL has released security updates to address several vulnerabilities affecting OpenSSL Software Services.

The addressed vulnerabilities could allow the attacker to perform denial-of-service attacks or execute arbitrary code and gain access to the affected system.

Sample of the addressed vulnerabilities:

OpenSSL Stack Buffer Overflow in CMS AuthEnvelopedData Parsing Vulnerability (CVE-2025-15467):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Denial of Service

Vulnerabilities

CVE-2025-11187
CVE-2025-15467
CVE-2025-15468
CVE-2025-15469
CVE-2025-69420
CVE-2026-22795
CVE-2025-66199
CVE-2025-68160
CVE-2025-69418
CVE-2025-69419
CVE-2025-69421
CVE-2026-22796

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

OpenSSL Security Updates

References

OpenSSL Security Updates

The post OpenSSL Security Updates – 01 February 2026 appeared first on EG-FinCIRT.

SolarWinds Security Updates – 01 February 2026

Sun, 01 Feb 2026 10:45:06 +0000

19/2026

Critical

February 1, 2026

1:45 pm

SolarWinds has released security updates to address several vulnerabilities affecting multiple SolarWinds products.

The addressed vulnerabilities could allow the attacker to bypass security restrictions, gain unauthorized administrative access using the client user account, execute arbitrary code, and gain access to the affected system.

Sample of the addressed vulnerabilities:

1. SolarWinds Web Help Desk Authentication Bypass Vulnerability (CVE-2025- 40552):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Bypass Security

2. SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2025-40551):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Gain Access

The affected products:

SolarWinds Web Help Desk 12.8.8 HF1 and all previous versions.
SolarWinds Observability Self-Hosted 2025.4 and prior versions.

Vulnerabilities

CVE-2025-26391
CVE-2025-40553
CVE-2025-40554
CVE-2025-40536
CVE-2025-40551
CVE-2025-40537
CVE-2025-40552

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

SolarWinds Security Updates

References

SolarWinds Security Updates

The post SolarWinds Security Updates – 01 February 2026 appeared first on EG-FinCIRT.

Ivanti Security Update – 01 February 2026

Sun, 01 Feb 2026 10:39:10 +0000

18/2026

Critical

February 1, 2026

1:39 pm

Ivanti has released a security update to fix multiple vulnerabilities across Ivanti Endpoint Manager Mobile (EPMM).

The addressed vulnerabilities could allow the unauthenticated attacker to execute arbitrary code and gain access to the affected systems.

Sample of the addressed vulnerabilities:

Ivanti Endpoint Manager Code Execution Vulnerability (CVE-2026-1281):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Gain Access

It should be highlighted that Ivanti is aware of a very limited number of customers whose solution has been exploited at the time of disclosure.

Vulnerabilities

CVE-2026-1281
CVE-2026-1340

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Ivanti Security Advisory

References

Ivanti Security Advisory

The post Ivanti Security Update – 01 February 2026 appeared first on EG-FinCIRT.

Fortinet Security Update – 28 January 2026

Wed, 28 Jan 2026 12:29:30 +0000

17/2026

Critical

January 28, 2026

3:29 pm

Fortinet has released a security update to fix a critical vulnerability across multiple Fortinet products.

addressed vulnerability could allow the attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Fortinet FortiOS, FortiManager, and FortiAnalyzer Security Bypass Vulnerability (CVE-2026-24858):

CVSS: 9.4
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Bypass Security

Sample of the affected products:

FortiAnalyzer version 7.6.0 through 7.6.5.
FortiProxy version 7.6.0 through 7.6.4.
FortiOS version 7.6.0 through 7.6.5.
FortiManager version 7.6.0 through 7.6.5.

It should be highlighted that the vulnerability “CVE-2026-24858” is being exploited in the wild and has not yet been patched. Apply Forti’s official recommendatios for mitigation and risk reduction.

Vulnerabilities

CVE-2026-24858

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Fortinet Security Advisory

References

Fortinet Security Advisory

The post Fortinet Security Update – 28 January 2026 appeared first on EG-FinCIRT.

Grafana Security Updates – 28 January 2026

Wed, 28 Jan 2026 08:48:58 +0000

16/2026

High

January 28, 2026

11:48 am

Grafana has released security updates to fix several vulnerabilities in Grafana Enterprise.

The addressed vulnerabilities could allow the remote attacker to gain elevated privileges or perform denial-of-service attacks on the affected systems.

The addressed vulnerabilities:

1. Grafana Cross-Dashboard Privilege Escalation via Permission Management Vulnerability (CVE-2026-21721):

CVSS: 8.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Gain Privilege

2. Grafana Avatar Cache Unauthenticated DoS Vulnerability (CVE-2026-21720):

CVSS: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Denial-of-Service

Vulnerabilities

CVE-2026-21720
CVE-2026-21721

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Grafana Security Advisory

References

Grafana Security Advisory

The post Grafana Security Updates – 28 January 2026 appeared first on EG-FinCIRT.

Mozilla Firefox Security Update – 28 January 2026

Wed, 28 Jan 2026 08:03:07 +0000

15/2026

High

January 28, 2026

11:03 am

Mozilla has released an updated Firefox version 147.0.2 to fix multiple vulnerabilities.

The addressed vulnerabilities could allow the attacker to bypass security restrictions, corrupt memory, execute arbitrary code, and gain access to the affected system.

Sample of the addressed vulnerabilities:

Mozilla Use-After-Free in the Layout: Scrolling and Overflow Component Vulnerability (CVE-2026-24869):

CVSS: 8.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Consequences: Gain Access

Vulnerabilities

CVE-2026-24868
CVE-2026-24869

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Mozilla Firefox Security Advisory

References

Mozilla Firefox Security Advisory

The post Mozilla Firefox Security Update – 28 January 2026 appeared first on EG-FinCIRT.

Microsoft Security Updates – 27 January 2026

Tue, 27 Jan 2026 11:12:52 +0000

14/2026

High

January 27, 2026

2:12 pm

Microsoft has released a security update to fix a vulnerability across multiple versions of Microsoft Office.

The addressed vulnerability could allow the local attacker to bypass security restrictions to the affected system.

Microsoft Office Security Feature Bypass Vulnerability (CVE-2026-21509):

CVSS: 7.8
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Consequences: Bypass Security

Sample of the affected products:

Microsoft Office 2016 (64-bit edition).
Microsoft Office LTSC 2024 for 64-bit editions.
Microsoft 365 Apps for Enterprise for 64-bit Systems.
Microsoft Office 2019 for 64-bit editions.

It should be highlighted that Microsoft is aware that the zero-day vulnerability “CVE-2026-21509” is being exploited in the wild.

Vulnerabilities

CVE-2026-21509

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Microsoft MSRC

References

Microsoft MSRC

The post Microsoft Security Updates – 27 January 2026 appeared first on EG-FinCIRT.

GNU InetUtils Security Update – 26 January 2026

Mon, 26 Jan 2026 10:39:12 +0000

13/2026

Critical

January 26, 2026

1:39 pm

GNU InetUtils has released a security update to fix a critical vulnerability affecting the telnetd service in GNU InetUtils versions from 1.9.3 through 2.7.

The addressed vulnerability could allow the attacker to bypass authentication controls due to improper handling of the user-supplied USER environment variable. The telnetd service passes this variable directly to /usr/bin/login without adequate sanitization. By setting USER=-f root and initiating a connection using the telnet -a option, the attacker can circumvent the authentication process and gain unauthorized root-level access to the affected system.

GNU Inetutils Security Bypass Vulnerability in telnetd (CVE-2026-24061):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Bypass Security

It should be highlighted that security researchers disclosed a proof-of-concept (PoC) exploit that exists in the wild for vulnerability “CVE-2026-24061”.

Vulnerabilities

CVE-2026-24061

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Openwall Security Update

References

Openwall Security Update

The post GNU InetUtils Security Update – 26 January 2026 appeared first on EG-FinCIRT.

Cisco Security Updates – 22 January 2026

Thu, 22 Jan 2026 10:05:26 +0000

12/2026

High

January 22, 2026

1:05 pm

Cisco has released security updates to fix several vulnerabilities across multiple Cisco products.

The addressed vulnerabilities could allow the attacker to conduct cross-site scripting attacks, escalate privileges, perform denial-of-service attacks, obtain sensitive information, or execute arbitrary commands/code and gain access to the affected systems.

Sample of addressed vulnerabilities:

1. Cisco Unified Communications Products Remote Code Execution Vulnerability (CVE-2026-20045):

CVSS: 8.2
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Gain Access

2. Cisco Intersight Virtual Appliance Privilege Escalation Vulnerability (CVE- 2026-20092):

CVSS: 6
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Consequences: Gain Privileges

Sample of the affected products:

Cisco Unified CM, CM SME, and CM IM&P.
Cisco Unified Customer Voice Portal (CVP) and Unified Intelligence Center (CUIC).
Cisco Intersight Connected Virtual Appliance (CVA).
Cisco ISE and Cisco ISE-PIC.
Cisco EPNM and Cisco Prime Infrastructure.
Cisco IEC6400 Wireless Backhaul Edge Compute Software.
Cisco Virtualized Voice Browser.
Cisco Webex Calling Dedicated Instance.

Vulnerabilities

CVE-2026-20026
CVE-2026-20027
CVE-2026-20029
CVE-2026-20045
CVE-2026-20047
CVE-2026-20055
CVE-2026-20075
CVE-2026-20076
CVE-2026-20080
CVE-2026-20092
CVE-2026-20109

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Cisco Security Updates

References

Cisco Security Updates

The post Cisco Security Updates – 22 January 2026 appeared first on EG-FinCIRT.

Oracle Security Patch Update – 21 January 2026

Wed, 21 Jan 2026 09:44:39 +0000

11/2026

High

January 21, 2026

12:44 pm

Oracle released its patch update for January 2026, containing 337 new security patches for multiple affected products in Oracle and third-party components.

The addressed vulnerabilities could allow the attacker to perform various attacks, such as obtaining sensitive information, conducting denial of service attacks, performing data manipulation, or executing arbitrary code and gaining access to the affected systems.

Sample of the addressed vulnerabilities:

1. Oracle VM VirtualBox Takeover Vulnerability (CVE-2026-21990):

CVSS: 8.2
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Consequences: Gain Access

2. Oracle FLEXCUBE Investor Servicing Security Management System Vulnerability (CVE-2026-21973):

CVSS: 8.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Data Manipulation

Sample of the affected products:

Oracle VM VirtualBox.
Oracle Planning and Budgeting Cloud Service.
Oracle Database Enterprise Edition.
Oracle Agile Product Lifecycle Management for Process.
Oracle Banking Corporate Lending Process Management.
Oracle Financial Services Model Management and Governance.

The complete list of the affected products: Oracle Advisory – January 2026

Vulnerabilities

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Oracle Advisory – January 2026

References

- Oracle Advisory – January 2026
- Oracle Map of CVE to Advisory/Alert

The post Oracle Security Patch Update – 21 January 2026 appeared first on EG-FinCIRT.