EMERGENCY: Two Windows Zero-Days Under Active Attack — One Hits Nearly Every Version
A pair of zero-day vulnerabilities in Microsoft Windows are being actively exploited in the wild. One bug impacts a wide range of builds across Windows 11/10, Windows Server (2012–2022), and legacy editions still operating in factories and branch offices. If your fleet spans the US, EU, UK, AU, or India, treat this as a Code Red incident for both CISO and IT Operations.
Why trust CyberDudeBivash?
- Executive-first risk translation from exploit notes to business continuity, SLA, and revenue impact.
- Guidance aligned to CISA KEV, NIST CSF, ENISA/NIS2, NCSC (UK), ACSC (AU), and CERT-In (India).
- Hands-on Defender/KQL, PowerShell, and Intune/GPO checklists for rapid mitigation.
TL;DR
- What: Two Windows zero-days; one provides privilege escalation / code execution with broad version coverage, the other enables initial access or sandbox escape.
- Impact: Workstations, VDI, RDS hosts, jump boxes, Domain Controllers, and OT/ICS HMIs running Windows variants.
- Active exploitation: Confirmed in the wild. Assume targeted phishing + endpoint post-exploitation frameworks.
- Action now: Enable vendor mitigations, deploy latest updates to canaries and Tier-0, push emergency rings, and monitor IOC/behavior below.
Who’s at Highest Risk?
- Enterprises with mixed vintages (Windows 7/8.1/2012 still around for shop-floor apps or medical/lab devices).
- RDP/WinRM/SMB exposed to the internet, or partners connected via VPN without strict device posture.
- Manufacturing, Healthcare, BFSI, Government, Retail, SaaS in US/EU/UK/AU/IN.
Likely Attack Chains
- Phish → Scripted dropper (JS/HTA/ISO) → LOLBin execution (mshta, rundll32, powershell) → Zero-day for privilege escalation → C2 + credential dumping.
- Browser/Document exploit → sandbox escape → UAC bypass / token theft → AD discovery → lateral movement via SMB/RDP.
Immediate Actions (0–24 Hours)
- Tier-0 first: Domain Controllers, PKI, management servers, hypervisors, and jump hosts — patch ahead of user endpoints.
- Block risky LOLBins: SRP/AppLocker/WDAC deny mshta.exe, wscript.exe, rundll32.exe for non-admin users.
- EDR hardening: Turn on cloud-delivered protection, tamper protection, and ASR rules (Office macros, script abuse, LSASS credential theft).
- Macro/Attachment controls: Strip .js, .hta, .iso, .lnk at the secure email gateway; enable SafeLinks/SafeAttachments.
- Internet-exposed Windows: Put behind ZTNA or VPN with device health; geo/IP throttle; remove direct RDP/SMB exposure.
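As an added example (not code from the original post), one way to implement the "Block risky LOLBins" step with AppLocker from PowerShell: it generates Deny path rules for the three binaries, dry-runs them, then merges them into the local policy in audit mode. Assumptions: the target group SID (BUILTIN\Users by default) and that the local policy already carries the default Allow rules.

```powershell
# Added example, not from the original post. Run elevated on a canary host first.
param(
    [string]$DenyGroupSid = 'S-1-5-32-545',   # BUILTIN\Users (assumption; scope to a standard-user group)
    [switch]$Enforce                          # default: AuditOnly, so the canary ring surfaces breakage first
)
# Caveats: an AppLocker Deny always beats an Allow, so admins who are also members of the
# chosen group are blocked too. Merge only into a policy that already has the default Allow
# rules (check Get-AppLockerPolicy -Effective); an enforced Exe collection with nothing but
# Deny rules blocks every executable that is not explicitly allowed.
$lolbins = 'mshta.exe', 'wscript.exe', 'rundll32.exe'
# Each binary ships in both System32 and SysWOW64 on 64-bit builds; deny both copies.
$paths = foreach ($b in $lolbins) { "%SYSTEM32%\$b"; "%WINDIR%\SysWOW64\$b" }
$mode  = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }

$rules = foreach ($p in $paths) {
    $leaf = Split-Path $p -Leaf
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $leaf ($p)" Description="Zero-day response: LOLBin deny for standard users" UserOrGroupSid="$DenyGroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-lolbins.xml'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Dry run: what the new rules decide for the target group, one blocked and one benign binary.
Test-AppLockerPolicy -XmlPolicy $policyPath -User $DenyGroupSid `
    -Path "$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (use -Ldap <GPO path> instead for a domain GPO).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Nothing is evaluated unless the Application Identity service runs; it is a protected
# service on current builds, so Set-Service may be refused and sc.exe is used instead.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Audit-mode decisions land in the Microsoft-Windows-AppLocker/EXE and DLL event log (event 8003); review those before passing -Enforce.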
Rapid Patch Rings (Intune / SCCM)
- Ring 0 (Canary) — 25–50 diverse endpoints and one non-prod DC.
- Ring 1 (Tier-0) — DCs, management plane, bastions/jump boxes.
- Ring 2 (Critical Biz Apps) — VDI, RDS, file/print, app servers.
- Ring 3 (General Fleet) — All remaining workstations and kiosks.
Detection: Microsoft Defender KQL
```kql
// Script interpreters spawned by Office, a PDF reader or a browser. The original check looked only
// at the grandparent (InitiatingProcessParentFileName); the direct parent is tested as well so that
// winword.exe -> powershell.exe is caught, not just winword.exe -> cmd.exe -> powershell.exe.
let riskyParents = dynamic(["winword.exe","excel.exe","outlook.exe","acrord32.exe","chrome.exe","msedge.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (riskyParents) or InitiatingProcessParentFileName in~ (riskyParents)
| where FileName in~ ("powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName,
          ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessSHA1
```

```kql
// LSASS scraping hallmarks. The comment sits on its own line: in KQL a trailing "//" comment runs to
// the end of the line, so on a single-line query it would swallow the summarize operator.
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("lsass.exe","winlogon.exe","explorer.exe")
| where FileName has_any ("dbghelp.dll","comsvcs.dll","samlib.dll")
| summarize Devices = dcount(DeviceName), Loads = count() by FileName, InitiatingProcessFileName
```
PowerShell: Patch/Build Audit (Run as Admin)
```powershell
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsName, OsArchitecture, OsBuildNumber
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 Source, Description, HotFixID, InstalledOn
```
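As an added example (not code from the original post), a fleet-wide version of that audit: it reads CurrentBuild and UBR from the registry on each host and flags anything below the minimum patched UBR for its build, so patch-ring progress can be measured rather than eyeballed. The host list and the build-to-UBR table are placeholders to fill from the vendor's release notes for the fix; the build numbers in the table are real ones for the listed SKUs.

```powershell
# Added example, not from the original post. Until the placeholder UBRs are replaced with the
# real values from the fix release notes, every host reads EXPOSED (fail closed by design).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),        # placeholder: your inventory / ring membership
    [hashtable]$MinimumUbr = @{
        '22631' = [int]::MaxValue   # Windows 11 23H2  (placeholder UBR, replace)
        '19045' = [int]::MaxValue   # Windows 10 22H2  (placeholder UBR, replace)
        '20348' = [int]::MaxValue   # Server 2022      (placeholder UBR, replace)
        '17763' = [int]::MaxValue   # Server 2019      (placeholder UBR, replace)
    }
)
$probe = {
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $fix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Product     = $cv.ProductName
        Build       = [string]$cv.CurrentBuild
        UBR         = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { $null }   # Win7/2012-era builds have no UBR
        LastHotfix  = $fix.HotFixID
        LastInstall = $fix.InstalledOn
    }
}
$results = foreach ($c in $ComputerName) {
    try {
        if ($c -ieq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop }   # needs WinRM
    } catch {
        [pscustomobject]@{ Host = $c; Product = 'UNREACHABLE'; Build = $null; UBR = $null; LastHotfix = $null; LastInstall = $null }
    }
}
$results | ForEach-Object {
    $required = if ($_.Build) { $MinimumUbr[$_.Build] } else { $null }
    $status = if (-not $_.Build)            { 'UNREACHABLE' }
              elseif ($null -eq $required)  { 'NOT-IN-TABLE (legacy/unsupported build: isolate + virtual patch)' }
              elseif ($null -eq $_.UBR)     { 'NO-UBR (legacy build: check the KB list manually)' }
              elseif ($_.UBR -ge $required) { 'PATCHED' }
              else                          { 'EXPOSED' }
    $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
} | Sort-Object Status | Format-Table Host, Product, Build, UBR, LastHotfix, LastInstall, Status -AutoSize
```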
Hardening Checklist (GPO/Intune)
- Credential Guard + LSA Protection on Windows 10/11 and Server 2019+.
- Disable SMBv1; restrict NTLM; enable LDAP signing and channel binding.
- Exploit Protection profiles (DEP/ASLR/CFG) — enforce for Office and PDF readers.
- Attack Surface Reduction rules: Block Office from creating child processes; Block credential stealing from LSASS; Block executable content from email/webmail.
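An added example (not from the original post) that applies the checklist items that can be scripted on a canary before the GPO/Intune rollout: the three ASR rules in audit mode first, LSA Protection, the SMBv1 server switch, and Exploit Protection mitigations for the document handlers. The rule GUIDs are Microsoft's published identifiers for those rules; the process names are assumptions. Run elevated.

```powershell
# Added example, not from the original post. Run elevated on a canary host first.
param([switch]$Enforce)   # default: ASR in Audit mode; -Enforce flips the same rules to Block
# Published ASR rule GUIDs for the three rules named in the checklist.
$asr = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
$action = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
foreach ($id in $asr.Keys) {
    # Add-MpPreference appends to the rule list; Set-MpPreference would overwrite rules pushed by Intune/GPO.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    "ASR $action -> $($asr[$id])"
}
# Cloud-delivered protection. Tamper protection is switched on in Intune / Security Center, not here,
# and once it is on this line is refused by design, so set cloud protection first.
Set-MpPreference -MAPSReporting Advanced -DisableRealtimeMonitoring $false

# LSA Protection (RunAsPPL), effective after reboot. Credential Guard needs UEFI/VBS and is enabled
# through GPO/Intune, so it is deliberately not toggled blindly here.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL `
    -PropertyType DWord -Value 1 -Force | Out-Null

# SMBv1: the server-side switch takes effect immediately. Removing the component itself
# (Disable-WindowsOptionalFeature SMB1Protocol on clients, Uninstall-WindowsFeature FS-SMB1 on
# Server) needs a reboot, so leave that for the maintenance window.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Exploit Protection for Office and the PDF reader (assumed process names):
# DEP, mandatory ASLR, bottom-up and high-entropy randomisation, CFG.
foreach ($exe in 'winword.exe', 'excel.exe', 'outlook.exe', 'acrord32.exe') {
    Set-ProcessMitigation -Name $exe -Enable DEP, ForceRelocateImages, BottomUp, HighEntropy, CFG
}

# Verify what is now in effect: action 1 = Block, 2 = Audit, 6 = Warn, 0 = Off.
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
}
```

Audit-mode hits appear as event 1122 in the Microsoft-Windows-Windows Defender/Operational log; a week of clean canary data is the usual bar before passing -Enforce to the next ring.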
OT/Factory & Healthcare Notes
For ICS/HMI or medical/lab devices pinned to older Windows builds in India’s Make-in-India plants, EU factories, UK NHS, AU health networks: apply virtual patching (network IPS/WAF), tighten allow-lists, and schedule maintenance windows with vendor validation before reboot.
Compliance & Reporting
- US (CISA/NIST CSF): DE.AE-2 anomalies, PR.IP-12 vulnerability management, RS.MI-1 mitigation.
- EU (NIS2/ENISA): Timely patching and incident handling for essential entities; supplier oversight.
- UK (NCSC CAF): D2 protective tech, M2 detection & log retention.
- AU (ACSC Essential Eight): Patch applications/OS, macro controls, application control, harden MS Office.
- India (CERT-In): 180-day log retention; notifiable incidents within mandated timelines.
C-Suite Brief
Situation: Two Windows zero-days are being exploited. One impacts most supported versions; the other is used for initial access.
Risk: Endpoint takeover, lateral movement to AD, data theft, ransomware downtime.
Action: Emergency patch rings in flight; Tier-0 prioritized; EDR and ASR tightened; external exposures reduced.
Business impact: Patching/reboots during approved windows; user prompts possible due to increased controls.