Apple Patches iOS CVE-2026-28950 Exposing Deleted Signal Messages

Apple on Wednesday released emergency iOS and iPadOS updates addressing CVE-2026-28950, a vulnerability that allowed recovery of deleted messages, including Signal chats that law enforcement accessed during investigations. The flaw affected dozens of iPhone and iPad models, from the iPhone XR through the iPhone 16e.

Microsoft Defender Zero-Day Sees Active Exploitation

Microsoft patched CVE-2026-33825 on April 14, but not before attackers exploited the privilege escalation vulnerability in the wild using publicly available proof-of-concept code. According to Huntress, the first attacks leveraging the public exploit were observed on April 10.

The vulnerability, dubbed “BlueHammer” by researcher Chaotic Eclipse, earned a CVSS score of 7.8. Microsoft describes it as an elevation of privilege bug rooted in insufficient access control granularity. The flaw is a time-of-check to time-of-use (TOCTOU) race condition in Defender’s signature update mechanism.

BlueHammer attack sequence:

  • Uses opportunistic locks (oplocks) to suspend Defender operations
  • Triggers signature updates to trick Defender into copying the Security Account Manager (SAM) database
  • Parses the SAM hive and decrypts users’ NT hashes
  • Temporarily changes all user passwords to gain System permissions

Huntress identified suspicious FortiGate SSL VPN access tied to compromised environments, including source IPs geolocated to Russia. Attackers deployed all three techniques published by Chaotic Eclipse: BlueHammer, RedSun, and UnDefend.

Apple’s iOS Notification Vulnerability Details

CVE-2026-28950 stems from a logging issue where notifications marked for deletion remained on devices. Apple’s security update addresses the flaw through improved data redaction across iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8.

The vulnerability reportedly allowed FBI forensic teams to extract Signal messages from an alleged Antifa member’s iPhone during the Prairieland case. Despite Signal’s disappearing message settings and the app having been uninstalled, message previews persisted in a system cache accessible through forensic tools.

Affected devices include:

  • iPhone XR through iPhone 16 series
  • 5th generation iPad mini through iPad Pro 13-inch (M4)
  • Multiple iPad generations and variants

Signal praised Apple’s quick response, noting that no user action is required beyond installing the patch. The fix automatically deletes inadvertently preserved notifications and prevents future retention of notifications for deleted applications.

CrowdStrike and Tenable Address Critical Flaws

CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability in its LogScale product. The flaw enables remote attackers to read arbitrary files from server filesystems, though Next-Gen SIEM customers remain unaffected.

According to CrowdStrike’s advisory, the company discovered the vulnerability internally and found no evidence of in-the-wild exploitation in its review of log data. LogScale SaaS customers received automatic mitigation, while self-hosted customers must update to patched versions.

Tenable addressed CVE-2026-33694, a high-severity vulnerability in the Nessus vulnerability scanner on Windows. Tenable’s advisory warns that the flaw could allow attackers to delete arbitrary files with System privileges via junction exploitation, potentially leading to arbitrary code execution with elevated privileges.

AI-Powered Vulnerability Discovery Emerges

Anthropic’s Project Glasswing demonstration highlighted AI’s growing role in security research, successfully identifying vulnerabilities that traditional automated tools missed. The AI model discovered a 16-year-old FFmpeg flaw that had survived five million automated fuzzing passes.

According to Dark Reading analysis, the FFmpeg discovery exposes fundamental limitations in enumeration-based security tools. While traditional scanners match known patterns, AI models can “read” code contextually like human analysts, identifying previously unknown vulnerabilities.

The coalition backing Glasswing includes AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, and Palo Alto Networks, signaling industry recognition of AI’s potential in vulnerability research.

What This Means

The convergence of AI-discovered vulnerabilities and active zero-day exploitation demonstrates the evolving threat landscape. Apple’s rapid iOS patch following law enforcement exploitation shows how quickly privacy vulnerabilities can impact users, while the in-the-wild exploitation of the Defender flaw highlights enterprise security risks.

Traditional security tools’ inability to catch the FFmpeg flaw despite millions of automated passes suggests organizations need complementary AI-assisted analysis. The Russian-linked attacks on Microsoft Defender indicate state-sponsored actors actively monitor vulnerability disclosures for rapid weaponization.

For enterprises, these incidents emphasize the need for immediate patching and comprehensive endpoint monitoring beyond signature-based detection.

FAQ

How quickly should organizations patch CVE-2026-33825?
Immediately. Active exploitation began within days of public disclosure, and the vulnerability grants full System privileges from low-privilege accounts.

Does the Apple iOS vulnerability affect other messaging apps?
Yes, the notification logging issue affects any app using iOS notifications. The vulnerability preserves message previews in system cache regardless of the app’s deletion policies.

Can AI tools like Glasswing replace traditional vulnerability scanners?
Not yet. While AI excels at contextual code analysis, traditional scanners remain essential for known pattern matching and compliance scanning. AI tools complement rather than replace existing security infrastructure.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.