// #endpoint-security
5 articles
BitLocker Bypass CVE-2026-50507 and the Physical Security Gap in Laptop Data Protection
CVE-2026-50507 bypasses BitLocker pre-boot authentication on devices using TPM-only mode, enabling data access from a stolen device without the Windows login password. With corporate laptops regularly carrying sensitive data, financial information, and cached credentials, the physical theft scenario this vulnerability enables has significant business impact beyond IT.
CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update
CISA's 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010 indicating re-exploitation of outdated systems in active campaigns.
Windows 11 Yielded Four Independent LPE Paths at Pwn2Own Berlin — Kernel Attack Surface Analysis
By the close of Pwn2Own Berlin 2026, researchers had demonstrated four separate, independently discovered privilege escalation paths from standard user to SYSTEM on fully patched Windows 11. Each exploited a different component and vulnerability class. The results indicate the Windows kernel and user/kernel boundary remain a consistently productive attack surface for skilled researchers.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now
A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.
Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption
Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.
Commentary tagged #endpoint-security
BitLocker Gives You Compliance, Not Security Against Determined Attackers
The YellowKey BitLocker bypass demonstrates what practitioners have known for years: BitLocker deployed in its default TPM-only configuration satisfies regulatory checkboxes but does not protect against an adversary with physical access or WinRE trigger capability. The compliance requirement and the security requirement are not the same thing, and conflating them leaves organisations with an expensive false assurance.
CipherWatch Editorial
Security Intelligence Platform
BYOVD Is a Commodity Technique Now — Your EDR Vendor Knows
Qilin's Warlock toolkit, capable of disabling over 300 security tools using Bring Your Own Vulnerable Driver techniques, is not a nation-state capability — it is an affiliate-accessible ransomware tool. EDR is a necessary control. It is not a sufficient one, and the industry's marketing has outpaced what the technology can actually guarantee.
CipherWatch Editorial
Security Intelligence Platform