CVE-2026-50656: Windows Defender Patch Introduces Disk Exhaustion Vulnerability

A recent patch for the Windows Defender zero-day vulnerability, RoguePlanet (CVE-2026-50656), which previously allowed remote administrative control of Windows 10 and 11, has introduced a new flaw enabling attackers to exhaust disk space. The researcher NightmareEclipse, who initially disclosed RoguePlanet, identified that "defense-in-depth" additions in the Microsoft Malware Protection Engine update cause mpengine.dll to leak 8 bytes of data when opening files, with new SpyNet functionality also contributing. Attackers can exploit this by configuring a custom Server Message Block (SMB) server to deliver a malicious file followed by a massive Zone.Identifier Alternative Data Stream (ADS) file. Windows Defender will attempt to cache this large ADS file locally, bypassing typical size limits, and if the SMB server maintains the connection without responding to read requests, Defender will hang, continuously writing data and consuming all available disk space, leading to system instability. This issue further escalates an ongoing dispute between NightmareEclipse and Microsoft concerning vulnerability disclosures.

Severity: Critical

Threat Details and IOCs

Malware: Banana RAT, DOGLEASH, JARLEASH, LONGLEASH, Rokarolla, RustDuck, ShortLeash, SmartRAT, Xctdoor
CVEs: CVE-2020-17103, CVE-2026-33825, CVE-2026-41091, CVE-2026-45498, CVE-2026-45585, CVE-2026-45586, CVE-2026-50507, CVE-2026-50656
Technologies: Microsoft Defender Antivirus, Microsoft Windows, Microsoft Windows Server
Threat Actors: ChaoticEclipse, DeadEclipse, Eclipse, MSNightmare, Nightmare Eclipse, NightmareEclipse, UAT-5918
Attacker Countries: China, India, Iran, Russia, Singapore, Switzerland
Attacker Domains: blog[.]projectnightcrawler[.]dev, deadeclipse666[.]blogspot[.]com, git[.]projectnightcrawler[.]dev, projectnightcrawler[.]dev
Attacker URLs: hxxps[://]blog[.]projectnightcrawler[.]dev/posts/2026-06-16-rogueplanet-another-quick-statement/, hxxps[://]github[.]com/0xBlackash/CVE-2026-50656, hxxps[://]github[.]com/MSNightmare/RoguePlane, hxxps[://]github[.]com/MSNightmare/RoguePlanet, hxxps[://]git[.]projectnightcrawler[.]dev/NightmareEclipse/RoguePlanet, hxxps[://]git[.]projectnightcrawler[.]dev/NightmareEclipse/RoguePlanet/src/branch/main/RoguePlanet.cpp#L78086
Victim Industries: Financial, Industrial Control Systems, Industrial Sector, Information Technology, Technology Hardware
Victim Countries: United Kingdom, United States

Mitigation Advice

  • Verify that all Windows 10 and Windows 11 endpoints have the Microsoft Malware Protection Engine updated to the latest version to confirm mitigation for CVE-2026-50656.
  • Configure system monitoring tools to generate high-priority alerts for rapid and anomalous decreases in available disk space on Windows workstations and servers.
  • Implement a firewall rule to block all outbound SMB traffic (TCP port 445) from the corporate network to the internet.
  • In your Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) platform, create a rule to alert on sustained, high disk I/O activity from the Microsoft Defender Antivirus process (MsMpEng.exe).

Compliance Best Practices

  • Develop and implement a network segmentation strategy that restricts SMB (TCP port 445) communication to only authorized endpoints and servers, following the principle of least privilege.
  • Evaluate and deploy a non-Microsoft Endpoint Detection and Response (EDR) solution to provide a secondary layer of endpoint protection and telemetry, independent of the native Microsoft security stack.
  • Conduct a formal risk assessment to weigh the security benefits of Microsoft's cloud-delivered protection (MAPS/SpyNet) against the potential risk of exploitation from vulnerabilities like the one described, before making any policy changes to disable the feature.
Sources

https://arstechnica.com/security/2026/07/patch-for-windows-defender-0-day-could-allow-attackers-to-fill-hard-disk/

https://buaq.net/go-423884.html

https://buaq.net/go-427939.html

https://buaq.net/go-427944.html

https://cyberpress.org/microsoft-rogueplanet-defender-0-day/

https://exploit-intel.com/vuln/CVE-2026-50656

https://gbhackers.com/microsoft-confirms-rogueplanet-zero-day-exploit/

https://it.slashdot.org/story/26/06/17/2030228/microsoft-working-to-patch-rogueplanet-zero-day?utm_source=rss1.0mainlinkanon&utm_medium=feed

https://meterpreter.org/rogueplanet-cve-2026-50656/

https://securityonline.info/rogueplanet-defender-zero-day/

https://thecyberexpress.com/cve-2026-50656-rogueplanet-windows-defender/

https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html

https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html

https://threatprotect.qualys.com/2026/06/18/microsoft-defender-zero-day-vulnerability-exploited-in-attacks-cve-2026-50656-rogueplanet/

https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-rogueplanet-defender-zero-day-vulnerability/

https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/

https://www.darkreading.com/vulnerabilities-threats/microsoft-rogueplanet-zero-day-threat

https://www.helpnetsecurity.com/2026/06/17/rogueplanet-zero-day-cve-2026-50656/

https://www.helpnetsecurity.com/2026/07/09/microsoft-releases-fix-for-rogueplanet-defender-flaw-cve-2026-50656/

https://www.malwarebytes.com/blog/news/2026/06/microsoft-working-on-a-fix-for-rogueplanet-a-flaw-that-grants-full-pc-control

https://www.malwarebytes.com/blog/news/2026/07/microsoft-fixes-rogueplanet-zero-day-in-defender

https://www.morphisec.com/blog/microsoft-defender-zero-day-rogueplanet-when-your-detector-becomes-the-attack-surface/

https://www.scworld.com/brief/microsoft-releases-patch-for-defender-zero-day-vulnerability-rogueplanet

https://www.securitylab.ru/news/573889.php

https://www.securityweek.com/microsoft-patches-defender-rogueplanet-vulnerability/

https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/

https://www.techradar.com/pro/security/microsoft-says-its-hard-at-work-on-a-patch-for-this-worrying-defender-zero-day

https://www.theregister.com/security/2026/07/09/microsoft-closes-book-on-nightmare-eclipses-rogueplanet-zero-day/5269280


WP-SHELLSTORM: Exposed Server Unveils Operations Targeting 1.4M Sites

An exposed Python SimpleHTTPServer instance, left open for 22 days, revealed the full operational toolkit, logs, and target lists of a financially motivated cybercrime group, now tracked as WP-SHELLSTORM. This operation targeted over 1.4 million domains, weaponized 27 CVEs, and deployed more than 5,700 active webshells. The exposed directory, located at 137.175.93[.]126, contained 800MB of webshells, exploit scripts, scan results, bash history, and C2 configurations. Attribution points to a Chinese-linked actor, evidenced by the system user "tance," the handle "chen-kk," use of FOFA (a Chinese reconnaissance tool), and Simplified Chinese comments in the code. Beyond WordPress, the actor also targeted Apache Nacos, XXL-Job, and Spring Boot infrastructure, exploiting vulnerabilities like CVE-2021-29441 (Nacos authentication bypass) to exfiltrate 613 configuration files from 11 victim systems in May 2026, obtaining cloud credentials, database connection strings, and Alipay RSA private keys. The primary webshell, `down.php`, is a heavily obfuscated BestShell derivative, capable of extensive post-exploitation activities, while a dropper named SNOWLIGHT deploys the VShell implant, which renames its process to `[kworker/0:2]` for stealth. Key vulnerabilities exploited include Breeze Cache (CVE-2026-3844), ThemeREX Addons (CVE-2026-1969), and Joomla JCE (CVE-2026-48907). The actor attempted to cover tracks by deleting log entries after discovery, but weak operational security, including exposed FOFA config and hardcoded webshell credentials, facilitated the investigation. Defense measures include blocking known infrastructure (137.175.93[.]126, 43.108.17[.]80, 113.196.56[.]150, xs.xxooonline[.]eu[.]cc), scanning for specific webshell filenames and hashes (e.g., `down.php` SHA256: 84F7E396A48913851A10CC78C5CC22A25634564ABD0694465236D2F365E2BDEE), monitoring for suspicious `[kworker/X:Y]` processes, upgrading Nacos to 2.2.1+ with authentication enabled, securing XXL-Job and Spring Boot endpoints, and updating or disabling targeted WordPress/Joomla plugins.

Severity: Critical

Threat Details and IOCs

Malware: BlueBeam, Godzilia, Godzilla, Godzilla Webshell, SNOWLIGHT, VShell
CVEs: CVE-2020-25213, CVE-2020-36847, CVE-2021-29441, CVE-2025-12057, CVE-2025-34085, CVE-2025-7443, CVE-2025-7852, CVE-2026-0740, CVE-2026-1969, CVE-2026-3300, CVE-2026-3844, CVE-2026-48907, CVE-2026-6433
Technologies: Alibaba Cloud, Alibaba Nacos, Amazon Web Services, DigitalOcean, Joomla!, Linux, Oracle Cloud, Oracle Java, Oracle MySQL, PHP, Pivotal Spring Boot, Tencent Cloud, WordPress, XXL-JOB
Threat Actors: ChenKk, Tance, Unc5174, Uteus, WPShellstorm
Attacker Countries: China
Attacker IPs: 113[.]196[.]56[.]150, 113[.]196[.]59[.]51, 137[.]175[.]93[.]126, 43[.]108[.]17[.]80
Attacker Emails: chenyk@163[.]com, email protected
Attacker Domains: xs[.]xxooonline[.]eu[.]cc
Attacker Hashes: 84f7e396a48913851a10cc78c5cc22a25634564abd0694465236d2f365e2bdee
Victim Industries: Consumer Electronics, E-commerce, Electronics, Financial Technology, Gaming, Logistics, Retail
Victim Countries: China, United States

Mitigation Advice

  • Add the IP addresses 137.175.93.126, 43.108.17.80, and 113.196.56.150 to your network firewall blocklist.
  • Block the domain xs.xxooonline.eu.cc in your DNS filtering service and web proxy.
  • Scan all web server file systems for files matching the patterns: .bd.php, .wp-log.php, .brq-*.php, .sd.php, .leo_*.php, .wvp-*.php, .cc-*.php, .nf-log.php, BZ_*.phtml.
  • Use your EDR or file scanning tools to search all systems for a file with the SHA256 hash 84F7E396A48913851A10CC78C5CC22A25634564ABD0694465236D2F365E2BDEE.
  • On Linux hosts, investigate any running process named '[kworker/X:Y]' to verify its executable path is a legitimate kernel path and not a masquerading implant.
  • Audit all WordPress sites for the presence of vulnerable plugins mentioned in the article (Breeze Cache, ThemeREX Addons, Simple File List, Custom CSS JS PHP, WavePlayer, BerqWP, Ninja Forms, WPBookit, WP File Manager) and update them to the latest patched version immediately.
  • Audit all Joomla sites to identify and immediately update any vulnerable versions of the JCE component to a patched version.
  • Upgrade all Apache Nacos instances to version 2.2.1 or later to mitigate the authentication bypass vulnerability (CVE-2021-29441).
  • Verify that all Apache Nacos instances have authentication enabled by setting 'nacos.core.auth.enabled=true' in the configuration.
  • Review all production Spring Boot applications and disable the '/actuator/heapdump' endpoint.
  • Identify all XXL-Job executor endpoints and ensure they require authentication and are not directly exposed to the internet.

Compliance Best Practices

  • Implement a centralized secrets management solution, such as HashiCorp Vault, to store and manage all application credentials, API keys, and tokens, removing them from configuration files.
  • Establish an Attack Surface Management (ASM) program to continuously scan for and inventory all internet-facing assets, identifying and remediating exposures like open ports and unauthenticated services.
  • Develop and implement a formal vulnerability management program that includes regular automated scanning, risk-based prioritization of vulnerabilities, and defined SLAs for patching.
  • Conduct a thorough audit of all systems that may have been exposed to the Nacos authentication bypass (CVE-2021-29441) and execute a phased rotation of all associated credentials, including database passwords, cloud keys, and API tokens.
  • Design and implement a network segmentation strategy that isolates critical application components from each other and from the public internet, applying the principle of least privilege to network traffic.
  • Develop and deploy custom detection rules in your SIEM and EDR platforms to alert on behaviors specific to this campaign, such as process masquerading as '[kworker/X:Y]' and the creation of files with suspicious PHP extensions in web directories.
  • Deploy a Web Application Firewall (WAF) in front of all public-facing web applications and create a long-term plan to tune its rulesets to block common attack patterns like SQL injection, file inclusion, and known exploit attempts.
Sources

https://socradar.io/blog/wp-shellstorm-expose-1-4m-wordpress-sites/

https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html

https://www.esecurityplanet.com/threats/wp-shellstorm-exposed-hackers-backdoored-thousands-of-wordpress-websites/


Linux FUSE Vulnerability Allows Unprivileged Users to Pop a Root Shell

A critical Linux kernel vulnerability, tracked as CVE-2026-31694, exists within the FUSE subsystem, enabling unprivileged local users to achieve root privilege escalation. This flaw, present in the `fuse_add_dirent_to_cache()` function (fs/fuse/readdir.c), stems from a 24-byte heap overflow past the end of a page cache page. Specifically, when the `FOPEN_CACHE_DIR` flag is enabled, an attacker can craft a FUSE directory entry with a `namelen` of 4095 bytes, resulting in a 4120-byte record that exceeds the standard 4 KiB `PAGE_SIZE` on `x86_64` systems. This overflow allows for controlled corruption of the page cache, which can be exploited by strategically placing the oversized FUSE directory entry page immediately before the `.init` section of a cached SUID binary, such as `/usr/bin/su` on Ubuntu 26.04 with a vulnerable 7.0 kernel. The injected payload, minimal `x86_64` shellcode calling `setuid(0)` and `setgid(0)`, executes with root privileges before the normal authentication flow, granting a root shell. This vulnerability affects Linux kernels from v6.16-rc1 onwards, particularly on systems with 4 KiB page sizes where unprivileged FUSE mounts are possible. The issue is resolved by commit `51a8de6c50bf947c8f534cd73da4c8f0a13e7bed`, which prevents caching directory entries larger than ``PAGE_SIZE`.` Recommended mitigations include deploying kernel updates, stripping the setuid bit from `fusermount3` if not essential, and restricting or disabling unprivileged user namespaces to reduce the attack surface.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2026-31694
Technologies: Linux Kernel
Attacker Emails: brauner@kernel[.]org, mszeredi@redhat[.]com, nightu@northwestern[.]edu, sam@bynar[.]io, tpluszz77@gmail[.]com
Attacker Domains: bynar[.]io, gmail[.]com, kernel[.]org, northwestern[.]edu, patch[.]msgid[.]link, redhat[.]com, vger[.]kernel[.]org
Attacker URLs: hxxps[://]patch[.]msgid[.]link/20260420090139.662772-1-mszeredi@redhat.com
Attacker Hashes: 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed

Mitigation Advice

  • Scan all Linux hosts to identify systems running kernel versions v6.16-rc1 or later and flag them as vulnerable to CVE-2026-31694.
  • Apply the latest available kernel security updates from your Linux distribution to all identified vulnerable systems to patch CVE-2026-31694.
  • On vulnerable systems where immediate patching is not feasible, remove the setuid permission from the `fusermount3` binary using the command `chmod u-s /usr/bin/fusermount3`.
  • On vulnerable systems where immediate patching is not feasible, disable unprivileged user namespaces by setting the kernel parameter `kernel.unprivileged_userns_clone=0` via sysctl.

Compliance Best Practices

  • Establish a recurring process to audit all Linux systems for SUID and SGID binaries, and create a baseline of approved executables, removing permissions from any that are not required for business operations.
  • Develop and implement a formal security policy that restricts the use of unprivileged user namespaces, enabling them only on systems where they are explicitly required and approved for applications like container runtimes.
Sources

https://cyberpress.org/linux-fuse-page-cache-overflow/

https://gbhackers.com/linux-fuse-vulnerability/

https://securityonline.info/linux-kernel-fuse-cve-2026-31694/

https://sploitus.com/exploit?id=B1A34079-E8F9-5174-9297-C9EF365CAE42


Jscrambler npm Supply Chain Attack Steals Cloud Credentials and Crypto Wallet Secrets

A malicious actor compromised the Jscrambler npm package, publishing trojanized versions that deployed a hidden, cross-platform credential-stealing payload. This supply chain attack targeted developers, build pipelines, and CI/CD systems, aiming to exfiltrate source code, cloud credentials, deployment tokens, and sensitive environment variables. The initial malicious release, `jscrambler@8.14.0`, detected on July 11, 2026, utilized an undocumented `preinstall` hook to execute `node dist/setup.js`, which then launched a hidden executable from `dist/intro.js`. Subsequent compromised versions, including `8.16.0`, `8.17.0`, `8.18.0`, and `8.20.0`, evolved their delivery methods; versions `8.18.0` and `8.20.0` injected a self-executing dropper into `dist/index.js` and `dist/bin/jscrambler.js`, activating upon dependency import or CLI execution. The Rust-based payload, using ChaCha20-Poly1305 for string concealment, extensively targeted cloud credentials (AWS, Google Cloud, Azure tokens and keys), cryptocurrency wallet data (MetaMask, Trust Wallet, Coinbase Wallet, Phantom, Exodus seed phrases and vault data), and configuration files from AI coding assistants and developer tools (Claude Desktop, Cursor, VS Code API keys). It also sought browser data, Discord, Slack, Telegram, Steam information, system keyrings, and developer secrets, exfiltrating data via TLS-based multipart POST requests. Organizations must immediately identify and remove installations of these affected versions, rotating all potentially exposed secrets, including npm tokens, cloud keys, GitHub tokens, deployment credentials, API keys, and cryptocurrency wallet credentials. Jscrambler confirmed the unauthorized publishing, revoked compromised credentials, deprecated malicious versions, and released `jscrambler@8.22.0` as a clean update.

Severity: Critical

Threat Details and IOCs

Malware: CanisterWorm, Mini Shai-Hulud, PhantomRaven, SHA1-Hulud, Shai-Hulud, Shai-Hulud 2.0
CVEs: CVE-2026-45321
Technologies: Amazon Web Services, Anthropic Claude, Apple macOS, Bitwarden, Cursor, Discord, Git, GitHub, Google Cloud Platform, HashiCorp Vault, Jscrambler, Kubernetes, Linux, Microsoft Azure AI, Microsoft Entra ID, Microsoft Windows, Node.js, npm, Slack, TanStack, Telegram
Threat Actors: CipherForce, DeadCatx3, MegaGame10418, Miasma, PCPcat, PersyPCP, PhantomRaven, SHADOW-WATER-058, ShellForce, TeamPCP
Attacker IPs: 1[.]1[.]1[.]1, 23[.]254[.]164[.]123, 23[.]254[.]164[.]92
Attacker Domains: check[.]torproject[.]org, metadata[.]google[.]internal, packages[.]storeartifact[.]com, server[.]exodus[.]io
Attacker URLs: check[.]torproject[.]org/api/ip, github[:]antvis/G2#1916faa365f2788b6e193514872d51a242876569, hxxp[:]//packages.storeartifact.com/npm/@acme-types/acme-package
Attacker Hashes: 1916faa365f2788b6e193514872d51a242876569, a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86, a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60, b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903, c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd, fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
Victim Industries: Automotive, Cloud Infrastructure, Cryptocurrency, E-commerce, Financial Services, Financial Technology, Gaming, Healthcare, Information Security, Information Technology, Manufacturing, Media Streaming Distribution, Public Sector, Software, Technology Hardware
Victim Countries: France, Germany, Romania, United States

Mitigation Advice

  • Scan all software projects, dependency lock files (e.g., package-lock.json), and build environments to identify any use of malicious Jscrambler package versions: 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0.
  • Add the SHA-256 hashes for the malicious loaders and platform-specific executables provided in the article to your Endpoint Detection and Response (EDR) platform's blocklist to prevent execution.
  • Using your SIEM or forensic tools, search all endpoints and servers for files matching the SHA-256 hashes provided in the Indicators of Compromise list, including dist/setup.js, dist/intro.js, and the OS-specific payloads.
  • On all systems where malicious versions were found, remove the package and upgrade to the clean Jscrambler version 8.22.0 or higher. Rebuild any affected projects from a clean state.
  • Immediately begin rotating all potentially exposed cloud credentials, including AWS, Google Cloud, and Microsoft Azure keys, tokens, and service account files on developer workstations and in CI/CD environments.
  • Immediately rotate all developer platform credentials, including npm tokens, GitHub tokens, and other API keys stored in configuration files or environment variables on developer machines and CI/CD systems.
  • Force a logout and credential rotation for users on potentially affected systems for communication platforms like Slack, Discord, and Telegram.
  • Isolate any developer workstations or CI/CD runners where malicious Jscrambler versions were installed from the network pending full remediation and investigation.

Compliance Best Practices

  • Configure all CI/CD pipelines and developer environments to use `npm install --ignore-scripts` by default. Establish a formal exception and review process for packages that require lifecycle scripts to run.
  • Evaluate and implement a software supply chain security platform to scan third-party dependencies for malicious code, unexpected lifecycle scripts, and other high-risk characteristics before they are integrated into projects.
  • Re-architect CI/CD pipelines and developer workflows to use short-lived, ephemeral credentials for accessing cloud resources, such as using OIDC federation with cloud provider IAM roles, instead of storing static, long-lived keys.
  • Implement strict egress filtering rules for developer workstations and CI/CD environments to block outbound traffic to non-essential or unknown destinations, allowing connections only to an approved list of services.
  • Develop and mandate a recurring security training program for all developers focusing on software supply chain risks, secure dependency management practices, and how to identify suspicious packages.
Sources

https://gbhackers.com/grafana-confirms-tanstack-npm-supply-chain-attack/

https://gbhackers.com/jscrambler-npm-supply-chain-attack-steals-cloud-credentials/

https://jfrog.com/blog/npm-v12-from-implicit-to-explicit-trust/

https://securityboulevard.com/2026/07/jscrambler-npm-package-compromised-a-security-vendor-becomes-the-supply-chain-risk/

https://www.hendryadrian.com/jscrambler-npm-package-compromised-in-supply-chain-attack/


Dell BIOS Passwords: Weak XOR Encryption Allows Recovery from SPI Flash (CVE-2026-40639)

Dell BIOS administrator and user passwords are stored as XOR-encrypted plaintext in the DVAR region of the SPI flash chip, not as a one-way hash, leading to a critical vulnerability tracked as CVE-2026-40639 (DSA-2026-197). This scheme encrypts a 32-byte password field with a 20-byte key, but the first character remains unencrypted. For passwords up to 12 characters, the unused null-padded tail of the field directly leaks the entire 20-byte key, allowing for instant, exact recovery from a flash dump without brute force. Longer passwords are also vulnerable because the key derivation is largely static per device (only 256 possible keys based on the unencrypted first character) and the log-structured DVAR store retains historical password records, which can leak the full key if a shorter, historically used password shared the same first character. Exploitation requires physical access to the device to read the SPI flash, either with a hardware programmer or by booting an attacker-controlled operating system. This vulnerability affects a range of Dell platforms, including the current-generation Wyse 5070 thin client, Dell Latitude E7250, Latitude 7490, and XPS 15 9560, all of which utilize the SystemPwSmm SMM driver. While newer models like the OptiPlex 3000 use a more secure SHA-256 hashing mechanism, many vulnerable systems remain unpatched, including end-of-life devices. Recovering the BIOS password grants an attacker full BIOS access, enabling changes to boot order, disabling Secure Boot, and potentially bypassing full disk encryption if the BIOS password is part of the boot chain protection. Recommendations include hashing passwords with strong algorithms (e.g., PBKDF2, bcrypt, Argon2), ensuring encryption keys are sufficiently long and not derivable from plaintext, encrypting all password components, securely wiping historical records, and for defenders, assuming BIOS passwords are recoverable with physical access, implementing Secure Boot with enrolled keys, TPM-measured boot, and robust physical security controls.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2026-40639
Technologies: Dell Client Platform BIOS, Dell Latitude, Dell Wyse, Microsoft Windows
Attacker Domains: bios-pw[.]org
Attacker URLs: hxxps[://]github[.]com/R3n5k1/dellpwn, hxxps[://]github[.]com/R3n5k1/unlocked-and-leaked, hxxps[://]www[.]mdsec[.]co[.]uk/2026/07/dell-bios-passwords-weak-xor-encryption-allows-recovery-from-spi-flash-cve-2026-40639/
Victim Industries: Education, Financial Services, Government, Healthcare, Manufacturing, Retail

Mitigation Advice

  • Identify all Dell models listed in Dell Security Advisory DSA-2026-197 and apply the corresponding BIOS updates immediately.
  • Create an inventory of all Dell client hardware models and their current BIOS versions to identify systems vulnerable to CVE-2026-40639.
  • Review and reinforce physical security controls for all Dell client devices, especially laptops that travel and thin clients located in public-facing areas.
  • For vulnerable devices that cannot be patched immediately, enforce a temporary policy requiring BIOS passwords to be a minimum of 13 characters long.

Compliance Best Practices

  • Develop and implement a hardware lifecycle policy to replace end-of-life models that will not receive security patches for vulnerabilities like CVE-2026-40639.
  • Implement a centralized management solution, such as Dell Command | Configure, to enforce unique BIOS administrator passwords for each device across the fleet.
  • Implement Secure Boot across the Dell fleet using organization-controlled, enrolled keys instead of the default manufacturer keys.
  • Configure full disk encryption (e.g., BitLocker) to use a Trusted Platform Module (TPM) and validate boot configuration integrity by binding encryption keys to the correct Platform Configuration Registers (PCRs).
  • Update the corporate asset disposal policy to mandate the secure wiping of BIOS/UEFI non-volatile memory (NVRAM) in addition to storage drives before devices are resold or recycled.
  • Enable and configure BIOS-level chassis intrusion detection on supported Dell desktops and configure alerting within your security monitoring tools.
Sources

https://cyberpress.org/dell-bios-recover-passwords-spi-flash/

https://gbhackers.com/dell-bios-flaw-extract-plaintext-password-brute-force/

https://www.mdsec.co.uk/2026/07/dell-bios-passwords-weak-xor-encryption-allows-recovery-from-spi-flash-cve-2026-40639/


Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5