Exploits and vulnerabilities in Q1 2026

What Happened

In the first quarter of 2026, the number of discovered software vulnerabilities continued to grow, partly because artificial intelligence tools are getting better at finding them. Hackers are actively using these flaws to attack Windows, Linux, and Microsoft Office systems, as well as new AI applications. This matters because attackers can use these weaknesses to sneak into networks, steal data, or take control of computers. To stay safe, organizations and individuals should immediately apply the latest security updates and patches to all their software.

Key Takeaways

• Vulnerability registrations are rising, driven by the use of AI agents for discovering security issues.
• Threat actors are chaining new Microsoft Office and Windows OS vulnerabilities (e.g., CVE-2026-21509, CVE-2026-21514, CVE-2026-21513) for initial access via LNK files.
• Metasploit has reclaimed the top spot among C2 frameworks used in APT attacks, followed by Sliver and Havoc.
• AI-related software vulnerabilities (Clawdbot, LangChain, OpenCode) are emerging as new, highly exploitable attack vectors.
• Legacy vulnerabilities (e.g., CVE-2018-0802, CVE-2017-11882) continue to account for a massive share of exploit detections.

Affected Systems

• Windows OS
• Linux OS
• Microsoft Office
• Internet Explorer MSHTML engine
• BeyondTrust
• Apache ActiveMQ
• Microsoft SharePoint
• OpenClaw
• LangChain
• OpenCode

Vulnerabilities (CVEs)

• CVE-2018-0802
• CVE-2017-11882
• CVE-2017-0199
• CVE-2023-38831
• CVE-2025-6218
• CVE-2025-8088
• CVE-2026-21509
• CVE-2026-21514
• CVE-2026-21513
• CVE-2022-0847
• CVE-2019-13272
• CVE-2021-22555
• CVE-2023-32233
• CVE-2023-46604
• CVE-2024-12356
• CVE-2026-1731
• CVE-2023-36884
• CVE-2025-53770
• CVE-2026-21519
• CVE-2026-21533
• CVE-2026-25253
• CVE-2026-34070
• CVE-2026-22812

Attack Chain

Attackers leverage phishing campaigns delivering malicious LNK or specially crafted Microsoft Office files to exploit logic flaws and bypass Protected View (e.g., CVE-2026-21509, CVE-2026-21514, CVE-2026-21513). Upon successful initial access, they utilize C2 frameworks like Metasploit or Sliver to establish persistence and control. Privilege escalation is then achieved using local vulnerabilities such as RegPwn (CVE-2026-21533) or DWM flaws (CVE-2026-21519) to gain SYSTEM-level access.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can detect the exploitation of Office applications, anomalous child processes from Word/Excel, and privilege escalation attempts via registry modifications (RegPwn). Network Visibility: Medium — Network monitoring can catch C2 framework traffic (Metasploit, Sliver) and unauthenticated requests to vulnerable web services, though encryption may obscure payloads. Detection Difficulty: Moderate — While known CVEs have established detection patterns, the chaining of logic flaws and use of LNK files can evade basic static analysis.

Required Log Sources

• Windows Event Logs (Security)
• Sysmon
• EDR Process Telemetry
• Web Application Firewall (WAF) Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for Microsoft Office applications (winword.exe, excel.exe) spawning unusual child processes or making unexpected network connections, indicating potential exploitation of Office vulnerabilities.	EDR Process Telemetry	Execution	Low
Monitor for unauthorized modifications to Remote Desktop Services (RDS) registry keys, which may indicate an attempt to exploit RegPwn (CVE-2026-21533) for privilege escalation.	Windows Registry Logs	Privilege Escalation	Low
Search for unauthenticated WebSocket connections to OpenClaw AI agents that result in large data transfers, potentially indicating credential leakage via CVE-2026-25253.	Network Traffic Logs	Credential Access	Medium

Control Gaps

• Lack of timely patching for edge devices and web applications
• Insufficient monitoring of AI agent interactions (e.g., OpenClaw, LangChain)

Key Behavioral Indicators

• Anomalous LNK file execution leading to MSHTML engine activity
• Unexpected registry modifications targeting RDS components
• Unauthenticated WebSocket queries to AI agents extracting sensitive data

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Apply security patches for all listed CVEs, prioritizing Microsoft Office, Windows OS, and exposed web frameworks.
• Update BeyondTrust, Apache ActiveMQ, and Microsoft SharePoint to their latest secure versions.

Infrastructure Hardening

• Implement strict network segmentation to limit the blast radius of compromised edge devices or web applications.
• Restrict access to AI agent interfaces (e.g., OpenClaw WebSockets, OpenCode HTTP servers) using authentication and network firewalls.

User Protection

• Enforce Protected View and Application Guard for Microsoft Office documents.
• Deploy EDR solutions to monitor for anomalous process executions originating from LNK files or Office applications.

Security Awareness

• Train employees to recognize phishing attempts, particularly those involving suspicious LNK files or unexpected Office document attachments.

MITRE ATT&CK Mapping

• T1566.001 - Phishing: Spearphishing Attachment
• T1203 - Exploitation for Client Execution
• T1068 - Exploitation for Privilege Escalation
• T1190 - Exploit Public-Facing Application
• T1059 - Command and Scripting Interpreter

Additional IOCs

• File Paths:
  • langchain_core/prompts/loading.py - LangChain framework file associated with insecure configuration handling in CVE-2026-34070