Advisory ID: ngCERT-2026-040008
SUMMARY
ngCERT is issuing an alert about DeepLoad malware infections that threaten system integrity and enterprise credentials nationwide. DeepLoad is a fileless Windows malware loader delivered primarily through ClickFix-style social engineering. It employs AI-generated obfuscation, in-memory execution, and advanced persistence mechanisms. A successful infection can lead to immediate credential theft, system compromise, persistent access, browser hijacking, lateral movement via infected USB media, and data exfiltration. To mitigate these risks, organisations and individuals are advised to take proactive steps by applying the recommendations captured herein.
DESCRIPTION
DeepLoad malware spreads via ClickFix social engineering, tricking victims with fake browser errors that prompt them to paste malicious PowerShell commands into the Windows Run dialog. The command downloads and executes an obfuscated loader through mshta.exe. Once running, DeepLoad decrypts shellcode in memory, injects it into trusted processes, and pads its code with AI-generated noise to defeat signature-based detection. Persistence is maintained through scheduled tasks and WMI event subscriptions. It can drop a credential stealer (filemanager.exe), install a malicious browser extension, and spread through disguised USB shortcuts. Newer variants employ fileless execution, native API calls, disabled PowerShell history, and randomised artefacts, making detection and cleanup highly challenging.
Damage: Critical
Probability: High
Platform(s): Windows Systems
CONSEQUENCES
Infection with DeepLoad malware can result in:
- System compromise and multi-layered persistence.
- Immediate and ongoing credential theft.
- Installation of rogue browser extensions and browser data interception.
- Lateral movement and widespread network/USB infections.
- Reputational damage.
INDICATORS OF COMPROMISE (IOCs):
1. File Hashes (SHA256):
a. 1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d (filemanager.exe – standalone credential stealer)
b. 6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8 (domain-resolver.js)
c. ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2 (api-client.js)
2. Network Indicators:
a. Staging domains: holiday-updateservice[.]com, forest-entity[.]cc
b. Supporting infrastructure: hell1-kitty[.]cc
SOLUTION/MITIGATION
To reduce risk and impact, organisations should:
- Keep Windows systems and applications patched; DeepLoad's initial access is social engineering rather than an exploit, but patching limits the follow-on exploitation an attacker can perform once inside.
- Deploy Endpoint Detection and Response (EDR) tools with behavioural analysis to identify fileless infections, APC injection, WMI abuse, and suspicious PowerShell activity.
- Enable PowerShell Script Block Logging (Event ID 4104) and monitor for -ep Bypass / -ExecutionPolicy Bypass, mshta.exe launches, and unexpected outbound connections.
- Regularly audit and remove unauthorised WMI event subscriptions and scheduled tasks; treat removable media from potentially infected systems as compromised.
- Implement network segmentation, block known malicious domains, and monitor for anomalous traffic to suspicious infrastructure.
- Train users on ClickFix-style social engineering (never paste commands from browser prompts into Run or PowerShell) and safe browsing practices.
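The following triage script is an added example and is not part of the ngCERT advisory or the cited research. It checks the places the advisory names: the Run dialog history that ClickFix abuses, PowerShell Script Block Logging (event 4104), scheduled task actions, WMI event subscriptions, and the DNS client cache against the advisory's staging domains. The keyword list is an assumption drawn from the advisory text, so tune it for your estate; run it from an elevated PowerShell on the suspect host.

```powershell
# Added example (not the advisory's own tooling): hunt for DeepLoad-style artefacts on one host.
$Patterns = @('mshta', '-ep bypass', '-ExecutionPolicy Bypass', '-w hidden', 'iex', 'Invoke-Expression',
              'DownloadString', 'FromBase64String', 'VirtualAlloc', 'QueueUserAPC', 'filemanager.exe')  # ASSUMPTION
$Domains  = @('holiday-updateservice.com', 'forest-entity.cc', 'hell1-kitty.cc')   # from the IOC section above
$Regex    = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'         # -match is case-insensitive

function Get-RunMruEntries {
    # ClickFix lures paste into Win+R; Explorer records each command here as a single-letter value ending in "\1".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object {
            $cmd = $_.Value -replace '\\1$', ''
            [pscustomobject]@{ Source = 'RunMRU'; Suspicious = ($cmd -match $Regex); Detail = $cmd }
        }
}

function Get-SuspiciousScriptBlocks {
    # Needs Script Block Logging enabled; 4104 events capture the code even when PSReadLine history is disabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Regex } |
        ForEach-Object {
            $text = $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) -replace '\s+', ' '
            [pscustomobject]@{ Source = 'ScriptBlock'; Suspicious = $true; Detail = "$($_.TimeCreated.ToString('s')) $text" }
        }
}

function Get-SuspiciousScheduledTasks {
    # Persistence via a task whose action is a LOLBin (mshta) or a hidden/bypass PowerShell invocation.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $Regex) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Suspicious = $true; Detail = "$($task.TaskPath)$($task.TaskName) -> $cmd" }
            }
        }
    }
}

function Get-RefName($ref) {
    # A CIM reference arrives as a CimInstance (Get-CimInstance) or an object path string (legacy WMI).
    if ($ref -is [string]) { [regex]::Match($ref, 'Name="([^"]+)"').Groups[1].Value } else { $ref.Name }
}

function Get-WmiPersistence {
    # Report every filter-to-consumer binding: a clean install has only a few, and
    # CommandLine/ActiveScript consumers are the classic malware persistence pattern.
    $ns        = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) } | Select-Object -First 1
        $class   = $c.CimClass.CimClassName
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { $class }
        [pscustomobject]@{
            Source     = 'WMI'
            Suspicious = ($class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
            Detail     = "filter='$($f.Query)' consumer=$($c.Name) payload=$payload"
        }
    }
}

function Get-IocDnsHits {
    # A cached answer for a staging domain means something on this host resolved it recently.
    Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
        $rec = $_; $entry = $rec.Entry
        if ($Domains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }) {
            [pscustomobject]@{ Source = 'DNSCache'; Suspicious = $true; Detail = "$entry -> $($rec.Data)" }
        }
    }
}

$Findings = @(Get-RunMruEntries) + @(Get-SuspiciousScriptBlocks) + @(Get-SuspiciousScheduledTasks) +
            @(Get-WmiPersistence) + @(Get-IocDnsHits)
$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The RunMRU check is the quickest confirmation of a ClickFix lure, because the pasted command survives in the registry even after the loader has erased its PowerShell history. File hashes from the IOC section can be compared against dropped binaries with Get-FileHash -Algorithm SHA256; anything the script flags as a WMI CommandLine or ActiveScript consumer should be removed with Remove-CimInstance only after the filter query and consumer payload have been recorded for the incident report.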
HYPERLINK
- https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion
- https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
- https://www.securityweek.com/new-deepload-malware-dropped-in-clickfix-attacks/
- https://socprime.com/active-threats/deepload-malware-pairs-clickfix-delivery/
Advisory ID: ngCERT-2026-040006
SUMMARY
ngCERT has identified a newly disclosed zero-day vulnerability (CVE-2026-33825) affecting the Microsoft Defender Antimalware Platform. The vulnerability was disclosed on 14 April 2026 as part of the Microsoft Patch Tuesday updates. This flaw allows threat actors to perform elevation-of-privilege (EoP) attacks, enabling them to bypass standard access controls and gain SYSTEM-level privileges on affected Windows systems. Although exploitation requires prior access to a target machine, this vulnerability poses a significant risk in post-compromise scenarios and is likely to be exploited by advanced cybercriminals to achieve full system control. Accordingly, ngCERT strongly advises government, private organisations, and the general public to urgently apply the relevant security updates to mitigate potential exploitation.
DESCRIPTION
The vulnerability exists within the Microsoft Defender Antimalware Platform due to insufficient access-control granularity (CWE-1220). This weakness allows improper handling of privileged operations within Defender components. An attacker with local access to a system can exploit this flaw by interacting with vulnerable Defender processes or services in a way that bypasses intended permission boundaries. Successful exploitation results in privilege escalation to the SYSTEM level, the highest privilege tier in Windows environments. Once elevated, the attacker can execute arbitrary code, manipulate system processes, disable security controls, and establish persistent access. This vulnerability is particularly dangerous because Microsoft Defender operates with elevated privileges by default, making it an attractive target for attackers seeking to expand their control after initial compromise. Although the vulnerability does not allow direct remote exploitation, it can be combined with other attack vectors such as phishing, malware infection, or remote code execution to achieve full system compromise.
Damage: Critical
Probability: High
Platform(s): Windows systems
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
- Privilege escalation.
- Security control bypass.
- Persistence.
- Credential theft and lateral movement.
- Full system compromise.
SOLUTION/MITIGATION
The following mitigations are strongly recommended:
- Apply the Microsoft security updates for CVE-2026-33825 immediately.
- Ensure the Defender Antimalware Platform and engine are up to date; platform updates are delivered through Windows Update separately from signature updates, so a current signature set does not imply a patched platform.
- Limit local access: the flaw requires a foothold on the machine, so restrict who can log on to and run code on endpoints.
- Enable Endpoint Detection and Response (EDR) to catch post-exploitation behaviour such as unexpected SYSTEM-level process creation.
- Monitor Defender services for unexpected stops, configuration changes, or tampering.
- Implement application control policies (for example WDAC or AppLocker) to prevent untrusted code from running.
- Conduct regular patch management.
- Maintain user awareness and phishing protection, since phishing is a likely route to the initial foothold.
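An added posture check, not from the advisory or from Microsoft, for the "keep the platform up to date" and "monitor Defender services" recommendations above. It compares the installed Antimalware Platform version with a minimum you take from the MSRC entry for CVE-2026-33825 (the 0.0.0.0 default is a placeholder assumption, not the fixed build), confirms the Defender services are running, and pulls the recent Defender operational events that indicate protection being switched off or updates failing, which is what an attacker holding SYSTEM would do first.

```powershell
# Added example (not the advisory's own tooling): Defender platform version, service state and tamper events.
param(
    [version]$MinimumPlatformVersion = '0.0.0.0',   # ASSUMPTION: replace with the fixed platform version from MSRC
    [int]$LookbackHours = 24
)

function Test-DefenderPlatform {
    param([version]$Minimum)
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        PlatformVersion    = $s.AMProductVersion            # the Antimalware Platform build the CVE is scored against
        EngineVersion      = $s.AMEngineVersion
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = $s.AntivirusSignatureAge
        ServiceEnabled     = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtection   = $s.IsTamperProtected           # blocks the config changes watched for below
        PlatformUpToDate   = ([version]$s.AMProductVersion -ge $Minimum)
    }
}

function Get-DefenderServiceState {
    # WinDefend = antimalware service, WdNisSvc = network inspection, Sense = Defender for Endpoint sensor
    # (Sense is absent on hosts that are not onboarded, which is reported rather than treated as an error).
    foreach ($name in 'WinDefend', 'WdNisSvc', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
            StartType = if ($svc) { $svc.StartType } else { $null }
        }
    }
}

function Get-DefenderTamperEvents {
    param([int]$Hours)
    # Defender operational log IDs: 5001 real-time protection disabled, 5007 configuration changed,
    # 5010 antispyware disabled, 5012 antivirus disabled, 2001 signature update failed.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012, 2001
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-DefenderPlatform -Minimum $MinimumPlatformVersion | Format-List
Get-DefenderServiceState | Format-Table -AutoSize
Get-DefenderTamperEvents -Hours $LookbackHours | Format-Table -AutoSize -Wrap
```

A PlatformUpToDate of False with a current SignatureVersion is the case the second recommendation warns about: Update-MpSignature refreshes definitions only, and the platform build moves with Windows Update. Any 5001/5010/5012 event that was not raised by an administrator's own change should be escalated, and 5007 entries deserve a read because a SYSTEM-level attacker will often add exclusions rather than turn protection off outright.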
HYPERLINK
Advisory ID: ngCERT-2026-040007
SUMMARY
ngCERT has observed a significant rise in high-impact cybersecurity incidents affecting organisations across multiple sectors within Nigeria, driven by phishing, ransomware, business email compromise (BEC), and data breaches. These threats are increasingly enabled by “as-a-service” cybercrime models and AI-driven techniques, allowing threat actors to scale operations and exploit weak security controls across the ecosystem. Private and public sector organisations, particularly the Critical National Information Infrastructure (CNII), are advised to strengthen their cybersecurity posture and remediate identified vulnerabilities urgently.
DESCRIPTION
The surge in cybersecurity incidents in Nigeria reveals a pattern of high-frequency and increasingly sophisticated attacks targeting public and private sector organisations. Threat actors are leveraging phishing campaigns, credential harvesting, ransomware deployment, and exploitation of unpatched systems to gain unauthorised access to networks. The proliferation of phishing-as-a-service and ransomware-as-a-service platforms has lowered the barrier to entry for cybercriminals, enabling coordinated and large-scale attacks. Additionally, the use of automation and artificial intelligence has enhanced cybercriminals' ability to conduct convincing social engineering, evade detection, and exploit vulnerabilities more efficiently. These threats disproportionately affect sectors such as financial services, telecommunications, government institutions, healthcare, and other critical national infrastructure, where data sensitivity and system availability are mission-critical. Many of these incidents are linked to common weaknesses, including poor identity and access management, lack of multi-factor authentication, inadequate patching, low user awareness, and insufficient staff training.
Damage: Critical
Probability: High
Platform(s): Web Applications, Cloud Services and Email
CONSEQUENCES
If successfully exploited, these cybersecurity threats may result in:
- Financial losses due to fraud, ransomware payments, and incident response costs.
- Operational disruption, including system downtime and service outages.
- Unauthorized access to systems and compromise of sensitive data.
- Data breaches/exfiltration leading to privacy violations and regulatory penalties.
- Reputational damage and erosion of customer and stakeholder trust.
- Compromise of critical infrastructure, with potential national security implications.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Enforce multi-factor authentication (MFA) across all critical systems and services.
- Implement endpoint detection and response (EDR/XDR) and continuous network monitoring.
- Regularly patch and update systems, applications, and network devices.
- Adopt a Zero Trust security model and enforce least-privilege access controls.
- Conduct regular vulnerability assessments and penetration testing.
- Strengthen employee cybersecurity awareness through training and phishing simulations.
- Encrypt sensitive data and maintain secure, offline backups to mitigate ransomware risks.
- Organisations are further advised to promptly report confirmed incidents to ngCERT or call 090 5555 4499 for timely support and coordinated response, in line with the National Cybersecurity Policy and Strategy 2015 (as amended 2024).
HYPERLINK
Advisory ID: ngCERT-2026-040009
SUMMARY
ngCERT alerts all critical sectors to the persistent and escalating threat of Distributed Denial-of-Service (DDoS) attacks within Nigeria's cyberspace. Threat actors are leveraging botnets, amplification techniques, and exploitation of known vulnerabilities to disrupt the availability of essential services within government and private systems. These attacks are increasingly multi-vector and may be combined with other malicious activities, posing significant risks to national resilience and economic stability. Organisations are strongly advised to review their DDoS preparedness posture against this advisory and ensure it aligns with national incident response frameworks.
DESCRIPTION
A DDoS attack is a coordinated cyber operation in which multiple compromised systems, often forming botnets of infected servers, endpoints, and Internet of Things (IoT) devices, are used to overwhelm a target system, network, or application with excessive traffic, thereby exhausting its resources and rendering services unavailable to legitimate users. These attacks may manifest as volumetric floods that saturate bandwidth, protocol attacks that exhaust connection state in network and transport-layer devices, or application-layer attacks that mimic legitimate user requests to evade detection. Threat actors frequently exploit known vulnerabilities such as CVE-2018-10561, CVE-2021-44228, CVE-2019-19781, CVE-2018-7600, and CVE-2020-25705 to compromise systems and expand botnet infrastructure, while also employing reflection and amplification techniques (e.g., DNS, NTP, Memcached) to significantly magnify attack traffic: the attacker sends small requests with the victim's spoofed source address to open reflectors, which return much larger responses to the victim.
Damage: Critical
Probability: High (CVSS scores 6.6–10.0 for the referenced CVEs)
Platform(s): All Internet-facing domains and services
CONSEQUENCES
A successful attack may result in:
- Disruption of critical services and prolonged system downtime.
- Financial losses due to operational interruption and mitigation costs.
- Degradation of national critical infrastructure resilience.
- Reputational damage and erosion of public trust.
- Exploitation as a diversion for ransomware or data exfiltration attacks.
- Exposure to regulatory and compliance sanctions.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Activate incident response and escalate internally.
- Engage ISPs for traffic filtering and mitigation.
- Enable DDoS protection (scrubbing, rate limiting, filtering).
- Block malicious IPs and restrict non-essential traffic.
- Patch vulnerabilities, including CVE-2021-44228, CVE-2019-19781, and CVE-2018-7600.
- Harden systems and disable unused services.
- Deploy Web Application Firewalls and Intrusion Prevention Systems, and anti-DDoS solutions.
- Implement anti-spoofing (ingress/egress source-address filtering) per IETF Best Current Practice 38 (BCP 38, RFC 2827), so that hosts on your network cannot emit packets with forged sources and be used as reflection participants.
- Ensure redundancy, load balancing, and auto-scaling.
- Monitor traffic continuously and detect anomalies.
- Report any incidents to ngCERT and share IOCs.
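An added example, not part of the advisory, of what the "monitor traffic continuously and detect anomalies" and BCP 38 items look like in practice when run over exported flow records. The flow lines are constructed for illustration, and the field order, thresholds, reflector port list and the site prefix 203.0.113.0/24 are assumptions to adapt to your own collector. It flags three things the description above discusses: amplified replies arriving from reflector service ports, per-target byte rates that exceed a paging threshold, and egress flows whose source address does not belong to the site (a BCP 38 violation, and what an internal bot taking part in a reflection attack would emit).

```powershell
# Added example (not the advisory's own tooling): DDoS triage over constructed flow records.
$Flows = @'
ts,src,sport,dst,dport,proto,packets,bytes
2026-04-14T10:00:01,198.51.100.7,11211,203.0.113.10,40001,udp,1200,1740000
2026-04-14T10:00:01,198.51.100.8,11211,203.0.113.10,40002,udp,1100,1595000
2026-04-14T10:00:01,198.51.100.9,53,203.0.113.10,40003,udp,900,3100000
2026-04-14T10:00:02,192.0.2.50,123,203.0.113.10,40004,udp,800,440000
2026-04-14T10:00:02,203.0.113.22,52000,192.0.2.80,443,tcp,40,61000
2026-04-14T10:00:02,10.99.0.5,40000,198.51.100.20,11211,udp,500,7500
2026-04-14T10:00:03,203.0.113.30,53,198.51.100.40,33000,udp,5,1200
'@ | ConvertFrom-Csv   # CONSTRUCTED sample; a real export comes from your NetFlow/IPFIX collector

$SitePrefix         = '203.0.113.'   # ASSUMPTION: the site's own address space (collector sits at the edge)
$Reflectors         = @{ 53 = 'DNS'; 123 = 'NTP'; 11211 = 'Memcached'; 1900 = 'SSDP'; 19 = 'Chargen' }
$AvgBytesThreshold  = 500            # reflector replies averaging above this per packet are suspicious
$TargetBpsThreshold = 1MB            # inbound bytes per target per second that should page someone

function Find-Amplification {
    # Inbound UDP whose SOURCE port is a reflector service and whose packets are large: the target
    # never asked, it is receiving amplified answers to requests that carried its spoofed address.
    $Flows | Where-Object { $_.proto -eq 'udp' -and $Reflectors.ContainsKey([int]$_.sport) -and $_.dst.StartsWith($SitePrefix) } |
        ForEach-Object {
            $avg = [int]$_.bytes / [int]$_.packets
            if ($avg -ge $AvgBytesThreshold) {
                [pscustomobject]@{ Kind = 'Amplification'; Service = $Reflectors[[int]$_.sport]; Reflector = $_.src
                                   Target = $_.dst; AvgPacketBytes = [math]::Round($avg) }
            }
        }
}

function Find-FloodTargets {
    # Aggregate inbound bytes per destination per second; many distinct sources in one second is the botnet signature.
    $Flows | Where-Object { $_.dst.StartsWith($SitePrefix) } |
        Group-Object dst, ts | ForEach-Object {
            $bytes   = ($_.Group | ForEach-Object { [long]$_.bytes } | Measure-Object -Sum).Sum
            $sources = ($_.Group.src | Select-Object -Unique).Count
            if ($bytes -ge $TargetBpsThreshold) {
                [pscustomobject]@{ Kind = 'Flood'; Target = $_.Group[0].dst; Second = $_.Group[0].ts
                                   Bytes = $bytes; DistinctSources = $sources }
            }
        }
}

function Find-SpoofedEgress {
    # BCP 38: every flow leaving the site must carry a site source address. With the collector at the
    # edge, a flow with neither endpoint in the site prefix is spoofed egress (here an RFC 1918 source
    # firing small requests at a Memcached port, i.e. this site acting as the attacker's launch point).
    $Flows | Where-Object { -not $_.src.StartsWith($SitePrefix) -and -not $_.dst.StartsWith($SitePrefix) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'SpoofedEgress'; Source = $_.src; Destination = $_.dst; DestPort = $_.dport } }
}

$Report = @(Find-Amplification) + @(Find-FloodTargets) + @(Find-SpoofedEgress)
$Report | Format-Table -AutoSize
```

On the constructed records the script reports four amplification flows (two Memcached, one DNS, one NTP) against 203.0.113.10, one flood second for that target at roughly 6.4 MB from three sources, and one spoofed egress flow from 10.99.0.5. The amplification and flood findings are what you hand the ISP for upstream filtering; the spoofed-egress finding is the one to fix locally with an egress ACL, because it means the site is a participant rather than only a victim.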
HYPERLINK
Advisory ID: ngCERT-2026-040004
SUMMARY
ngCERT alerts on multiple critical Remote Code Execution (RCE) vulnerabilities in the Windows Routing and Remote Access Service (RRAS), tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. These vulnerabilities affect enterprise Windows systems leveraging RRAS for VPN and remote access management. Successful exploitation could allow attackers to execute arbitrary code over a network, leading to full system compromise. Organisations and individuals are strongly advised to apply the Microsoft-released security updates, including out-of-band hot patches, to address these flaws.
DESCRIPTION
RRAS is the Windows service that provides routing, VPN, and remote connectivity features. It is affected by multiple critical remote code execution (RCE) vulnerabilities identified as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, arising from improper handling of network responses and memory structures. These flaws can be exploited when an authenticated attacker tricks a domain user into interacting with a malicious RRAS server or sends crafted network requests via the RRAS management interface. The vulnerabilities, particularly CVE-2026-26111, involve integer overflow conditions that lead to memory corruption and enable execution of attacker-controlled code over the network. Collectively, these issues allow low-privileged attackers to leverage legitimate RRAS operations to gain remote code execution on affected systems.
Damage: Critical (CVSS 8.0)
Probability: High
Platform(s): Windows
CONSEQUENCES
Exploitation of these vulnerabilities may result in:
- Remote Code Execution (RCE)
- Full System Compromise.
- Unauthorized Access.
- Lateral Movement.
- Service Disruption.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Apply Microsoft security patches immediately.
- Restrict RRAS access to trusted networks.
- Disable RRAS if not needed.
- Implement network segmentation and enforce least privilege access controls.
- Monitor for suspicious activity and configure firewall protections.
- Use IDS/IPS solutions to detect and prevent attacks.
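An added example, not from the advisory or from Microsoft, covering the "disable RRAS if not needed" and "restrict RRAS access to trusted networks" items above. It inventories RRAS exposure on a host (service state, which VPN listener ports are open, the inbound firewall rules that expose them, and whether a given update KB is installed) and, with -Remediate, either disables the service or scopes the listener rules to trusted address ranges. The trusted ranges and the KB0000000 placeholder are assumptions; take the KB number from the MSRC entries linked below.

```powershell
# Added example (not the advisory's own tooling): RRAS exposure inventory and hardening on one host.
param(
    [switch]$Remediate,
    [switch]$RrasRequired,                                           # set when this host legitimately serves VPN/routing
    [string[]]$TrustedRemote = @('10.0.0.0/8', '192.168.0.0/16'),    # ASSUMPTION: ranges allowed to reach RRAS
    [string]$FixKb = 'KB0000000'                                     # ASSUMPTION: replace with the KB from MSRC
)

# Ports RRAS listens on, by tunnel type. 443 is shared with any web server on the host,
# so an SSTP hit is only meaningful if RRAS itself is running.
$RrasPorts = @(
    @{ Port = 1723; Proto = 'TCP'; Use = 'PPTP' },
    @{ Port = 1701; Proto = 'UDP'; Use = 'L2TP' },
    @{ Port = 500;  Proto = 'UDP'; Use = 'IKE' },
    @{ Port = 4500; Proto = 'UDP'; Use = 'IKEv2/NAT-T' },
    @{ Port = 443;  Proto = 'TCP'; Use = 'SSTP' }
)

function Get-RrasExposure {
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $listening = foreach ($p in $RrasPorts) {
        $open = if ($p.Proto -eq 'TCP') {
            Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue
        } else {
            Get-NetUDPEndpoint -LocalPort $p.Port -ErrorAction SilentlyContinue
        }
        if ($open) { [pscustomobject]@{ Port = $p.Port; Proto = $p.Proto; Use = $p.Use } }
    }
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Routing and Remote Access|RRAS|VPN|Secure Socket Tunneling' }
    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType        = if ($svc) { $svc.StartType } else { $null }
        ListeningPorts   = $listening
        InboundRules     = $rules.DisplayName
        FixInstalled     = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)   # hotpatches may not list here
    }
}

function Invoke-RrasHardening {
    param([bool]$Required)
    if (-not $Required) {
        # Advisory: disable RRAS if not needed. Stop it and block restarts; on Windows Server the role
        # can be removed outright with Uninstall-WindowsFeature RemoteAccess.
        Stop-Service -Name RemoteAccess -Force -ErrorAction SilentlyContinue
        Set-Service  -Name RemoteAccess -StartupType Disabled
        return
    }
    # Advisory: restrict RRAS to trusted networks. Scope every enabled inbound rule on an RRAS port
    # to the trusted ranges. 443 is skipped because scoping it would also cut off any web service.
    foreach ($p in $RrasPorts | Where-Object { $_.Port -ne 443 }) {
        Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq $p.Proto -and "$($_.LocalPort)" -eq "$($p.Port)" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and "$($_.Enabled)" -eq 'True' } |
            Set-NetFirewallRule -RemoteAddress $TrustedRemote
    }
}

$exposure = Get-RrasExposure
$exposure | Format-List
if ($Remediate) { Invoke-RrasHardening -Required:$RrasRequired }
```

Run it read-only first across the estate to find hosts where RemoteAccess is running but nobody owns a VPN, which are the ones to disable. For hosts that do need RRAS, the firewall scoping is a stop-gap until FixInstalled is true; it does not help against the client-side variant the description mentions, where a user is lured to a malicious RRAS server, which is why patching remains the first item on the list.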
HYPERLINK
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25172
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25173
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26111
- https://www.esecurityplanet.com/threats/microsoft-issues-hotpatch-for-windows-11-rras-rce-bugs/
- https://www.sentinelone.com/vulnerability-database/cve-2026-25173/