<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>IT Security &#8211; Ilja Schlak InfoSec Blog</title>
	<atom:link href="https://ilja-schlak.de/en/category/it-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://ilja-schlak.de/en/</link>
	<description></description>
	<lastBuildDate>Tue, 07 Apr 2026 17:27:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://ilja-schlak.de/wp-content/uploads/2019/10/favicon_ilja_schlak_IT-1-150x150.png</url>
	<title>IT Security &#8211; Ilja Schlak InfoSec Blog</title>
	<link>https://ilja-schlak.de/en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>BSI C5 2026: New Criteria Catalogue for Cloud Security</title>
		<link>https://ilja-schlak.de/en/bsi-c5-2026-criteria-catalogue-cloud-computing/</link>
					<comments>https://ilja-schlak.de/en/bsi-c5-2026-criteria-catalogue-cloud-computing/#respond</comments>
		
		<dc:creator><![CDATA[Ilja Schlak]]></dc:creator>
		<pubDate>Tue, 07 Apr 2026 17:26:26 +0000</pubDate>
				<category><![CDATA[IT Security]]></category>
		<guid isPermaLink="false">https://ilja-schlak.de/?p=2307</guid>

					<description><![CDATA[<p>BSI C5 2026 is published! With the BSI C5 2026, Germany&#8217;s Federal Office for Information Security has released the next generation of its criteria catalogue for secure cloud computing. The new edition replaces the C5:2020 version, integrates current threats such as post-quantum risks, and establishes a closer alignment with the European Cybersecurity Certification Scheme for...</p>
<p>The post <a rel="nofollow" href="https://ilja-schlak.de/en/bsi-c5-2026-criteria-catalogue-cloud-computing/">BSI C5 2026: New Criteria Catalogue for Cloud Security</a> appeared first on <a rel="nofollow" href="https://ilja-schlak.de/en/">Ilja Schlak InfoSec Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>BSI C5 2026 is published! With the BSI C5 2026, Germany&#8217;s Federal Office for Information Security has released the next generation of its criteria catalogue for secure cloud computing. The new edition replaces the C5:2020 version, integrates current threats such as post-quantum risks, and establishes a closer alignment with the European Cybersecurity Certification Scheme for Cloud Services (EUCS). For regulated industries, the bar for secure cloud services has been raised noticeably.</p>
<h2>What the BSI C5 2026 delivers</h2>
<p>The Cloud Computing Compliance Criteria Catalogue has been Germany&#8217;s most important security standard for cloud providers and cloud users since 2016. It translates complex security requirements into auditable criteria and creates comparability between providers. C5 audits are carried out by certified public auditors who, after a successful examination, attest that a cloud provider meets the defined security criteria.</p>
<p>With the publication of the <a href="https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2026/260407_C5_Cloud_Computing.html" rel="nofollow noopener" target="_blank">BSI C5 2026</a>, the agency takes the technological developments of recent years into account. In terms of content and structure, the catalogue is closely aligned with the work on the European certification scheme EUCS and can in parts be read as its German interpretation. The current versions of the CSA Cloud Controls Matrix v4, ISO/IEC 27001:2022, and the NIS2 Directive were also taken into consideration.</p>
<h2>New topics in the criteria catalogue</h2>
<p>Three subject areas are addressed explicitly for the first time in the BSI C5 2026. Container management receives significantly more detailed requirements than in the previous version, reflecting a technology that has long become standard in modern cloud architectures. Confidential computing is anchored as an independent subject area, closing a gap that previous audit catalogues had barely been able to capture.</p>
<p>Particular attention should be paid to the inclusion of post-quantum cryptography. Chapter 5.8 contains comprehensive requirements for effective encryption, including the use of hybrid procedures intended to harden algorithms that are foreseeably becoming too weak. With this, the BSI is responding to a development that will only become operationally relevant for many cloud providers in the coming years, but whose preparation must already begin today.</p>
<p>Existing topics have been sharpened. Multi-tenancy separation and supply chain management are addressed more specifically than before. Classic areas such as the protection of customer data and incident management also remain a fixed component of the catalogue.</p>
<h2>Structural changes and machine readability</h2>
<p>Structurally, the catalogue has been significantly revised. C5 criteria now consist of distinct sub-criteria. Additional criteria are classified according to whether they sharpen existing basic criteria with stricter requirements or complement them with new requirements. This differentiation is intended to make auditing, mapping, and evaluation easier.</p>
<p>An important innovation will follow shortly: the catalogue will be made available in a machine-readable format for the first time, with YAML, XLSX, and PDF planned in both German and English. This will simplify its use within governance, risk, and compliance processes and create a common language for how cloud security is described, audited, and assessed. For the automation of audit processes and the integration into existing compliance platforms, this is a central step.</p>
<h2>Relevance for regulated industries</h2>
<p>For many sectors, a C5 attestation is hardly a voluntary distinction but rather a de facto market access requirement. In the digital healthcare sector, a <a href="https://www.heise.de/news/BSI-veroeffentlicht-aktualisierten-Cloud-Kriterienkatalog-C5-2026-10379847.html" rel="nofollow noopener" target="_blank">Type 2 attestation</a> has been mandatory since July 2025 whenever patient data is processed in a cloud environment. The C5 also serves as a key standard in the banking sector, in digital financial services, and for government bodies.</p>
<p>The effort required for a formal attestation remains high. The audit is extensive and cost-intensive, making it primarily feasible for established providers. For smaller and mid-sized cloud providers, the hurdle remains, even though the machine-readable provision of the catalogue may help reduce manual effort in the long run.</p>
<p>In addition to the security criteria described in the C5, the BSI plans to publish general sovereignty criteria for cloud computing solutions in the near future. This will create a second framework that addresses not only security questions but also aspects of digital sovereignty.</p>
<h2>Recommendations for cloud providers and users</h2>
<p>Cloud providers should carry out a gap analysis between their current setup and the requirements of the BSI C5 2026 at an early stage. Particular attention should be paid to the new subject areas of container management, post-quantum cryptography, and confidential computing, as these are where the largest gaps in existing environments are to be expected. Supply chain processes should also be reviewed, since the sharpened criteria call for stricter evidence regarding the security of subcontractors.</p>
<p>Cloud users should examine, in ongoing procurement procedures, whether existing C5:2020 attestations from their providers include a credible roadmap for the transition to the new catalogue. Information security officers should incorporate the catalogue into internal risk assessments at an early stage, particularly where regulatory requirements such as NIS2, DORA, or healthcare-sector obligations apply.</p>
<p>The post <a rel="nofollow" href="https://ilja-schlak.de/en/bsi-c5-2026-criteria-catalogue-cloud-computing/">BSI C5 2026: New Criteria Catalogue for Cloud Security</a> appeared first on <a rel="nofollow" href="https://ilja-schlak.de/en/">Ilja Schlak InfoSec Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://ilja-schlak.de/en/bsi-c5-2026-criteria-catalogue-cloud-computing/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Microsoft February 2026 Patch Tuesday &#8211; 6 Zero-Day Vulnerabilities Patched</title>
		<link>https://ilja-schlak.de/en/microsoft-february-2026-patch-tuesday/</link>
					<comments>https://ilja-schlak.de/en/microsoft-february-2026-patch-tuesday/#respond</comments>
		
		<dc:creator><![CDATA[Ilja Schlak]]></dc:creator>
		<pubDate>Wed, 11 Feb 2026 08:00:37 +0000</pubDate>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://ilja-schlak.de/?p=2053</guid>

					<description><![CDATA[<p>Microsoft February 2026 Patch Tuesday fixes 6 zero-day vulnerabilities in Windows and Office. See the affected CVEs, risk context, and how to prioritize a fast, phased rollout.</p>
<p>The post <a rel="nofollow" href="https://ilja-schlak.de/en/microsoft-february-2026-patch-tuesday/">Microsoft February 2026 Patch Tuesday &#8211; 6 Zero-Day Vulnerabilities Patched</a> appeared first on <a rel="nofollow" href="https://ilja-schlak.de/en/">Ilja Schlak InfoSec Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The <a href="https://www.microsoft.com/en-us/msrc/blog/2026/02/202602-security-update" rel="nofollow noopener" target="_blank">Microsoft February 2026 Patch Tuesday</a> addresses six zero-day vulnerabilities that Microsoft categorized before release as either already exploited or publicly disclosed. For IT and security teams, this is a clear signal to accelerate rollout, because the affected bug classes in Windows and Office environments often enable exactly the steps attackers need to establish and maintain reliable access.</p>
<h2>Microsoft February 2026 Patch Tuesday at a glance</h2>
<p>Microsoft ships cumulative updates on its Patch Tuesday cadence to remediate security vulnerabilities in Windows and related components. In February 2026, the standout aspect is the mix of six zero-days. Three entries are security feature bypasses, two are elevation-of-privilege vulnerabilities, and one is a local denial-of-service. This combination matters operationally because security feature bypasses often undermine protection layers in end-user workflows, while elevation of privilege is typically used after an initial foothold to increase permissions and take fuller control of the host.</p>
<p>The key prioritization factor is less how many fixes are included in a given month and more which attack surfaces sit on common enterprise paths. When zero-days are involved, patching should remain part of the standard change process but be pulled forward in time. This is especially important for devices and roles that process user-supplied content or host privileged sessions.</p>
<h2>Microsoft February 2026 Patch Tuesday and the 6 zero-day CVEs</h2>
<p>The six zero-day CVEs in the February release affect several core areas. At a high level, they involve Windows Shell, the MSHTML framework, Microsoft Word, Desktop Window Manager, Windows Remote Desktop Services, and the Remote Access Connection Manager. In many environments, at least one of these areas is highly exposed, either through user interaction, remote workflows, or administrative operating models.</p>
<ul>
<li>CVE-2026-21510, Windows Shell, Security Feature Bypass</li>
<li>CVE-2026-21513, MSHTML Framework, Security Feature Bypass</li>
<li>CVE-2026-21514, Microsoft Word, Security Feature Bypass</li>
<li>CVE-2026-21519, Desktop Window Manager, Elevation of Privilege</li>
<li>CVE-2026-21533, Windows Remote Desktop Services, Elevation of Privilege</li>
<li>CVE-2026-21525, Windows Remote Access Connection Manager, Denial of Service</li>
</ul>
<p>For practical assessment, the impact of each category matters. A security feature bypass reduces the effectiveness of existing protections that act as “seatbelts” in everyday workflows. An elevation-of-privilege issue is often the step attackers use after initial access to expand control. A local denial-of-service can affect availability and, in some cases, serve as a disruption or diversion mechanism, for example when stable remote-access functionality is required.</p>
<h2>Microsoft February 2026 Patch Tuesday and security feature bypasses in Windows and Office</h2>
<p>The three security feature bypasses affect components that are closely tied to user interaction in many environments. CVE-2026-21510 in Windows Shell is especially relevant wherever users frequently work with files, links, and shortcuts. CVE-2026-21513 in the MSHTML framework affects an area that can still matter in certain rendering or compatibility contexts. CVE-2026-21514 in Microsoft Word targets an attack surface that is constantly present in enterprises, because Office documents are routine across email, collaboration platforms, and file shares.</p>
<p>For <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-21514" rel="nofollow noopener" target="_blank">CVE-2026-21514</a>, the risk class is clearly described as bypassing a security decision, which is relevant for common Office attack patterns where the effectiveness of protections in document workflows is critical.</p>
<h2>Microsoft February 2026 Patch Tuesday and privilege escalation in Windows</h2>
<p>Elevation-of-privilege vulnerabilities are rarely the first entry point, but they are a strong multiplier once an attacker already has code execution in a user context. CVE-2026-21519 in Desktop Window Manager is a typical example, because a successful jump to higher privileges significantly expands options for persistence, credential access, and lateral movement. In environments with a homogeneous client fleet or in VDI pools, a single reliable escalation path can lead to fast, wide-scale impact.</p>
<p>The technical classification of CVE-2026-21519, including the linkage maintained by authorities to known exploitation signals, is available on the <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-21519" rel="nofollow noopener" target="_blank">NVD page for CVE-2026-21519</a>. For security teams, this means systems with high privilege concentration and dense session activity should be patched early in the rollout wave.</p>
<h2>Microsoft February 2026 Patch Tuesday and RasMan DoS in remote-access environments</h2>
<p>CVE-2026-21525 affects the Windows Remote Access Connection Manager (RasMan). This is not a Remote Desktop session manager; it is the service responsible for remote-access connections such as dial-up and VPN. If you want to validate the role of the service in Windows and understand security-relevant operational considerations, the service description is documented in the <a href="https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#remote-access-connection-manager" rel="nofollow noopener" target="_blank">Windows services security guidance for Remote Access Connection Manager on Microsoft Learn</a>. Operationally, the DoS case is most relevant where remote-access functionality is business-critical or where stability in remote workflows is tightly tied to IT service availability.</p>
<h2>How to prioritize Microsoft February 2026 Patch Tuesday effectively</h2>
<p>For an effective rollout, a phased strategy that combines exposure and blast radius works best. The first wave should cover systems where a successful attack would have the greatest impact or where attack surfaces are used most frequently. This typically includes administrative workstations, jump hosts, shared systems, VDI pools, and Remote Desktop hosts and terminal servers. Endpoints that process large volumes of Office documents and regularly receive external content should also be high priority.</p>
<p>The second wave can cover standard clients and servers without special exposure, provided they are not used for privileged tasks. Systems with tight change windows should not be deferred without compensating controls to bridge the time to patching. These include stricter rules for risky file types, reduced attack surface in Office workflows, stronger hardening for privileged accounts, and closer monitoring of process chains that are typical for initial execution followed by privilege escalation.</p>
<h2>Conclusion</h2>
<p>The Microsoft February 2026 Patch Tuesday is a high-urgency release because of the six zero-day CVEs. The affected categories align with common enterprise attack paths, from bypassing protections in end-user workflows to local privilege escalation. Focusing rollout waves on the most exposed roles and closing compliance there first reduces risk fastest and with the greatest effect.</p>
<p>The post <a rel="nofollow" href="https://ilja-schlak.de/en/microsoft-february-2026-patch-tuesday/">Microsoft February 2026 Patch Tuesday &#8211; 6 Zero-Day Vulnerabilities Patched</a> appeared first on <a rel="nofollow" href="https://ilja-schlak.de/en/">Ilja Schlak InfoSec Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://ilja-schlak.de/en/microsoft-february-2026-patch-tuesday/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>OpenSSH RCE Vulnerability CVE-2024-6387</title>
		<link>https://ilja-schlak.de/en/openssh-rce-schwachstelle-cve-2024-6387/</link>
					<comments>https://ilja-schlak.de/en/openssh-rce-schwachstelle-cve-2024-6387/#respond</comments>
		
		<dc:creator><![CDATA[Ilja Schlak]]></dc:creator>
		<pubDate>Sun, 07 Jul 2024 10:52:47 +0000</pubDate>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[Current Vulnerabilities]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://ilja-schlak.de/openssh-rce-schwachstelle-cve-2024-6387/</guid>

					<description><![CDATA[<p>OpenSSH RCE Vulnerability &#8211; Overview: The OpenSSH RCE vulnerability, known as &#8220;regreSSHion&#8221; (CVE-2024-6387), poses a worrying threat to millions of systems worldwide. This vulnerability, discovered by the Qualys Threat Research Unit, is a race condition in the signal handler of the OpenSSH server (sshd) on glibc-based Linux systems. It enables unauthenticated remote code execution (RCE) with...</p>
<p>The post <a rel="nofollow" href="https://ilja-schlak.de/en/openssh-rce-schwachstelle-cve-2024-6387/">OpenSSH RCE Vulnerability CVE-2024-6387</a> appeared first on <a rel="nofollow" href="https://ilja-schlak.de/en/">Ilja Schlak InfoSec Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2>OpenSSH RCE Vulnerability</h2>
<h3>Overview</h3>
<p>The OpenSSH RCE vulnerability, known as &#8220;regreSSHion&#8221; (CVE-2024-6387), poses a worrying threat to millions of systems worldwide. This vulnerability, discovered by the <a href="https://www.qualys.com/regresshion-cve-2024-6387/#:~:text=regreSSHion%20background,that%20grants%20full%20root%20access." target="_blank" rel="noopener nofollow">Qualys Threat Research Unit</a>, is a race condition in the signal handler of the OpenSSH server (sshd) on glibc-based Linux systems. It enables unauthenticated remote code execution (RCE) with root privileges, making it a serious problem for millions of systems worldwide.  </p>
<blockquote>
<h4>Excursion: glibc-based Linux systems</h4>
<p>&#8220;glibc&#8221; stands for the GNU C Library, the fundamental library for most Linux distributions. It provides the basic functions and system calls required for Linux applications to operate. A glibc-based Linux system uses this library as a central component of its operating system. Well-known distributions based on glibc include <strong>Ubuntu, Fedora, Debian, and CentOS</strong>.   </p></blockquote>
<h3>What is OpenSSH?</h3>
<p>OpenSSH is a widely used suite of secure network services based on the SSH protocol. It provides robust encryption, secure file transfers, and remote server management. <a href="https://www.openssh.com/specs.html" target="_blank" rel="noopener nofollow">OpenSSH</a> is an integral part of the security infrastructure of many organizations, making vulnerabilities in this system particularly concerning. </p>
<h3>Details on the OpenSSH RCE Vulnerability CVE-2024-6387</h3>
<p>The regreSSHion vulnerability results from a race condition in the signal handler of the sshd component of OpenSSH. If a client does not authenticate within the specified LoginGraceTime (default 120 seconds), the SIGALRM handler is called asynchronously. This handler calls various functions that are not safe for asynchronous signal contexts, potentially leading to remote code execution as root. Exploiting this vulnerability typically requires precise timing and multiple attempts, making it a complex but potentially very dangerous threat.   </p>
<blockquote>
<h4>Excursion: Race Condition</h4>
<p>A race condition occurs when the outcome of a process depends on the timing of certain events. In a computing context, this can cause two or more processes to interact in a way that leads to unexpected results, especially when they access shared resources simultaneously. A well-known example of a race condition in IT security is the TOCTOU (Time of Check to Time of Use) attack, where an attacker manipulates a security check between the verification and use of a resource object.  </p></blockquote>
<h4>OpenSSH RCE Vulnerability CVE-2024-6387 &#8211; CVSS Base Score and Explanation</h4>
<p>The CVE-2024-6387 vulnerability has a CVSS (this article explains CVSS &#8211; <a href="https://ilja-schlak.de/was-ist-cvss/" target="_blank" rel="noopener">What is CVSS</a>) Base Score of 8.1. This score is determined by several factors that assess the severity of the vulnerability: </p>
<ol>
<li>Attack Vector (AV): <strong>Network</strong> (N) &#8211; The vulnerability can be exploited over the network, increasing its exploitability.</li>
<li>Attack Complexity (AC): <strong>High</strong> (H) &#8211; Exploiting the vulnerability requires precise timing and multiple attempts, increasing the complexity.</li>
<li>Privileges Required (PR): <strong>None</strong> (N) &#8211; The attacker does not need any special rights or permissions to exploit the vulnerability.</li>
<li>User Interaction (UI): <strong>None</strong> (N) &#8211; Exploitation does not require any interaction from a user.</li>
<li>Impact on Confidentiality (C): <strong>High</strong> (H) &#8211; A successful attack leads to a complete loss of confidentiality.</li>
<li>Impact on Integrity (I): <strong>High</strong> (H) &#8211; A successful attack leads to a complete loss of integrity.</li>
<li>Impact on Availability (A): <strong>High</strong> (H) &#8211; A successful attack leads to a complete loss of availability.</li>
</ol>
<h4>Explanation of the CVSS Base Score of the OpenSSH RCE Vulnerability CVE-2024-6387</h4>
<p>The CVSS Base Score of 8.1 indicates that this vulnerability is classified as <strong>highly severe</strong>. Although exploiting the vulnerability is not trivial due to the <strong>high attack complexity</strong> (AC), the <strong>lack of required privileges</strong> (PR) and <strong>user interaction</strong> (UI) make it an <strong>attractive target</strong> for attackers. The impacts on confidentiality, integrity, and availability are also high, meaning that a successful attack can have serious consequences for the affected system.  </p>
<p>Further information is available from the <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6387" target="_blank" rel="noopener nofollow">National Vulnerability Database (NVD).</a></p>
<h3>Affected Versions</h3>
<p>The vulnerability affects OpenSSH versions from 8.5p1 to 9.7p1, as well as versions older than 4.4p1 if they have not been patched for CVE-2006-5051 and CVE-2008-4109. <strong>OpenBSD</strong> systems are <strong>not affected</strong> due to a special security mechanism introduced in 2001. </p>
<h4>Impacts and Exploitation</h4>
<p>Successful exploitation of this vulnerability can lead to complete system compromise. Attackers can install malware, exfiltrate sensitive data, and create persistent backdoors. Researchers have identified over <strong>14 million</strong> potentially vulnerable OpenSSH instances exposed to the internet, with 700,000 confirmed cases according to Qualys data.  </p>
<h3>OpenSSH RCE Vulnerability &#8211; Comparison with other vulnerabilities</h3>
<p>While regreSSHion poses a serious threat, it is often compared to the Log4Shell vulnerability (CVE-2021-44228). Log4Shell was far more critical due to its broader reach and easier exploitation. It affected numerous applications and services using the Apache Log4j library, leading to immediate and widespread malicious activity. In contrast, regreSSHion targets specific OpenSSH server instances on glibc-based Linux systems and requires complex exploitation attempts.   </p>
<h3>Indicators of Compromise (IOCs) – Potential Signs of Exploitation</h3>
<p>No clear, publicly communicated IOCs are available yet. However, the following general indicators may point to suspicious activity: </p>
<ul>
<li><strong>Unusual SSH Login Attempts</strong>
<ul>
<li>An increase in failed SSH login attempts, especially from unknown IP addresses, may warrant investigation. You can identify exploit attempts for this vulnerability by checking the logs for numerous &#8220;Timeout before authentication&#8221; lines. Example log entry:
<ul>
<li><code>sshd[132456]: fatal: Timeout before authentication for 198.51.100.23 port 41022</code></li>
</ul>
</li>
</ul>
</li>
<li><strong>Unexpected Processes</strong>
<ul>
<li>The presence of unauthorized or unknown processes running on the system, especially with root privileges, is a warning sign.</li>
</ul>
</li>
<li><strong>File Changes</strong>
<ul>
<li>Unexplained changes to system files, especially those related to SSH configuration or user accounts, could indicate manipulation.</li>
</ul>
</li>
</ul>
<h3>Mitigation Measures</h3>
<p>To mitigate the risk of the regreSSHion vulnerability, the following steps are recommended:</p>
<ul>
<li><strong>Update OpenSSH &#8211;</strong> install the latest available update (version 9.8p1), which fixes the vulnerability.</li>
<li><strong>Restrict SSH access</strong> &#8211; use network-based security measures such as firewalls and network segmentation to prevent lateral movement. Defense in Depth! </li>
<li><strong>Change configuration</strong> &#8211; If immediate updates are not possible, set the LoginGraceTime parameter in the sshd configuration file to 0. Caution! This increases the risk of denial-of-service attacks.  </li>
</ul>
<h2>OpenSSH RCE Vulnerability CVE-2024-6387 &#8211; Conclusion</h2>
<p>The regreSSHion vulnerability poses a significant threat due to its potential exploitation and the large number of affected systems. Organizations should take immediate action to update their OpenSSH installations and implement additional security measures. Regular monitoring of SSH authentication logs for signs of exploitation attempts and maintaining a robust asset inventory are crucial for effective vulnerability management.  </p>
<p>The post <a rel="nofollow" href="https://ilja-schlak.de/en/openssh-rce-schwachstelle-cve-2024-6387/">OpenSSH RCE Vulnerability CVE-2024-6387</a> appeared first on <a rel="nofollow" href="https://ilja-schlak.de/en/">Ilja Schlak InfoSec Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://ilja-schlak.de/en/openssh-rce-schwachstelle-cve-2024-6387/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
