< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2056 articles · page 18 of 103

Windows 11 May 2026 Cumulative Updates KB5089549/KB5087420

🔒 Microsoft released Windows 11 cumulative updates KB5089549 (25H2/24H2) and KB5087420 (23H2) as the May 2026 Patch Tuesday rollout. The mandatory updates address 120 security vulnerabilities, deliver bug fixes, and introduce features such as desktop Xbox mode, expanded File Explorer archive support, haptic input signals, and Drop Tray. They also improve Windows Hello, taskbar reliability, printing, and add an optional registry control to harden batch-file processing. Install via Settings > Windows Update or the Microsoft Update Catalog.
read more →

Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Fixed

🔔 Today's May 2026 Patch Tuesday from Microsoft delivers security updates addressing 120 distinct vulnerabilities, including 17 rated Critical. The release corrects multiple remote code execution, elevation-of-privilege, information disclosure, denial-of-service, spoofing, and security feature bypass flaws across Windows, Office, SharePoint, and developer tools. Notable patches close dangerous RCE vectors in Microsoft Office (Word, Excel, PowerPoint) that can be exploited via malicious attachments or the preview pane, and key fixes include Windows GDI EMF parsing, SharePoint server RCE, and a Windows DNS Client RCE. Administrators are strongly advised to prioritize and deploy updates promptly to reduce exposure.
read more →

Exim BDAT Use-After-Free 'Dead.Letter' Patch Released

🔒 Exim has issued emergency updates to fix CVE-2026-45185, dubbed Dead.Letter, a critical use-after-free in BDAT message body parsing that manifests when TLS is handled via GnuTLS. The flaw is triggered when a client sends a TLS close_notify during an active BDAT transfer and then follows up with a final cleartext byte on the same TCP connection, which can corrupt heap metadata and enable code execution. It affects Exim 4.97 through 4.99.2 built with USE_GNUTLS=yes and is fixed in 4.99.3; there are no mitigations, so administrators should apply the update immediately.
read more →

ABB AC500 V3: Stack Buffer Overflow in CMS AES-GCM

ABB reports a stack-based buffer overflow in AC500 V3 when parsing CMS (Auth)EnvelopedData with AEAD ciphers like AES-GCM. An oversized IV in ASN.1 parameters may be copied into a fixed-size stack buffer without length checks, allowing an out-of-bounds write before authentication. This can cause crashes, DoS, or potential RCE. ABB issued firmware 3.9.0 HF1 to correct the issue; no workaround exists.
read more →

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.
read more →

Subnet Solutions PowerSYSTEM Center: Auth and CRLF Flaws

🔒 CISA reports multiple authorization flaws and a CRLF injection affecting Subnet Solutions PowerSYSTEM Center. Authenticated users with limited permissions can expose administrative data via the REST API, delete project groups, or exploit SMTPS notification handling. Subnet Solutions advises upgrading to PSC 2020 Update 29, PSC 2024 Update 2, or the PSC 2026 GA Hotfix and contacting support for assistance.
read more →

ABB Automation Builder Gateway insecure default access

⚠️ ABB reported a vulnerability in the Windows Gateway component of Automation Builder that leaves its TCP listener bound to all interfaces by default on port 1217, enabling remote discovery of AC500 PLCs. The gateway may be installed standalone or bundled with other setups such as CODESYS, and unauthenticated actors can scan for PLCs; PLC user management normally prevents control unless disabled. ABB advises restricting access by setting [CmpGwCommDrvTcp] LocalAddress=127.0.0.1 in Gateway.cfg and restarting the gateway, or upgrading to Automation Builder 2.9.0 where the default is local-only.
read more →

ABB AC500 V3 Multiple Vulnerabilities and Fixes Notice

⚠️ABB disclosed multiple vulnerabilities in AC500 V3 PLCs that can bypass user management, expose visualization files, compromise PKI certificates, or cause denial-of-service (CVE-2025-2595, CVE-2025-41659, CVE-2025-41691). The issues stem from forced browsing, a permission flaw in the optional CmpOpenSSL component, and a NULL pointer dereference in CmpDevice. ABB corrected the issues in firmware 3.9.0 via Automation Builder 2.9.0; no workarounds are available and customers should apply the update promptly.
read more →

ABB WebPro SNMP Card PowerValue: Multiple Vulnerabilities

🔒 ABB disclosed multiple vulnerabilities in the WebPro SNMP Card PowerValue affecting earlier firmware releases. The flaws include an authentication bypass (the device validates only the first character of session cookies and tokens), insufficient session expiration and uncontrolled resource consumption that can cause DoS and Modbus instability on port 502. ABB issued fixes in v1.1.8.p and recommends contacting ABB Digital Service Support and applying defensive measures from the product manual.
read more →

Critical Linux Kernel LPE 'copy.fail' Vulnerability

⚠ copy.fail is a severe Linux kernel local privilege escalation disclosed on 29 April 2026 with a working proof-of-concept. It abuses the kernel crypto API (AF_ALG sockets) together with splice() to write four bytes at a time directly into the page cache of files the attacker does not own, leaving on-disk files unchanged. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora, bypasses checksum-based monitoring, and has no race or per-distro offsets; the mainline fix landed on 1 April and distros are rolling patches.
read more →

SAP May 2026 Fixes Critical Flaws in Commerce Cloud

🔒 SAP released its May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws affecting Commerce Cloud and S/4HANA. The most severe (CVE-2026-34263) is a missing authentication check in Commerce Cloud that can allow unauthenticated remote code execution via improper Spring Security configuration. The other critical (CVE-2026-34260) permits low-complexity SQL injection by attackers with basic privileges, risking sensitive data exposure and potential service crashes. SAP also patched one high and 11 medium-severity issues and reports no evidence of in-the-wild exploitation to date.
read more →

cPanel Vulnerability Exposes Hosting Supply Chain Risks

🔒 A recently disclosed cPanel vulnerability, tracked as CVE-2026-41940, is being exploited at scale to deploy backdoors, plant SSH keys, steal credentials, and compromise hosting systems. Researchers at XLab link much of the activity to a long-running group called Mr_Rot13, with automated scans from over 2,000 attacker IPs observed after the late-April disclosure. The incident highlights weak visibility into hosting control planes and urges organizations to treat exposed control panels as high-priority incidents: patch immediately, rotate credentials, hunt for webshells, and review logs for persistence.
read more →

Linux kernel kill switch proposal divides security experts

🛡️A proposal from Linux kernel co-maintainer Sasha Levin would add a configurable kill switch allowing privileged operators to disable specific kernel functions as an emergency mitigation until a patch can be built and deployed. Levin and colleagues provided a suggested implementation and argue it reduces exposure when fleets cannot be rebooted immediately. The suggestion has split experts and admins, with some warning of operational risk and others, including Red Hat, supporting non-disruptive mitigations.
read more →

Dirty Frag: Chained Linux Kernel Flaws Prompt Patch Rush

🛡️ Major Linux distributions are rushing to apply fixes after the embargo on a two‑bug kernel exploit, dubbed Dirty Frag, was broken. The flaw chains CVE-2026-43284 (xfrm‑ESP write‑what‑where, CVSS 8.8) and CVE-2026-43500 (RxRPC out‑of‑bounds write, CVSS 7.8) to enable local privilege escalation to root. Researcher Hyunwoo Kim published a proof‑of‑concept after coordinating with maintainers. Vendors recommend temporarily blacklisting esp4/esp6/rxrpc modules and prioritising immediate patching.
read more →

Dirty Frag Linux Exploit Enables Reliable Root Escalation

🔒 Microsoft warns of a new local Linux privilege escalation called Dirty Frag that abuses fragmented page-cache handling to gain root. The chain uses two kernel flaws — CVE-2026-43284 (ESP) and CVE-2026-43500 (RxRPC) — and is already observed in post-compromise attacks. Administrators are urged to disable esp4, esp6, and rxrpc modules, limit local shell access, and monitor for abnormal privilege escalation while vendors roll out patches.
read more →

Critical Ollama GGUF Vulnerability Exposes Heap Data

⚠️ Security researchers disclosed a critical out-of-bounds read in Ollama that can leak process memory and is tracked as CVE-2026-7482 (CVSS 9.1), dubbed "Bleeding Llama". The flaw arises in the GGUF model loader's WriteTo() flow due to use of the unsafe package, allowing a crafted model upload to read past heap bounds. Successful exploitation can reveal environment variables, API keys, prompts, and user conversation data and exfiltrate it via the /api/push endpoint. Users are urged to apply fixes, restrict network exposure, and place an authentication proxy before Ollama instances.
read more →

cPanel/WHM Fixes Three Vulnerabilities in May 2026

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.
read more →

Ivanti EPMM: Five Vulnerabilities, One Actively Exploited

🔐 Ivanti disclosed five vulnerabilities in its on‑premises Endpoint Manager Mobile (EPMM) suite, and one—CVE-2026-6973—has been added to CISA’s Known Exploited Vulnerabilities Catalog due to active exploitation. Updated EPMM releases resolving the issues are available and administrators are urged to apply patches and rotate administrative credentials immediately. The defects include improper input validation, access control failures, and certificate validation errors, and Ivanti says it is using AI tools to help identify additional vulnerabilities. Organizations should also review enrollment settings such as Apple Device Enrollment and assess whether legacy on‑premises MDM fits a Zero Trust model.
read more →

Dirty Frag Linux Vulnerability Widens Post-Compromise Risk

⚠ Microsoft Defender researchers describe Dirty Frag, a Linux local privilege escalation that abuses kernel networking and memory-fragment handling in esp4, esp6, and rxrpc. Public proof-of-concept activity and active targeting suggest the exploit yields more reliable escalation from unprivileged user to root across multiple distributions. Microsoft recommends immediate mitigations—disable unused modules, harden containers, increase monitoring, clear caches cautiously, and prioritize vendor kernel patches—while Defender expands detections.
read more →

CISA Orders Federal Agencies to Patch Ivanti EPMM Zero-Day

⚠ CISA has ordered U.S. federal agencies to patch a high-severity vulnerability in Ivanti Endpoint Manager Mobile within four days after the flaw was observed exploited as a zero-day (CVE-2026-6973). Ivanti published updates (12.6.1.1, 12.7.0.1, 12.8.0.1) and urged customers to review and rotate Admin credentials. The issue requires administrative authentication, affects only on-prem EPMM appliances, and Shadowserver reports over 800 exposed instances online.
read more →