Microsoft fixes Windows 11 bug hiding password icon
🔒 Microsoft has resolved a Windows 11 sign-in issue that caused the password icon to disappear from the lock screen's sign-in options after installing the August 2025 updates and later. Affected users with multiple sign-in methods could still sign in by hovering over the placeholder to reveal the hidden button. The fix is included in the optional January 2026 KB5074105 preview update released January 29; install it via Settings > Windows Update or the Microsoft Update Catalog.
Privileged File System Flaw in Iconics Suite CVE-2025-0921
🔒 Unit 42 researchers discovered CVE-2025-0921, a privileged file system operations vulnerability in Iconics Suite (GENESIS64) that can be abused to corrupt critical binaries and cause a denial-of-service. The issue affects certain Windows deployments of Iconics Suite and can be chained with CVE-2024-7587 (GenBroker32 installer) to gain effective write access to protected log paths. Iconics released an advisory and a workaround that, if applied, mitigates the reported issues; organizations should apply vendor guidance and limit local write access to application directories.
Ivanti patches two critical EPMM RCE flaws under attack
🔒 Ivanti released stand-alone RPM patches for Endpoint Manager Mobile (EPMM) to fix two unauthenticated code-injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340, each rated 9.8 by CVSS. The flaws affect EPMM's In-House Application Distribution and Android File Transfer Configuration features and are already being exploited in a limited number of customer environments. Administrators must manually install version-specific RPMs; Ivanti says a permanent fix will arrive in the 12.8.0.0 release.
Securing AI Application Supply Chains: LangChain Case
🛡️ This case study details a high-severity serialization injection vulnerability (CVE-2025-68664, “LangGrinch”) in LangChain's langchain-core package that arises from improper handling of a reserved lc marker during dumps/dumpd operations. The flaw can enable unauthorized secret extraction, unintended class instantiation, or malicious side effects when attacker-controlled dictionaries are deserialized. Microsoft recommends immediate upgrades to patched versions and demonstrates how Defender for Cloud and Defender XDR can identify, remediate, and detect exposed workloads across code, build, and runtime stages. The post also offers practical hunting queries and remediation workflows to accelerate fixes.
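The summary above describes attacker-controlled dictionaries carrying the reserved lc marker being deserialized as objects. Upgrading is the fix; a defence-in-depth control that a practitioner can add on top is to screen untrusted JSON for that marker before it reaches any serialization or load routine. The following is an added example written for this digest, not code from Microsoft, LangChain or the advisory. It assumes the reserved marker is literally the dictionary key "lc" (the page names the marker but not its exact key), and the function names, the size limit and the sample payloads are constructed for illustration.

```python
import json
from typing import Any, Iterator, List

# Assumption: the reserved marker named in the advisory is the literal key "lc".
RESERVED_MARKER = "lc"

# Constructed upper bound for untrusted payloads; tune for your workload.
MAX_PAYLOAD_BYTES = 256 * 1024


class ReservedMarkerFound(ValueError):
    """Raised when untrusted data contains a dict that carries the reserved marker."""


def reserved_marker_paths(obj: Any, path: str = "$") -> Iterator[str]:
    """Walk nested dicts/lists and yield a JSONPath-like location for every
    dict that carries the reserved marker. Untrusted user data should never
    contain such a dict; only the library's own serializer emits it."""
    if isinstance(obj, dict):
        if RESERVED_MARKER in obj:
            yield path
        for key, value in obj.items():
            yield from reserved_marker_paths(value, f"{path}.{key}")
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from reserved_marker_paths(value, f"{path}[{index}]")
    # Scalars (str, int, float, bool, None) cannot carry the marker.


def screen_untrusted_payload(raw: str) -> Any:
    """Parse untrusted JSON with a size cap and reject it if any nested dict
    carries the reserved marker. Returns the parsed structure when clean, so
    it can be used as a gate in front of dumpd()/loads()-style code paths."""
    if len(raw.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload exceeds MAX_PAYLOAD_BYTES")
    parsed = json.loads(raw)
    hits: List[str] = list(reserved_marker_paths(parsed))
    if hits:
        # Log the locations rather than the content: the content is attacker-controlled.
        raise ReservedMarkerFound(
            f"reserved marker {RESERVED_MARKER!r} present at: {', '.join(hits)}"
        )
    return parsed


# Constructed sample inputs: what a benign request and an injected one might look like.
BENIGN_SAMPLE = json.dumps(
    {"messages": [{"role": "user", "content": "hello"}], "metadata": {"tag": "demo"}}
)
INJECTED_SAMPLE = json.dumps(
    {
        "messages": [{"role": "user", "content": "hello"}],
        "metadata": {"user_note": {RESERVED_MARKER: 1, "note": "constructed"}},
        "extra": [{"ok": True}, {"inner": {RESERVED_MARKER: 1}}],
    }
)


def demo() -> List[str]:
    """Return the marker locations found in the injected sample (empty for benign)."""
    screen_untrusted_payload(BENIGN_SAMPLE)  # passes silently
    try:
        screen_untrusted_payload(INJECTED_SAMPLE)
    except ReservedMarkerFound as exc:
        return str(exc).split("at: ")[1].split(", ")
    return []


if __name__ == "__main__":
    print(demo())
```

The walker is intentionally independent of the library: it runs before deserialization and does not trust any type information inside the payload. Keep the marker check in place even after upgrading; it costs little and turns a silent deserialization into a logged rejection.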
Microsoft Fixes Outlook Bug Blocking Encrypted Emails
✅ Microsoft has issued a fix for a known issue that prevented Microsoft 365 customers from opening Encrypt Only messages in classic Outlook after a December update. Impacted users saw a message_v2.rpmsg attachment instead of readable content and a 'restricted permission' notice in the Reading Pane. Microsoft says the repair is available in the Beta Channel now and will roll to Current Channel and Current Channel Preview in February. Temporary workarounds are provided for users who cannot upgrade immediately.
Windows 11 KB5074105 Preview Fixes Boot and Sign-In
🔧 Microsoft released the optional January 2026 preview cumulative update KB5074105 for Windows 11, delivering 32 non-security quality fixes administrators can validate before Patch Tuesday. The preview moves 25H2 devices to build 26200.7705 and 24H2 devices to 26100.7705 and can be installed via Settings > Windows Update or the Microsoft Update Catalog. Key fixes address sign-in and boot failures and activation problems during license migrations; the update also expands Cross-Device Resume for Android-to-PC activity continuation (examples include resuming Spotify, Office work, or browsing sessions) and broadens Windows Hello Enhanced Sign-in Security support for peripheral fingerprint sensors. Additional reliability fixes target UAC elevation hangs, graphics-related system errors (dxgmms2.sys, KERNEL_SECURITY_CHECK_FAILURE), Windows Sandbox startup failures (0x800705b4), startup/login hangs and iSCSI boot issues. Administrators are advised to test the update in lab environments before wide deployment.
⚠️ SmarterTools released builds addressing critical vulnerabilities in SmarterMail, including an unauthenticated remote code execution flaw (CVE-2026-24423) rated CVSS 9.3. The flaw in the ConnectToHub API allowed an attacker to direct SmarterMail to a malicious HTTP server that serves OS commands, which the application could execute; this was fixed in Build 9511 on January 15, 2026. A separate NTLM-related path coercion issue (CVE-2026-25067, CVSS 6.9) that could force outbound SMB authentication and enable NTLM relay was patched in Build 9518 (January 22, 2026). Administrators should update immediately.
⚠️ Ivanti has released security updates addressing two critical zero-day code-injection flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) — which enable unauthenticated remote code execution and have been observed in limited attacks. One of the defects, CVE-2026-1281, was added to CISA’s KEV catalog, imposing a Federal remediation deadline of February 1, 2026. A temporary RPM patch is available for affected 12.x releases but does not persist through upgrades; Ivanti plans a permanent fix in EPMM 12.8.0.0 due Q1 2026. Customers are urged to check Apache access logs using the provided regex, inspect administrative and configuration changes, and restore or rebuild compromised appliances if indicators of attack are found.
Microsoft Links Windows 11 Boot Failures to Dec 2025 Update
⚠️ Microsoft says recent Windows 11 boot failures following the January 2026 cumulative update are tied to earlier failed attempts to install the December 2025 security update, which left some systems in an "improper state." After applying KB5074109, affected devices showed a BSOD with stop error UNMOUNTABLE_BOOT_VOLUME. Microsoft is working on a partial resolution to prevent new no-boot cases, but it warns this fix will not repair devices already unable to boot or stop systems from entering the improper state. The company also says the issue appears limited to physical machines.
Ivanti warns of two critical EPMM zero-day flaws exploited
⚠ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.
Microsoft January 2026 Out-of-Band Office Update Patch
⚠️ Microsoft released three out-of-band updates in January 2026, including a security update addressing CVE-2026-21509 in Microsoft Office, which has been reportedly exploited in the wild. The vulnerability is rated Important with a CVSS 3.1 score of 7.8 and is considered local, requiring a user to open a malicious Office document or for an attacker to have system access. Microsoft notes the issue cannot be triggered via the Preview Pane and has published mitigation guidance. Talos published Snort and ClamAV detections and advises customers to apply the latest rules and SRU updates.
⚠️ Two critical sandbox escape vulnerabilities in n8n allow authenticated users to achieve remote code execution on affected instances. JFrog researchers reported that flaws in the JavaScript expression engine and the Python Code node can bypass sandboxing protections, exposing workflow engines to host-level compromise. The JavaScript issue stems from a missed edge case in AST-based sanitization when expressions are passed to a Function constructor; the Python escape affects Internal execution mode. Both flaws carry high severity and have been patched—organizations should update to the specified releases and restrict who can create or edit workflows until upgrades are applied.
CISA Adds Ivanti EPMM Code Injection to KEV Catalog
🔔 CISA added CVE-2026-1281, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog after confirmed active exploitation in the wild. The advisory notes that code injection is a common and dangerous attack vector that can enable unauthorized execution and data compromise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by set deadlines, and CISA strongly urges all organizations to prioritize timely remediation.
⚠ Rockwell Automation's ArmorStart LT devices are affected by multiple vulnerabilities that can cause denial-of-service conditions. Affected models include 290D, 291D, and 294D running firmware versions <=V2.002; each issue is rated CVSS v3.1 7.5 (High). Observed impacts include unresponsive CIP ports, unexpected device reboots, ICMP loss, and web application inaccessibility during fuzzing and active scanning. No patch is available; operators should apply network segmentation and secure remote access best practices to reduce exposure.
⚠️ CISA warns of a critical Missing Authentication for Critical Function vulnerability (CVE-2026-1453) in KiloView Encoder Series devices that could let an unauthenticated attacker create or delete administrator accounts and gain full administrative control. Multiple E1, E1-s, E2, G1, P1, P2 and RE1 hardware and firmware builds are affected. No public exploitation has been reported to CISA, and KiloView has not engaged with CISA; users should minimize network exposure, ensure devices are not directly reachable from the Internet, and contact KiloView support for guidance.
⚠️ Multiple denial-of-service vulnerabilities in Rockwell Automation ControlLogix Redundancy Enhanced Modules (catalogs 1756-RM2 and 1756-RM2XT) can be triggered by crafted inputs, including malformed Class 3 messages and resource exhaustion. Exploitation may render devices unresponsive or cause major nonrecoverable faults, potentially requiring a restart. The issues carry a CVSS 3.1 base score of 7.5 (High). Rockwell recommends upgrading to 1756-RM3 and following advisory SD1769; if immediate upgrade is not possible, apply segmentation, firewalling, and other security best practices to reduce exposure.
EU GCVE Initiative Addresses CVE Dependence, Risks
🔎 The EU-hosted GCVE.eu aggregates advisories from more than 25 public sources and is operated by CIRCL with co-funding from the EU's FETTA project, aiming to reduce reliance on the US-run CVE/NVD. Experts applaud redundancy but warn that without enforced mapping, automated cross-referencing, and strong governance, parallel identifiers risk creating fragmented silos. GCVE.eu says it supports cross-referencing, distributed allocation, and open-source tooling to aid coordinated disclosure and integration.
SolarWinds Fixes Critical Web Help Desk Vulnerabilities
⚠️ SolarWinds has released updates for Web Help Desk to address multiple high-severity vulnerabilities, including four critical flaws that can enable authentication bypass and remote code execution. Affected issues include deserialization and hard-coded credential bugs tracked as CVE-2025-40536 through CVE-2025-40554. Rapid7 highlights that the deserialization flaws are particularly exploitable without authentication. SolarWinds fixed the issues in WHD 2026.1 and customers are urged to upgrade immediately.
SolarWinds WHD Critical RCE and Auth Bypass Flaws Revealed
⚠️ SolarWinds has issued emergency updates for Web Help Desk (WHD) to patch six vulnerabilities—four rated critical—that include unauthenticated data deserialization RCEs and authentication bypasses. Researchers from watchTowr and Horizon3.ai disclosed the flaws, which could let attackers execute commands, access protected functions, or leverage hardcoded credentials. Administrators should upgrade to WHD 2026.1 immediately and investigate any anomalous activity on affected servers.
⚠️ A critical vulnerability in vm2, a widely used Node.js sandboxing library, allows attackers to escape the sandbox and execute arbitrary code. Tracked as CVE-2026-22709, the flaw affects versions older than 3.10.2; users are urged to upgrade immediately. The issue stems from a bypass in Promise.prototype.then and Promise.prototype.catch callback sanitization, and the project maintainer warns that in-process sandboxing will remain a cat-and-mouse challenge. Where possible, combine vm2 with additional isolation, resource limits, and monitoring, or consider stronger isolation alternatives.