
All news in category “Security Advisory and Patch Watch”

1831 articles · page 45 of 92

Cisco Patches AsyncOS Zero-Day Targeting SEG/SEWM Appliances

🔒 Cisco has released a fix for a maximum-severity AsyncOS zero-day (CVE-2025-20393) that has been exploited since November 2025. The flaw impacts Cisco Secure Email Gateway and Secure Email and Web Manager appliances with non-standard configurations when the Spam Quarantine feature is exposed to the internet, permitting arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal remediation under BOD 22-01.

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and rated 10.0 on CVSS 3.1 by HPE, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.

Windows 11 23H2 Shutdown Issue After January Security Update

⚠️ Microsoft has confirmed that the January 13, 2026 cumulative update (KB5073455) can prevent some Windows 11, version 23H2 devices with System Guard Secure Launch enabled from shutting down or entering hibernation, causing them to restart instead. The issue is limited to Enterprise and IoT editions where the update is offered. Microsoft recommends the temporary workaround shutdown /s /t 0 for shutdowns and warns there is currently no hibernation workaround. Users should save work and perform manual shutdowns to avoid battery drain.

Cisco patches critical AsyncOS RCE exploited by APT

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.

Palo Alto patches PAN-OS after new DoS flaw revealed

🔒 Palo Alto Networks has released patches for PAN-OS after a researcher disclosed CVE-2026-0227, a high-severity (CVSS 7.7) vulnerability in GlobalProtect gateway and portal components that can trigger a denial-of-service and force affected firewalls into maintenance mode. The vendor reports no known in-the-wild exploitation but acknowledges proof-of-concept code exists. Prisma Access customers have largely been upgraded; on-premises NGFWs must apply vendor updates per the posted remediation table. There are no official workarounds; temporarily disabling the VPN interface may reduce risk while patching.

Modular DS WordPress Flaw Lets Attackers Gain Admin

🔒 Hackers are actively exploiting a maximum-severity authentication bypass in the Modular DS WordPress plugin (CVE-2026-23550) to gain admin-level access on vulnerable installs. The flaw affects versions 2.5.1 and earlier and was first observed in the wild on January 13; the vendor released a fix in version 2.5.2 shortly after disclosure. Site owners should update immediately, review server logs, verify admin accounts, and regenerate WordPress salts after patching.

AWS CodeBuild Misconfiguration Exposed GitHub Repos

⚠️ A critical CodeBuild misconfiguration, dubbed CodeBreach by Wiz, could have allowed attackers to take over several AWS-managed GitHub repositories, including aws-sdk-js-v3, by bypassing webhook actor ID filters. The flaw—missing ^ and $ anchors in regex filters—enabled unauthorized build triggers and potential leakage of privileged GitHub tokens. AWS fixed the issue in September 2025, rotated credentials, implemented mitigations, and reported no evidence of exploitation.

WhisperPair Flaw Lets Attackers Hijack Bluetooth Audio

🔒 Security researchers at KU Leuven disclosed a critical flaw dubbed WhisperPair (CVE-2025-36911) in the Fast Pair protocol that lets attackers forcibly pair with and control Bluetooth audio accessories. The issue stems from devices failing to enforce the Fast Pair requirement to ignore pairing requests when not in pairing mode, enabling silent hijacking and eavesdropping. Hundreds of millions of headphones, earbuds, and speakers from vendors including Google, Jabra, Sony, OnePlus, Xiaomi, and others are affected, and patches are being coordinated with manufacturers.

Critical Fast Pair Flaw Lets Attackers Hijack Headsets

🔒 Researchers disclosed a critical vulnerability in Google's Fast Pair protocol, tracked as CVE-2025-36911 and dubbed WhisperPair. The flaw stems from many accessories failing to ignore pairing requests when not in pairing mode, enabling attackers to pair without user consent. Exploits can hijack audio devices, enable eavesdropping and location tracking, and affect hundreds of millions of headsets from vendors including Google, Sony, Jabra, JBL and OnePlus. Only manufacturer firmware updates mitigate the risk; disabling Fast Pair on phones does not protect accessories.

Critical Modular DS WordPress Flaw Enables Admin Takeover

⚠️ Patchstack reports a maximum-severity vulnerability (CVE-2026-23550, CVSS 10.0) in the Modular DS WordPress plugin affecting all versions up to and including 2.5.1. The flaw permits unauthenticated privilege escalation via routes under /api/modular-connector/ when the "direct request" mode with an "origin=mo" parameter is used, bypassing authentication. Exploitation was observed beginning Jan 13, 2026, and the issue is patched in 2.5.2; administrators should update immediately.

Amazon RDS adds support for Microsoft SQL Server GDR updates

🔔 Amazon RDS for SQL Server now supports Microsoft SQL Server GDR updates for 2016 SP3, 2017 CU31, 2019 CU32 and 2022 CU22 (RDS versions 13.00.6475.1.v1, 14.00.3515.1.v1, 15.00.4455.2.1.v1, 16.00.4225.2.1.v1). These GDRs address vulnerabilities tracked as CVE-2025-59499. We recommend upgrading instances via the Amazon RDS Console, SDK, or CLI and consulting the RDS SQL Server upgrade guide to plan and apply the updates.

CodeBuild Misconfiguration Threatened AWS Console SDK

⚠️ A critical CodeBuild misconfiguration discovered by Wiz Research allowed untrusted pull requests to run privileged builds, enabling potential injection of malicious code into core AWS repositories, including the AWS SDK for JavaScript that underpins the AWS Console. The flaw was an unanchored regex in an ACTOR_ID webhook filter that let attacker-controlled GitHub IDs bypass restrictions and access credentials stored in build memory. AWS patched the issue within 48 hours, revoked exposed credentials, added protections to block memory-based credential theft and introduced a Pull Request Comment Approval build gate. Wiz advises blocking untrusted PRs, using fine-grained tokens and anchoring webhook regexes.

Amazon RDS Custom Adds Microsoft SQL Server GDR Updates

🔒 Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates, enabling SQL Server 2019 CU32+GDR (KB5068404) and SQL Server 2022 CU21+GDR (KB5068406) on managed instances. These releases correspond to RDS builds 15.00.4455.2.1.v1 and 16.00.4222.2.1.v1 and address vulnerabilities referenced by CVE-2025-59499. We recommend that you upgrade affected RDS Custom instances using the Amazon RDS Management Console, AWS SDK, or CLI and consult the Amazon RDS Custom User Guide for upgrade procedures. Before applying updates in production, review release notes and test the patches in non-production environments to validate application compatibility and backups.

Mandiant/GCP Release Net-NTLMv1 Rainbow Tables for Defenders

🔐 Mandiant and Google Cloud published a comprehensive dataset of Net-NTLMv1 rainbow tables to accelerate defender validation and mitigation of this long-deprecated protocol. The tables make known-plaintext attacks trivial, enabling recovery of authenticating password hashes in under 12 hours on consumer hardware costing less than $600. The release includes SHA512 checksums, usage guidance with tools like rainbowcrack and ntlmv1-multi, and prescriptive remediation steps to disable Net-NTLMv1 and monitor for coercion-based authentications.

Critical RCE in n8n Forces Immediate Global Remediation

🚨 A critical remote code execution vulnerability, CVE-2026-21858 (CVSS 10.0), has been disclosed in n8n, allowing attackers to fully compromise locally deployed instances. Researchers estimate roughly 100,000 servers are affected and there are no official workarounds available. The n8n project has released a patched build; users must upgrade to n8n version 1.121.0 or later to remediate the issue. Administrators should prioritize patching and follow vendor advisories immediately.

Critical HPE OneView RCE Under Active Exploitation Campaign

🚨 Check Point Research reports large-scale active exploitation of CVE-2025-37164, a critical remote code execution flaw in HPE OneView. The campaign, attributed to the RondoDox botnet, generated tens of thousands of automated attack attempts that were blocked by Check Point defenses. The issue was reported to CISA and added to the Known Exploited Vulnerabilities catalog on January 7, 2026; organizations should patch immediately.

AVEVA Process Optimization: Multiple Critical Flaws

⚠️ AVEVA has released patches for multiple vulnerabilities in Process Optimization that could allow remote code execution, SQL injection, privilege escalation, and disclosure of sensitive data. The most severe, CVE-2025-61937, permits unauthenticated remote code execution at OS System privileges (CVSS 10.0). AVEVA's remediation requires updating to Process Optimization v2025; CISA and the vendor also recommend firewall restrictions, ACLs, and ensuring encrypted channels.

FortiSIEM phMonitor Command Injection: CVE-2025-64155

⚠️ A critical command injection vulnerability in Fortinet FortiSIEM (phMonitor, tracked as CVE-2025-64155) enables unauthenticated attackers to inject commands and write files that are executed as the root user. Exploit code was disclosed publicly after a responsible disclosure to Fortinet in August 2025, and researchers warn the flaw may have allowed remote root access for nearly three years. Fortinet has released patched builds and advises restricting access to TCP port 7900 and applying updates immediately.

Palo Alto Warns of DoS Flaw That Can Disable Firewalls

⚠️ Palo Alto Networks patched a high-severity flaw (CVE-2026-0227) in PAN-OS that can allow unauthenticated actors to trigger a denial-of-service, forcing affected firewalls into maintenance mode when GlobalProtect gateway or portal features are enabled. The issue impacts PAN-OS 10.1 and later and some Prisma Access configurations; most cloud Prisma Access instances have been upgraded. Administrators should apply vendor-supplied fixes for their PAN-OS branch immediately to prevent potential disruptions.

Palo Alto Fixes GlobalProtect DoS Vulnerability, Critical

🔒 Palo Alto Networks has released patches for a high-severity denial-of-service vulnerability (CVE-2026-0227, CVSS 7.7) affecting GlobalProtect Gateway and Portal components. The flaw, caused by an improper check for exceptional conditions (CWE-754), can be triggered by an unauthenticated attacker and may force affected firewalls into maintenance mode. A proof-of-concept exploit exists and there are no workarounds, so administrators should prioritize applying the vendor updates.