All news in category “Security Advisory and Patch Watch”

⚠️ Researchers demonstrated remote control of WHILL wheelchairs via unsecured Bluetooth connections. CISA has issued an advisory noting the devices did not enforce pairing authentication, allowing attackers within Bluetooth range to pair and control movement, override speed restrictions, and alter configuration profiles without credentials or user interaction. Users and operators should follow the advisory, apply vendor updates, and disable Bluetooth when not required.

🔓 A critical FortiSIEM vulnerability, tracked as CVE-2025-25256, enables remote unauthenticated attackers to execute arbitrary commands by invoking exposed phMonitor handlers. Horizon3.ai disclosed technical details and published a demonstrative exploit after Fortinet issued patches across supported branches. The flaw combines arbitrary write with privilege escalation to root and affects a range of FortiSIEM releases; Fortinet advises applying the supplied updates or restricting access to the phMonitor port (7900) as a temporary mitigation.

🔔 Microsoft has released updates to WinSqlite3.dll after third-party security tools began flagging the Windows core DLL as vulnerable to CVE-2025-6965. The company said the false positive affected Windows 10, Windows 11, and server editions through Windows Server 2025. Microsoft resolved the detection in updates released January 13, 2026 and later and urges users to install the latest patches. It also clarified WinSqlite3.dll is distinct from sqlite3.dll.

⚠️ Festo SE & Co. KG and CISA report that numerous Festo firmware products contain undocumented remote-accessible functions and missing port/protocol documentation, tracked as CVE-2022-3270 with a CVSS v3.1 base score of 9.8. An unauthenticated remote attacker could leverage these undocumented protocol functions to cause full loss of confidentiality, integrity, and availability. Festo intends to address the issue by updating technical user manuals in the next product versions; operators should meanwhile reduce network exposure, enforce firewalls, and use VPNs and encrypted links.

🔒 Siemens SIMATIC and SIPLUS ET 200 family devices contain a denial-of-service vulnerability triggered by a valid S7 protocol Disconnect Request (COTP DR TPDU) received on TCP port 102. Affected modules can enter an improper session state and become unresponsive, requiring a power cycle to recover. Siemens has released firmware updates for multiple affected products and recommends applying vendor-released fixes; where updates are not available, network mitigations such as filtering TCP port 102 to trusted addresses and isolating control networks are advised.

⚠ Siemens disclosed a local privilege escalation vulnerability (CVE-2025-40942) in TeleControl Server Basic affecting product versions earlier than V3.1.2.4. The flaw could allow an attacker with local access to execute arbitrary code with elevated privileges and is rated High under CVSS 3.1 (8.8). Siemens released V3.1.2.4 to remediate the issue. Administrators should apply the update promptly and follow network-segmentation and access-control best practices to reduce exposure.

🔒 Users of Siemens Industrial Edge Device Kit should apply updates immediately. CISA reports an authorization bypass (CVE-2025-40805) that enables unauthenticated attackers to impersonate legitimate users by abusing unsecured API endpoints; the issue is rated CVSS v3.1 10.0. Siemens has published patches for multiple arm64 and x86-64 builds (for example V1.24.2 and V1.25.1) and advises restricting network access where fixes are not yet available.

🔒Siemens has disclosed multiple vulnerabilities affecting RUGGEDCOM APE1808 devices, tied to cross-site scripting and a path traversal flaw (CVE-2025-40891, CVE-2025-40892, CVE-2025-40893, CVE-2025-40898). The issues include stored HTML/JavaScript injection in Time Machine Snapshot Diff, Reports, and Asset List features, and an authenticated path traversal in Arc data import that can enable arbitrary file writes. Siemens is preparing fixes and advises contacting Siemens ProductCERT, segregating and protecting device networks, and following Siemens operational security guidance until patches are available.

🔒 Siemens has released a security update for SINEC Security Monitor addressing two vulnerabilities (CVE-2025-40830, CVE-2025-40831) in versions before V4.10.0. The flaws allow an authenticated user to read or write arbitrary files via the ssmctl-client file_transfer feature and to cause a report-generation denial-of-service. Siemens recommends updating to V4.10.0 or later and reducing network exposure per operational guidance.

⚠️ Siemens reports a temporary denial-of-service vulnerability in RUGGEDCOM ROS devices that can be triggered via the TLS certificate upload process. Authenticated remote attackers may upload malformed certificate data to cause a crash and an automatic reboot (CVE-2025-40935, CWE-20), producing a brief availability outage. Siemens has published fixed firmware; update affected systems to V5.10.1 or later. CISA advises isolating control networks, minimizing internet exposure, using secure remote access, and performing impact analysis before applying mitigations.

🔒 Siemens and CISA report an authorization bypass in multiple Siemens Industrial Edge and related devices (CVE-2025-40805) that can allow an unauthenticated remote attacker who knows a legitimate user's identity to impersonate that user. Siemens has released firmware and software updates for many affected models and is preparing additional fixes. Where updates are not yet available, Siemens and CISA advise network isolation, minimizing internet exposure, use of secure remote access (VPNs), and other compensating controls to limit risk.

🔒 Schneider Electric disclosed vulnerabilities in EcoStruxure Power Build Rapsody that can cause memory corruption and buffer overflows when importing project (SSD) files. Two tracked issues — CVE-2025-13844 (double free, CVSS 5.3) and CVE-2025-13845 (use-after-free, CVSS 7.8) — may allow local attackers to execute code if a user opens a malicious file. Schneider released regional fixed builds; users should install the appropriate update, restart services, and follow recommended mitigations if patching is delayed.

🔒 Fortinet issued patches for a critical FortiSIEM vulnerability (CVE-2025-64155, CVSS 9.4) that permits unauthenticated OS command injection and remote code execution via the phMonitor service on TCP port 7900. The flaw enables argument injection leading to arbitrary file writes as admin and a cron-triggered escalation to root. Affected releases span 6.7–7.4 with fixed builds; 7.5 and FortiSIEM Cloud are not impacted. Apply vendor updates or restrict access to port 7900 as a temporary mitigation.

🔒 Microsoft released updates addressing over 100 CVEs on the first Patch Tuesday of 2026, including three zero-day vulnerabilities. CVE-2026-20805 is an actively exploited information-disclosure flaw in the Desktop Window Manager that can undermine ASLR; CVE-2026-21265 concerns a secure-boot certificate-expiration bypass affecting many devices; CVE-2023-31096 is an elevation-of-privilege in legacy Agere modem drivers that Microsoft is removing. Administrators should prioritize patching, review firmware and UEFI certificates, and audit hardware where updates may require manual acceptance.

🔒 Microsoft released its first security update of 2026 addressing 114 vulnerabilities across Windows, including one actively exploited in the wild. The set includes eight Critical and 106 Important flaws, spanning privilege escalation, information disclosure, and remote code execution issues. Administrators are urged to prioritize the exploited CVE-2026-20805 and VBS-related fixes, and to follow guidance for Secure Boot certificate updates to avoid disruption.

⚠️ Node.js has released critical updates to address a bug that can force the runtime to exit rather than throw a catchable error when a stack overflow occurs with async_hooks enabled. The defect causes Node.js to terminate with exit code 7, creating a potential Denial-of-Service vector for applications whose recursion is controlled by unsanitized input. A fix is available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0; older, EOL releases remain vulnerable. Users and maintainers are urged to update promptly.

🛡️ Microsoft’s January 2026 Patch Tuesday addresses eight critical vulnerabilities and an actively exploited zero-day, with many high‑score flaws affecting Office and SharePoint. The Desktop Window Manager information-disclosure bug (CVE-2026-20805) is already being exploited and can leak memory to enable follow-on attacks. Other priorities include an RRAS heap overflow (CVE-2026-20868), Secure Boot certificate updates (CVE-2026-21265), and multiple NTFS and WinSock elevation issues. Administrators should accelerate patching, restrict local access, and monitor for suspicious activity.

🔒 Microsoft released January 2026 security updates addressing 113 vulnerabilities across Windows and supported products, including eight rated Critical. The company confirmed active exploitation of a Desktop Window Manager information disclosure flaw, CVE-2026-20805, which researchers say can be chained to code execution bugs. Other prominent fixes include two Office RCEs exploitable via the Preview Pane, a critical Secure Boot bypass, and removal of legacy modem drivers. Experts urge rapid, risk-based patching and careful BIOS/bootloader preparation.

🔴 On Dec. 19, 2025, MongoDB disclosed MongoBleed (CVE-2025-14847), a critical unauthenticated memory-disclosure in MongoDB Server stemming from handling of zlib-compressed wire messages. An attacker with network access to TCP/27017 can cause the server to return heap memory that may include cleartext credentials, API keys, session tokens, and PII. A public PoC and active exploitation were observed; MongoDB Atlas was auto-patched while self-hosted deployments require immediate manual updates and mitigations such as disabling zlib compression and restricting inbound access.

🔒 Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 systems via Windows Update. The rollout uses high-confidence device targeting and phased signals to ensure only devices with sufficient successful update telemetry receive the new certificates, while administrators can also deploy them using registry keys, WinCS, or Group Policy. Organizations are urged to inventory fleets, verify Secure Boot status, apply firmware updates as needed, and install the certificate updates before existing credentials expire to preserve Secure Boot and pre-boot patching.