All news in category “Security Advisory and Patch Watch”

🔒 Microsoft released the KB5073724 Extended Security Update for Windows 10, available to Windows 10 Enterprise LTSC and systems enrolled in the ESU program. Install via Settings → Windows Update by performing a manual “Check for Updates”; installs update and raises builds to 19045.6809 (Windows 10) and 19044.6809 (Enterprise LTSC 2021). The update contains only security and bug fixes — including patches for three zero-days, an actively exploited elevation-of-privilege fix in Agere modem drivers, an updated WinSqlite3.dll, and targeted handling for expiring Secure Boot certificates.

🛡️ Microsoft released Windows 11 cumulative updates KB5074109 and KB5073455 as the January 2026 Patch Tuesday rollups for 25H2/24H2 and 23H2. The updates are mandatory and advance affected systems to new builds (25H2: 26200.7623 / 24H2: 26100.7462 / 23H2: 226x1.6050), addressing security vulnerabilities, stability fixes, and feature changes. Key fixes include removal of specific legacy modem drivers that will disable dependent hardware, networking repairs for WSL and Azure Virtual Desktop RemoteApp, an NPU idle power fix, an update to WinSqlite3.dll, and a new phased Secure Boot certificate targeting mechanism; Microsoft notes only a minor bug that can hide the password visibility button.

🔒Microsoft released its January 2026 Patch Tuesday updates addressing 114 vulnerabilities, including three zero-day flaws and one actively exploited issue. The bulletin patches an actively exploited Desktop Window Manager information disclosure (CVE-2026-20805), renews expiring Secure Boot certificates, and removes legacy Agere modem drivers (agrsm64.sys, agrsm.sys). Eight vulnerabilities are rated Critical, including six remote code execution flaws. Administrators should prioritize these cumulative updates and apply them promptly to reduce exposure.

🔒 Microsoft released its January 2026 security updates addressing 112 vulnerabilities across Windows and Office, including eight marked critical. One important issue, CVE-2026-20805, was observed exploited in the wild. Critical flaws include RCEs in LSASS, Word, Excel and Office, plus EoP in the Windows Graphics component and VBS Enclave. Cisco Talos published Snort rules to detect exploitation attempts (Snort 2: 65498, 65499, 65663–65676; Snort 3: 301344, 301368–301374).

⚠️ CISA has added a high-severity flaw in Gogs to its Known Exploited Vulnerabilities list after active attacks were observed. Tracked as CVE-2025-8110 (CVSS v4.0 8.7), the issue stems from improper handling of symbolic links in the PutContents API and allows authenticated users to overwrite files outside repositories, potentially enabling remote code execution. Wiz reported hundreds of compromises and Censys shows over 1,600 exposed instances; no official patch is yet available, so administrators should apply immediate mitigations such as disabling open registration and restricting access.

⚠️ Researchers at Black Duck's Cybersecurity Research Center found a high-severity flaw in Broadcom WiFi chipset software that lets an unauthenticated attacker within radio range disable all clients on the 5 GHz band by sending a single crafted 802.11 frame. The behavior was observed while testing ASUS routers but was traced to Broadcom's chipset code rather than router firmware. Broadcom issued a patched software build to customers and ASUS released firmware updates, although a comprehensive list of affected devices has not been published. Recommended mitigations include segmenting wireless networks, auditing legacy access points, and prioritizing firmware updates based on business criticality.

⚠️ CISA warns of a high-severity denial-of-service vulnerability in Rockwell Automation 432ES-IG3 Series A (CVE-2025-9368) that can render the device unresponsive and requires a manual power cycle to recover. The issue affects firmware V1.001 and has a CVSS v3.1 base score of 7.5 (High). Rockwell Automation has released a firmware update; CISA advises implementing network segmentation, firewalling, and secure remote access while planning the upgrade.

🔒 CISA reported several vulnerabilities in the YoSmart YoLink ecosystem impacting the cloud server, Smart Hub, and mobile application. Exploitation could let attackers remotely control other users' devices, intercept unencrypted MQTT traffic, and hijack sessions. YoSmart pushed server-side fixes and will deliver a hub firmware update over-the-air; users should update the YoLink mobile app to 1.40.45 or later.

🔒 A SQL injection vulnerability (CVE-2025-12807) in Rockwell Automation's FactoryTalk DataMosaix Private Cloud could allow low-privilege users to perform unauthorized, sensitive database operations through exposed API endpoints. Affected versions include 7.11, 8.00, and 8.01; vendor updates are available. Rockwell Automation and CISA advise updating to Version 8.01.02 or later and applying network isolation and secure remote access mitigations.

🔔 CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-20805, a Microsoft Windows information disclosure issue identified as being actively exploited. This vulnerability type is a common attack vector and presents significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by prescribed due dates, and CISA strongly urges all organizations to prioritize timely remediation. CISA will continue to update the KEV Catalog as new exploited CVEs meet its criteria.

🔒 ServiceNow has released fixes for a critical flaw in its ServiceNow AI Platform that could allow an unauthenticated actor to impersonate other users and perform arbitrary actions. Tracked as CVE-2025-12420 with a CVSS score of 9.3, the issue was addressed on October 30, 2025 and deployed to the majority of hosted instances. Patches were also shared with partners and self-hosted customers; administrators are advised to apply updates promptly to mitigate risk.

🔒 Three widely used open-source AI/ML Python libraries — NVIDIA NeMo, Salesforce uni2TS, and Apple ml-flextok — were found vulnerable to remote code execution when model metadata was treated as executable configuration. The root cause is unsafe use of configuration-driven instantiation (for example Hydra's instantiate()) that accepts attacker-controlled _target_ values. Vendors released patches and CVE notices; users should apply fixes, restrict allowed targets, and avoid loading models from untrusted sources.

⚠️ CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities catalog after reports of active exploitation targeting Gogs. The high-severity (CVSS 8.7) flaw is a path traversal in the repository file editor's PutContents API that mishandles symbolic links and can lead to remote code execution. There is not yet an official upstream patch, though GitHub pull requests show fixes have been merged and maintainers say new images will include the correction once built. Until patched, users should disable default open-registration, restrict server access behind VPNs or allow-lists, and apply other access controls; FCEB agencies must implement mitigations by Feb 2, 2026.

🔔 Microsoft released its January 2026 Patch Tuesday addressing 114 vulnerabilities, including three zero-days and several Critical flaws. Notable fixes include an actively exploited information-disclosure issue in Windows Desktop Window Manager (CVE-2026-20805) and publicly disclosed zero-days in Agere Soft Modem and Secure Boot. The release also remediates multiple Critical RCE and elevation-of-privilege issues across Windows and Microsoft Office. Organizations should prioritize testing and deployment and apply compensating controls where immediate patching is impractical.

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a high-severity remote code execution flaw in Gogs tracked as CVE-2025-8110. The issue is a path traversal weakness in the PutContents API that lets authenticated attackers overwrite files outside repositories via symbolic links, enabling arbitrary command execution. Patches released last week add symlink-aware path validation; agencies must remediate by February 2, 2026. Administrators are advised to disable default open registration and restrict server access.

🔒 Researchers showed that tapping what looks like a Telegram username can trigger the app to auto-connect to a proxy and reveal your real IP address. The issue arises from how MTProto proxy links (t.me/proxy?...) are parsed on Android and iOS: the client performs an automatic test connection before the proxy is added. Attackers can host malicious proxies and disguise links as benign usernames or URLs to log IPs for location, profiling, or DDoS. Telegram says IP visibility is not unique to its platform and will add warnings for proxy links; users should be cautious with unfamiliar t.me links.

⚠️ A maximum-severity flaw dubbed Ni8mare (CVE-2026-21858) affects n8n and can allow unauthenticated remote attackers to take control of local instances by exploiting improper input validation in Form Submission triggers. Researchers say the bug enables secret exfiltration, session forgery, file injection, and command execution. Administrators should upgrade to n8n 1.121.0 immediately or restrict public webhook/form endpoints as a temporary mitigation.

🔍 Mandiant introduces AuraInspector, an open-source CLI to detect access-control misconfigurations in Salesforce Aura implementations. The post explains common Aura endpoint methods attackers misuse, a GraphQL technique to bypass the 2,000-record retrieval limit, and how action bulking can enumerate records. It also outlines remediation steps and security best practices to restrict Guest and authenticated user privileges.

⚠️ CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) Catalog for a Gogs path traversal vulnerability after evidence of active exploitation. The advisory cites BOD 22-01 requirements for Federal Civilian Executive Branch agencies to remediate cataloged KEV entries by the due date. CISA strongly urges all organizations to prioritize timely patching to reduce exposure. CISA will continue to add vulnerabilities that meet the specified criteria.

🛡️ Trend Micro has released a security update for Apex Central after vulnerability management vendor Tenable identified multiple serious flaws affecting all on-premises builds earlier than 7190. The most severe is a 9.8-rated LoadLibraryEX issue that can allow an unauthenticated attacker to force the server to load and execute an attacker-controlled DLL as SYSTEM. Two additional high-severity, unauthenticated flaws can cause denial-of-service. Trend Micro urges customers to apply build 7190 and review remote access controls immediately.