All news in category “Security Advisory and Patch Watch”

🔒 Microsoft’s October Patch Tuesday delivers updates for 172 vulnerabilities, including six classed as zero-days. Three of those zero-days are being actively exploited, affecting the Windows Remote Access Connection Manager (CVE-2025-59230), an Agere modem kernel driver, and a secure-boot bypass in IGEL OS (CVE-2025-47827). Microsoft has removed the legacy Agere driver rather than patch it, citing risks in modifying unsupported code. This release also marks the final free Patch Tuesday for Windows 10; continued updates will require the Extended Security Updates (ESU) program.

🔒 Microsoft released updates addressing 183 vulnerabilities across its products, including three flaws now known to be exploited in the wild. Two Windows zero-days — CVE-2025-24990 (Agere modem driver, ltmdm64.sys) and CVE-2025-59230 (RasMan) — can grant local elevation of privilege; Microsoft plans to remove the legacy Agere driver rather than patch it. A third exploited issue bypasses Secure Boot in IGEL OS (CVE-2025-47827). With Windows 10 support ending unless enrolled in ESU, organizations should prioritize these fixes; CISA has added the three to its KEV catalog and set a federal remediation deadline.

🔒 Claroty Team82 disclosed two critical vulnerabilities (CVE-2023-40151 and CVE-2023-42770) affecting Red Lion Sixnet SixTRAK and VersaTRAK RTUs, both rated 10.0 on the CVSS scale. One flaw is an authentication bypass that accepts unauthenticated TCP messages on port 1594; the other enables remote shell execution via the Sixnet Universal Driver (UDR), allowing commands to run as root. Chaining the issues permits unauthenticated remote root code execution, creating substantial risk to industrial automation. Users are advised to apply vendor patches, enable and correctly configure authentication, and block TCP access to affected devices immediately.

🔒 Researchers warn of a critical unauthenticated command injection in ICTBroadcast (CVE-2025-2611, CVSS 9.3) that allows attackers to inject shell commands via the BROADCAST session cookie. Exploits observed since October 11 used a time-based probe followed by Base64-encoded payloads to establish reverse shells. Approximately 200 internet-facing instances running versions 7.4 and earlier appear exposed; vendor comment and patch status remain unclear.

🔒 SAP has released security updates addressing 13 vulnerabilities, including a maximum-severity insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944, CVSS 10.0) that can lead to arbitrary OS command execution via the RMI‑P4 module. The vendor's latest patch adds a JVM-wide serial filter (jdk.serialFilter) to block dangerous classes and packages — a list curated with the ORL and recommended by security firm Onapsis — and complements an earlier remediation issued last month. Other critical fixes include a directory traversal in SAP Print Service (CVE-2025-42937, 9.8) and an unrestricted file upload in SAP Supplier Relationship Management (CVE-2025-42910, 9.0); administrators are urged to apply patches and mitigations immediately.

🔒 Microsoft’s October Patch Tuesday addresses 167 vulnerabilities, including seven rated critical that require immediate CISO attention. Notable fixes include a 9.8 RCE in Windows Server Update Service (WSUS) (CVE-2025-59287) and two Office RCEs exploitable via the Preview Pane. Two legacy Agere modem driver flaws include an in-the-wild zero day and a prior public disclosure, prompting Microsoft to remove ltmdm64.sys from Windows. Administrators should prioritize internet-facing services, kernel-mode drivers, and review WSUS exposure and patch management architecture.

⚠️ Microsoft’s October 2025 updates close 172 security holes and include at least two actively exploited zero‑days. The company removed a decades-old Agere modem driver to mitigate CVE-2025-24990 and patched an elevation-of-privilege zero-day in RasMan (CVE-2025-59230). A critical unauthenticated RCE in WSUS (CVE-2025-59287) carries a 9.8 threat score and should be prioritized. This release also marks the end of security updates for Windows 10, prompting ESU enrollment or migration options.

🛡️ Microsoft’s October 2025 Patch Tuesday addresses 175 Microsoft CVEs and 21 non‑Microsoft CVEs, including 17 rated critical and 11 marked important, with three already observed exploited in the wild. Talos highlights active exploitation of CVE-2025-24990 (Agere Modem driver), CVE-2025-59230 (Remote Access Connection Manager), and CVE-2025-47827 (IGEL OS Secure Boot bypass) and urges prompt remediation. Cisco Talos also published new Snort rules to detect many of these exploits and recommends updating patches, removing unsupported drivers, and refreshing IDS/IPS signatures.

🔔 Microsoft has issued the final cumulative update for Windows 10, KB5066791, as the OS reaches end of support on October 14, 2025. The mandatory update delivers Microsoft's October 2025 Patch Tuesday fixes, closing six zero-day vulnerabilities and addressing 172 additional flaws. After installation, Windows 10 22H2 and 21H2 are updated to builds 19045.6456 and 19044.6456; users can install via Windows Update or the Microsoft Update Catalog and may schedule restarts to complete the process.

🔍 A new side‑channel attack called Pixnapping allows a permissionless Android app to infer and reconstruct on‑screen pixels and steal sensitive content such as one‑time authentication codes, chat messages, and emails. The technique abuses Android intents and SurfaceFlinger compositing to isolate and enlarge individual pixels, then uses a GPU compression side channel to leak visual data. The proof‑of‑concept from a team of seven U.S. university researchers works on modern Pixel and Samsung devices and can extract 2FA codes in under 30 seconds; Google issued an initial mitigation (CVE‑2025‑48561) in September that was bypassed, and a broader fix is planned for December 2025, with Samsung committing to patches as well.

🔒 Microsoft released its October 2025 Patch Tuesday, addressing 172 vulnerabilities including six zero‑day flaws and eight Critical issues. The updates include five remote code execution and three elevation‑of‑privilege critical bugs, along with numerous information disclosure, denial‑of‑service and security feature bypass fixes. Notable actions include the removal of an Agere modem driver and patches for exploited elevation‑of‑privilege and SMB/SQL Server issues. Windows 10 reaches end of support with this release; Extended Security Updates remain available for organizations and consumers.

🔒 Microsoft has released cumulative updates KB5066835 and KB5066793 for Windows 11 versions 25H2/24H2 and 23H2 as part of the October 2025 Patch Tuesday. These mandatory updates move systems to Build 26200.6899 (25H2/24H2) and 226x1.6050 (23H2) and address recent security vulnerabilities plus several functional issues. Notable fixes include a Chromium print preview hang, PowerShell Remoting timeouts, Windows Hello USB IR camera setup failures, and a gaming sign-in input bug. The update also removes the ltmdm64.sys modem driver and rolls out new AI, accessibility, and File Explorer features gradually.

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

🔍 A public dispute has emerged between FuzzingLabs and Gecko Security after FuzzingLabs accused Gecko of copying vulnerability PoCs, backdating blog posts, and filing duplicate CVEs for flaws FuzzingLabs disclosed in late 2024 and early 2025. Gecko denies wrongdoing, says overlaps arose from coordinating directly with maintainers, and has updated credits and dates. The episode underscores tensions in responsible disclosure and CVE attribution.

🔒 October's Cybersecurity Awareness Month is a reminder that timely software patching is essential to reduce risk. Last year saw around 40,000 newly disclosed vulnerabilities — roughly a 30% increase — and 2025 is on track to set another record, while attackers increasingly exploit unpatched flaws. In a video, ESET Chief Security Evangelist Tony Anscombe explains why delayed patching effectively invites threat actors into your network. Stay tuned for more awareness videos and consider ESET's cybersecurity awareness training.

🔒 Eclypsium discovered that Framework shipped signed UEFI shells containing a dangerous mm (memory modify) command that can directly read and write system RAM and be leveraged to disable Secure Boot. By overwriting the gSecurity2 security handler pointer to NULL or redirecting it to a stub that always returns success, the mm command stops signature verification and can permit bootkits to load. Framework estimates roughly 200,000 affected units; users should apply available firmware and DBX updates, restrict physical access, or temporarily remove Framework's DB key in BIOS until patches are applied.

⚠️ Researchers at Eclypsium warn that roughly 200,000 Framework Linux systems shipped with legitimately signed UEFI shells containing a dangerous mm (memory modify) command. The command can read and write physical memory and be used to overwrite the gSecurity2 pointer that enforces UEFI signature checks, effectively disabling verification. That failure allows persistent bootkits to load at boot time and survive OS reinstalls. Framework is issuing firmware and DB/DBX updates; users should apply patches or follow temporary mitigations until fixes are available.

⚠️ Rockwell Automation disclosed two remotely exploitable vulnerabilities in the 1715 EtherNet/IP Comms Module (versions 3.003 and earlier) that have a CVSS v4 base score of 7.7. One issue (CWE-770, CVE-2025-9177) allows resource exhaustion of the device web server causing a crash; the other (CWE-787, CVE-2025-9178) permits crafted CIP payloads to trigger an out-of-bounds write and loss of CIP communication. Rockwell has released firmware version 3.011 to address both flaws; operators who cannot immediately upgrade should implement recommended network segmentation, firewalling, and secure remote-access controls.