< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 8 of 103

SAP patches critical NetWeaver and Commerce Cloud flaws

🔒 SAP released its June 2026 security update addressing 15 vulnerabilities, including four critical issues affecting SAP NetWeaver and SAP Commerce Cloud. The critical flaws include XML Signature Wrapping (CVE-2026-44748), a memory corruption bug (CVE-2026-27671), a Spring Security-related issue (CVE-2026-22732), and a directory traversal in the Java web container (CVE-2026-40128). Organizations should prioritize patching these high-impact defects immediately.
read more →

Microsoft issues Windows 10 KB5094127 update

🔒 Microsoft released the Windows 10 KB5094127 Extended Security Update, which applies June 2026 Patch Tuesday fixes and adds functionality to monitor the rollout of renewed Secure Boot certificates. The update brings Windows 10 to build 19045.7417 and Windows 10 Enterprise LTSC 2021 to build 19044.7417, and is available to Enterprise LTSC and ESU-enrolled systems via Windows Update. It also improves File Explorer search, enables dynamic Secure Boot status reporting, introduces the LimitSecureBootRequiredServiceData policy, and expands targeted delivery of new Secure Boot certificates. Microsoft warns of a known BitLocker recovery prompt issue for certain TPM/PCR7 and Secure Boot configurations and suggests a temporary Group Policy workaround while a permanent fix is prepared.
read more →

Microsoft June 2026 Patch Tuesday fixes 200 flaws

🛡️ Microsoft released its June 2026 Patch Tuesday addressing 200 vulnerabilities, including three publicly disclosed zero-day flaws. The update includes 33 Critical issues — 28 of them remote code execution — and a broad mix of elevation of privilege, information disclosure, spoofing, and DoS bugs. Microsoft also provided mitigations and new settings, such as MaxHeadersCount for HTTP/2, and highlighted that some fixes were issued earlier for cloud and Edge components.
read more →

Microsoft June 2026 Patch Tuesday: 200 Flaws Fixed

🛡️ Microsoft released its June 2026 Patch Tuesday addressing 200 vulnerabilities, including five publicly disclosed zero-days and one actively exploited flaw. The updates cover 33 Critical issues, with numerous RCE, elevation of privilege, information disclosure, and other vulnerabilities across Windows, Exchange, BitLocker, HTTP/2 and more. Microsoft also provided mitigations and new settings such as a MaxHeadersCount registry key for HTTP/2.
read more →

Windows 11 June 2026 Cumulative Updates Released

🔔 Microsoft released Windows 11 cumulative updates KB5094126 and KB5093998 for 25H2/24H2 and 23H2 on Patch Tuesday, delivering security fixes, bug patches, and new features. The updates change build numbers and add capabilities like Shared Audio and expanded Xbox mode, plus Task Manager NPU visibility and Multi‑App Camera. Install via Settings > Windows Update or the Microsoft Update Catalog for the June 2026 security rollup.
read more →

Veeam issues patch for critical Backup & Replication RCE

🛡️ Veeam released patches for a critical remote code execution flaw in Backup & Replication, tracked as CVE-2026-44963 with a CVSS score of 9.4. The issue allowed an authenticated domain user to execute code on the Backup Server and affects 12.3.2.4465 and earlier 12.x builds; version 13.x is not vulnerable. The flaw was reported by watchTowr researcher Sina Kheirkhah and fixed in build 12.3.2.4854; users are urged to update promptly.
read more →

Critical Veeam RCE Flaw Affects Domain-Joined Servers

🔒 Veeam released updates to fix a critical remote code execution vulnerability in Backup & Replication (CVE-2026-44963) that affects 12.x builds up to 12.3.2.4465 and was patched in 12.3.2.4854. Any authenticated low-privilege domain user can exploit the issue, but only domain-joined installations are impacted. Veeam noted version 13.x is not affected due to architectural changes and urged customers to apply updates promptly as attackers commonly reverse-engineer patches.
read more →

Critical phpBB authentication bypass risks accounts

🛡️ A critical authentication bypass in phpBB forum software allows an attacker to hijack any account, including administrators, with a single unauthenticated request and no password. Tracked as PTT-2026-004 and rated 9.4, the flaw affects all versions up to 3.3.16 (and 4.0.0 alpha) using default database authentication, while a second OAuth-related issue (PTT-2026-005, 8.3) can bind attacker credentials via CSRF and missing state checks. phpBB released 3.3.17 on June 6 to fix both issues and urged immediate upgrades; temporary mitigations include disabling OAuth and auditing OAuth bindings.
read more →

EcoStruxure Panel Server insecure default credentials

🔒 Schneider Electric disclosed a CWE-1188 vulnerability in EcoStruxure Panel Server products that may cause credentials to revert to insecure defaults in rare circumstances, permitting unauthorized authentication and disclosure of sensitive information. A vendor firmware update (version 002.006.000) is available for affected PAS400/PAS600/PAS800 and V2 variants and requires a reboot. Users are advised to apply the update and follow recommended ICS segmentation and hardening best practices.
read more →

KACO Blueplanet Inverters: Credential and SQL Injection Risk

🔒 KACO blueplanet inverters contain vulnerabilities that can expose service credentials and allow SQL injection against management components. Siemens and KACO new energy have released updates for some models and recommend updating to the latest firmware where fixes exist. Operators should minimize network exposure, segment control networks, and apply vendor security updates after validation and supervised deployment.
read more →

RADIUS Message Integrity Flaw in Modicon Switches

🔒 Schneider Electric disclosed a RADIUS protocol vulnerability (CVE-2024-3596) affecting Modicon Network Managed Switches when the RADIUS Server Message Authenticator option is disabled. The flaw can allow forged RADIUS responses, potentially causing denial of service and loss of confidentiality or integrity for devices connected to the switch. Default configurations are not vulnerable; vendors provide CLI and MIB guidance to ensure msgauth remains enabled. CISA republished the advisory to increase visibility and recommends standard ICS network hardening practices.
read more →

Check Point warns of IKEv1 VPN authentication flaw

🔒 Check Point released emergency hotfixes for IKEv1-related VPN vulnerabilities after confirming active exploitation of a critical authentication bypass. The primary flaw (CVE-2026-50571) can let unauthenticated attackers establish VPN sessions without valid passwords, providing a foothold for further intrusions. A second issue (CVE-2026-50752) risks MITM interference in site-to-site VPNs. Check Point urges immediate patching and migration to IKEv2 where possible.
read more →

Chrome V8 zero-day patched; urgent user update

🛡️ Google released fixes for 74 vulnerabilities in Chrome, including an actively exploited high-severity V8 issue, CVE-2026-11645 (CVSS 8.8). The flaw is an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine that could allow code execution inside a sandbox via a crafted HTML page. Researcher "303f06e3" reported the bug on April 27, 2026, and received a $55,000 bounty. Users should update Chrome to the latest 149.0.7827.102/.103 versions and apply corresponding updates for other Chromium-based browsers.
read more →

Google issues emergency Chrome update addressing zero-day

🔒 Google has released an emergency update for Chrome addressing 74 vulnerabilities, including a high-severity zero-day that has been exploited in the wild. The bulletin, published on June 8, fixes 17 critical, 55 high-severity and two medium-severity flaws, with updates rolling out to Windows, Mac and Linux users over the coming days and weeks. The exploited V8 bug, CVE-2026-11645, was reported April 27 and earned the researcher $55,000.
read more →

CISA orders patch for Check Point VPN zero-day

🔒 CISA has directed U.S. federal agencies to patch a critical Check Point Remote Access VPN and Mobile Access vulnerability (CVE-2026-50751) that has been exploited in active attacks since May 7. The flaw allows unauthenticated remote attackers to bypass authentication on systems using the deprecated IKEv1 key exchange and legacy remote access clients. Check Point released updates and provided mitigations for organizations that cannot immediately patch, while CISA added the issue to its KEV Catalog and set a June 11 compliance deadline for federal agencies.
read more →

Google issues emergency Chrome zero-day patch

🔒 Google has released an emergency update to address CVE-2026-11645, the fifth Chrome zero-day fixed this year. The flaw, an out-of-bounds read/write in the V8 JavaScript engine, can be exploited by crafted HTML to achieve arbitrary code execution from within the browser sandbox. Patched Stable channel versions for Windows, macOS, and Linux are rolling out, and Google warns details may stay restricted until most users are updated.
read more →

Active privilege escalation flaw in Cisco SD‑WAN Manager

🔒 Cisco warns of an actively exploited high-severity vulnerability in Catalyst SD‑WAN Manager that allows authenticated attackers to escalate privileges to root. The flaw, tracked as CVE-2026-20245, requires local access and netadmin privileges but can be chained with prior authentication bypass bugs. Cisco recommends upgrading to the latest versions, checking edge device configurations, saving logs, and contacting TAC if indicators of compromise are found.
read more →

One-character Linux kernel flaw enables local root

🔒 Security researchers published a working exploit for a Linux kernel use-after-free, CVE-2026-23111, allowing unprivileged local users to escalate to root and escape containers. The bug resides in nf_tables packet-filtering code and was patched upstream on February 5, 2026; public exploit write-ups appeared in April and June. The reachable setup requires nf_tables and unprivileged user namespaces, common defaults on many desktops and server builds. Administrators should update their kernel packages and reboot to mitigate the issue.
read more →

Critical Zcash Orchard Vulnerability Disclosed and Patched

🔒 On May 29, researcher Taylor Hornby discovered a critical flaw in Zcash's Orchard shielded pool; the Zcash team had contracted him specifically for this audit. The vulnerability involved a missing enforcement in a validation check that could have allowed creation of ZEC out of thin air despite valid-looking zero-knowledge proofs. The issue has been patched, but there is no reliable way to determine whether the bug was exploited prior to the fix.
read more →

Gogs patches critical zero-day enabling RCE

🛡️ Gogs has released version 0.14.3 to patch a critical argument-injection zero-day that allows authenticated non-admin users to execute remote code and access any repository, including private ones. The flaw affects all releases up to 0.14.2 and 0.15.0+dev and was reported by Rapid7 researcher Jonah Burgess. Rapid7 urges immediate upgrades and provided mitigations such as disabling open registration and restricting repo creation for instances that cannot be patched immediately.
read more →