< ciso brief />

All news with #patch management tag

81 articles · page 2 of 5

The Collapse of the Patch Window: Rapid Exploitation

🔍 In this Talos Threat Perspective episode, Hazel Burton explores how vulnerabilities are being converted into working exploits far faster than before. Where remediation once took weeks or months, weaponization now occurs in days, hours, and sometimes immediately after disclosure, helped by proof-of-concept code, automation, and AI-assisted tooling, as demonstrated with React2Shell. Attackers are targeting what is exposed, accessible, and valuable, compressing the defender's patch window and forcing new approaches to risk prioritization.
read more →

Analysis: CISA KEV Data Reveals Limits of Human Security

🔍 Analysis of more than one billion CISA KEV remediation records across 10,000 organizations over four years shows defensive operations have hit a human ceiling. Time-to-Exploit averages negative seven days (exploitation, on average, precedes public disclosure by a week), while vulnerability volume has risen 6.5× since 2022. Qualys identifies a "Manual Tax" and recommends shifting to autonomous, closed-loop Risk Operations Centers that measure "Risk Mass" rather than raw CVE counts.
read more →

Patch Window Collapses as Exploits Rapidly Accelerate

⚠️ Rapid7's Cyber Threat Landscape Report shows confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities surged 105% year-over-year, while median time to CISA KEV inclusion fell to 5.0 days and mean time-to-exploit dropped to 28.5 days. Industry observers cite the industrialization of cybercrime and the use of AI to speed discovery and exploit development. Experts warn that patches increasingly act as roadmaps for attackers, and urge adoption of secure-by-design, aggressive pre-release testing, and faster isolation or rebuild capabilities to counter the collapsing patch window.
read more →

Microsoft forces upgrade of unmanaged Windows 11 24H2

🔁 Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. The company says its machine-learning-based intelligent rollout now targets all Home and Pro 24H2 systems not managed by IT, and those devices will stop receiving fixes, time zone updates, technical support, and monthly security updates once 24H2 reaches end of support on October 13, 2026. Users can manually check for the 25H2 update in Settings > Windows Update, pause updates temporarily, or follow Microsoft's support guidance if issues occur.
read more →

Amazon WorkSpaces Applications adds instance drain mode

🔁 Amazon WorkSpaces Applications introduces a drain mode for multi-session fleets that prevents instances from accepting new user sessions while allowing existing sessions to continue uninterrupted. Administrators can use this capability to perform maintenance, apply security patches, or scale down resources without forcibly terminating users. The change routes new connections to other available instances, improving stability and end-user experience, and is available at no additional cost in all supported AWS Regions.
read more →

Five Critical Steps to Strengthen Endpoint Security

🔒 Business resilience begins at the endpoint. Drawing on N-able SOC data, the article highlights that over 900,000 alerts were processed between March and December 2025 and that 18% originated from network and perimeter exploits—threats many endpoint-only tools missed. It prescribes continuous asset visibility, standardized secure configurations, automated patching and remediation, EDR for behavioral detection and response, and integrated backup and recovery to minimize downtime.
read more →

Falcon for IT: Managed Windows Secure Boot Certificate

🔒 CrowdStrike explains how Falcon for IT helps enterprises manage the transition from the Windows UEFI CA 2011 certificate to Windows UEFI CA 2023 ahead of Microsoft’s 2026 enforcement. The content pack provides fleet-wide Secure Boot posture assessment, controlled enrollment into Microsoft’s managed rollout, emergency blocking for incompatible hardware, and centralized audit logging. It emphasizes validating virtualization stacks, coordinating endpoint and server teams, and completing staged rollouts before enforcement to avoid inconsistent firmware trust states and compressed remediation windows.
read more →

AWS Batch: AMI status and AWS Health events for compute

🔔 AWS Batch now reports the AMI status for Batch-provided default Amazon Machine Images when you describe a compute environment, indicating LATEST or UPDATE_AVAILABLE. It also publishes AWS Health Planned Lifecycle Events to provide advance notification of scheduled changes such as AMI deprecations and other lifecycle activities. Both capabilities are available today in all Regions where AWS Batch runs and can be integrated with Amazon EventBridge to automate monitoring and remediation.
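The EventBridge side of the Batch announcement, as an added example (not AWS's code or the article's): an event pattern for AWS Health scheduled-change events, a small matcher that shows what the pattern means, and a Lambda-style handler that turns a matched planned-lifecycle event into a summary with the affected compute environments and days remaining. "aws.health" and "AWS Health Event" are the documented source and detail-type; the service code "BATCH", the event type code, the ARNs and the dates in the sample event are assumptions or placeholders.

```python
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# EventBridge event pattern for AWS Health scheduled changes affecting AWS Batch.
# "aws.health" / "AWS Health Event" are the documented source and detail-type;
# the service code "BATCH" is an assumption, confirm it against a real event.
BATCH_LIFECYCLE_RULE = {
    "source": ["aws.health"],
    "detail-type": ["AWS Health Event"],
    "detail": {
        "service": ["BATCH"],
        "eventTypeCategory": ["scheduledChange"],
    },
}

# Constructed sample in the shape AWS Health delivers to EventBridge.
# Account, ARNs, event type code and dates are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.health",
    "detail-type": "AWS Health Event",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventArn": "arn:aws:health:us-east-1::event/BATCH/AWS_BATCH_PLANNED_LIFECYCLE_EVENT/placeholder",
        "service": "BATCH",
        "eventTypeCode": "AWS_BATCH_PLANNED_LIFECYCLE_EVENT",
        "eventTypeCategory": "scheduledChange",
        "startTime": "Mon, 01 Jun 2026 00:00:00 GMT",
        "endTime": "Wed, 01 Jul 2026 00:00:00 GMT",
        "eventDescription": [
            {"language": "en_US",
             "latestDescription": "A default Batch AMI used by the listed compute "
                                  "environments is scheduled for deprecation."},
        ],
        "affectedEntities": [
            {"entityValue": "arn:aws:batch:us-east-1:123456789012:compute-environment/ce-prod-a"},
            {"entityValue": "arn:aws:batch:us-east-1:123456789012:compute-environment/ce-prod-b"},
        ],
    },
}


def utc_datetime(year, month, day):
    """Timezone-aware UTC datetime, used as the 'now' reference for deadlines."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def rule_matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must exist in the event;
    a list means 'the event value is one of these', a dict recurses into a nested object."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not rule_matches(want, have):
                return False
        elif have not in want:
            return False
    return True


def summarize_lifecycle_event(event, now):
    """Turn a matched Health event into a ticket-ready summary: which compute
    environments are affected and how many days remain before the change lands."""
    detail = event["detail"]
    deadline = parsedate_to_datetime(detail["endTime"])  # RFC 1123 timestamp as Health emits it
    english = next(d["latestDescription"] for d in detail["eventDescription"]
                   if d["language"] == "en_US")
    return {
        "event_type": detail["eventTypeCode"],
        "days_remaining": (deadline - now).days,
        "affected": [e["entityValue"] for e in detail["affectedEntities"]],
        "description": english,
    }


def handler(event, now=None):
    """Lambda-style entry point: ignore events the rule would not match, summarize the rest."""
    if not rule_matches(BATCH_LIFECYCLE_RULE, event):
        return None
    return summarize_lifecycle_event(event, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, now=utc_datetime(2026, 6, 1)))
```

The matcher only implements the pattern features the rule above uses (exact-value lists and nested objects); in production the rule is evaluated by EventBridge itself, and the matcher is there so the pattern can be unit-tested against captured events before it is deployed.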
read more →

Endpoint Security Fails on One in Five Enterprise Devices

🛡️ Research by Absolute Security finds endpoint cybersecurity software fails to protect one in five enterprise devices, equivalent to 76 days per year of increased exposure to attackers. The 2026 Resilience Risk Index, published March 23, ties this gap to patch delays and rising endpoint complexity, with 24% of vulnerability platforms out of compliance. The report urges stronger enforcement of patch and update policies to reduce downtime and remediation costs.
read more →

Amazon RDS Custom: OS Update Scheduling for SQL Server

⚙️ Amazon RDS Custom for SQL Server now enables customers to view and schedule operating system updates for RDS-provided engine versions (RPEVs), where each RPEV is a SQL Server version pre-installed on an Amazon Machine Image. Customers can check pending updates via the describe-pending-maintenance-actions API or subscribe to event RDS-EVENT-0230 for alerts. They can apply updates immediately or use apply-pending-maintenance-action to schedule installation during the next maintenance window. These capabilities are available in all AWS Regions that offer RDS Custom for SQL Server.
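A triage routine for the describe/apply pair named above, as an added example that is not AWS's code: it walks a `describe-pending-maintenance-actions` response, skips actions already opted in, applies anything whose auto-apply deadline is close (or that the operator has flagged) immediately, defers the rest to the next maintenance window, and emits the matching `aws rds apply-pending-maintenance-action` command for each. The response shape and the `--apply-action`/`--opt-in-type` flags are real; the ARN, the dates and the action names in the constructed sample (`os-upgrade` in particular) are placeholders and assumptions, so check them against real output.

```python
from datetime import datetime, timezone

# Constructed sample shaped like `aws rds describe-pending-maintenance-actions` output
# for one RDS Custom for SQL Server instance. ARN and dates are placeholders; the
# action names are assumptions (real values vary by engine and action type).
PENDING_ACTIONS = {
    "PendingMaintenanceActions": [
        {
            "ResourceIdentifier": "arn:aws:rds:us-east-1:123456789012:db:sqlserver-custom-01",
            "PendingMaintenanceActionDetails": [
                {
                    "Action": "os-upgrade",
                    "Description": "Operating system security updates for the RPEV AMI",
                    "AutoAppliedAfterDate": "2026-05-20T00:00:00Z",
                },
                {
                    "Action": "ca-certificate-rotation",
                    "Description": "Rotate the instance's server certificate",
                    "AutoAppliedAfterDate": "2026-08-01T00:00:00Z",
                },
                {
                    "Action": "system-update",
                    "Description": "Minor engine maintenance",
                    "AutoAppliedAfterDate": "2026-07-01T00:00:00Z",
                    "OptInStatus": "next-maintenance",  # already scheduled by an operator
                },
            ],
        }
    ]
}


def utc_datetime(year, month, day):
    """Timezone-aware UTC datetime used as the 'now' reference."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_iso(ts):
    """Parse the ISO-8601 'Z' timestamps RDS returns into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def plan_maintenance(response, now, urgent_within_days=7, apply_now=frozenset()):
    """Decide, per pending action, between 'immediate' and 'next-maintenance'.
    Rules: already opted in -> leave alone; action listed in apply_now, or a forced /
    auto-apply deadline within urgent_within_days -> immediate; otherwise defer to the
    maintenance window RDS already has scheduled for the instance."""
    plan = []
    for resource in response["PendingMaintenanceActions"]:
        arn = resource["ResourceIdentifier"]
        for detail in resource["PendingMaintenanceActionDetails"]:
            if detail.get("OptInStatus"):
                continue
            deadline = detail.get("ForcedApplyDate") or detail.get("AutoAppliedAfterDate")
            days_left = (parse_iso(deadline) - now).days if deadline else None
            urgent = detail["Action"] in apply_now or (
                days_left is not None and days_left <= urgent_within_days
            )
            opt_in = "immediate" if urgent else "next-maintenance"
            plan.append({
                "resource": arn,
                "action": detail["Action"],
                "days_left": days_left,
                "opt_in_type": opt_in,
                "command": (
                    "aws rds apply-pending-maintenance-action"
                    f" --resource-identifier {arn}"
                    f" --apply-action {detail['Action']}"
                    f" --opt-in-type {opt_in}"
                ),
            })
    return plan


if __name__ == "__main__":
    for item in plan_maintenance(PENDING_ACTIONS, now=utc_datetime(2026, 5, 15)):
        print(item["days_left"], item["command"])
```

Feed the real response in with `aws rds describe-pending-maintenance-actions --resource-identifier <arn> --output json`; pairing this with an event subscription for RDS-EVENT-0230 means the plan is recomputed when a new OS update appears rather than on a polling schedule.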
read more →

Federal Push Reinforces the Importance of Perimeter Security

🔒 The article argues the cyber perimeter was never dead but was abandoned, leaving unsupported firewalls, routers, and remote access appliances as easy footholds for attackers. It outlines the FBI’s Operation Winter SHIELD, a concentrated two-month effort targeting weak authentication, excessive privileges, and unpatched edge devices, and CISA’s BOD 26‑02, which mandates removal of end-of-life perimeter hardware within 18 months. The piece warns that neglecting edge devices undermines identity-first strategies and urges CISOs to regain total edge visibility and enforce disciplined asset lifecycles, strong hardware-based authentication, rapid patching, and strict privilege controls.
read more →

Microsoft to Enable Hotpatch Security Updates by Default

🔔 Starting with the May 2026 Windows security update, Microsoft will enable hotpatch security updates by default for all eligible devices managed via Microsoft Intune and the Microsoft Graph API. The updates will be delivered through Windows Autopatch and are intended to halve the time to reach 90% patch compliance by applying fixes without requiring immediate restarts. Organizations can opt out at the tenant level through Intune controls that go live April 1, 2026, and administrators should use the Hotpatch quality updates report to confirm device readiness.
read more →

CISA Adds Five Vulnerabilities to KEV Catalog, March 2026

🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The new entries affect Hikvision, Rockwell, and multiple Apple products and include CVE-2017-7921, CVE-2021-22681, CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000. Under BOD 22-01 Federal Civilian Executive Branch agencies must remediate listed CVEs by the required due dates; CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to common attack vectors.
read more →

UK VMS Cuts Remediation Time for Public Websites by Half

🔒 The UK’s new vulnerability monitoring service (VMS) continuously scans more than 6,000 public bodies, detecting around 1,000 vulnerability types and processing roughly 400 confirmed findings a month. The service reduced median remediation for general vulnerabilities from 53 to 32 days and cut DNS fix times from 50 to eight days. VMS provides specific, actionable guidance and tracks issues until closure, while the government pairs the platform with a £210m Cyber Action Plan and a new Cyber Profession to address skills gaps.
read more →

Third-Party Patching: Securing the Common Business Footprint

🔒 Third-party utilities, such as PDF readers, archive utilities, email clients, browsers, and remote-access tools, form a predictable business footprint attackers favor because of their ubiquity and users' routine behavior. These background applications often drift unpatched across endpoints, creating high-probability targets that scale across organizations. Continuous visibility and consistent third-party patching are presented as practical levers to reduce real-world exploit risk. Organizations should inventory required tools, remove unused defaults, and prioritize remediation to shrink the exposure window.
read more →

CISA Adds Four Vulnerabilities to Known Exploited Catalog

⚠ CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions are CVE-2008-0015 (Microsoft Windows Video ActiveX remote code execution), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar unrestricted upload of dangerous files), and CVE-2026-2441 (Google Chromium CSS use-after-free). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by the due date, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
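For the two KEV additions above (the March 2026 five and this set of four), one added example that is neither CISA's code nor either article's: it loads a feed in the shape of CISA's `known_exploited_vulnerabilities.json`, joins it against an asset inventory, and ranks the matches by BOD 22-01 urgency, overdue first, then soonest due date, with ransomware-linked entries ahead of others on the same date. The field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`, ...) are the feed's real ones; the CVE IDs are those named in the two entries, but the dates, descriptions, ransomware flags and the inventory are constructed placeholders, not CISA's actual values.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs come from the two
# KEV entries discussed above; dates, descriptions and ransomware flags are placeholders.
KEV_FEED = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "placeholder",
  "count": 5,
  "vulnerabilities": [
    {"cveID": "CVE-2026-2441", "vendorProject": "Google", "product": "Chromium",
     "vulnerabilityName": "Google Chromium CSS Use-After-Free Vulnerability",
     "dateAdded": "2026-03-10", "dueDate": "2026-03-31",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-7796", "vendorProject": "Synacor", "product": "Zimbra",
     "vulnerabilityName": "Synacor Zimbra Server-Side Request Forgery Vulnerability",
     "dateAdded": "2026-03-17", "dueDate": "2026-04-07",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Video ActiveX Remote Code Execution Vulnerability",
     "dateAdded": "2026-03-17", "dueDate": "2026-04-07",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "Multiple Products",
     "vulnerabilityName": "Hikvision Improper Authentication Vulnerability",
     "dateAdded": "2026-02-27", "dueDate": "2026-03-20",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation", "product": "Logix Controllers",
     "vulnerabilityName": "Rockwell Automation Logix Controllers Authentication Bypass Vulnerability",
     "dateAdded": "2026-02-27", "dueDate": "2026-03-20",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed inventory: host -> CVEs a scanner reported. CVE-2023-9999 is a
# placeholder for a finding that is not in KEV and should drop out of the triage.
INVENTORY = {
    "ws-0421": ["CVE-2026-2441", "CVE-2023-9999"],
    "mail-gw-01": ["CVE-2020-7796"],
    "nvr-03": ["CVE-2017-7921", "CVE-2008-0015"],
}


def load_kev(text):
    """Index the feed by CVE ID so inventory lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(kev, inventory, today):
    """Join inventory findings against KEV and rank them: overdue first, then by
    days until the BOD 22-01 due date, ransomware-linked first on ties, then host."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still a vulnerability, just not this queue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "due": entry["dueDate"],
                "days_until_due": (due - today).days,
                "overdue": due < today,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["overdue"], f["days_until_due"],
                                 not f["ransomware"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(KEV_FEED), INVENTORY, date(2026, 3, 25)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_until_due']}d"
        print(f"{flag:>8}  {f['host']:<12} {f['cve']:<15} {f['product']}")
```

To run this against the live catalog, replace `KEV_FEED` with the downloaded JSON and `INVENTORY` with the scanner export; the sort key is the part worth keeping, since it encodes the order in which a small team should actually work the queue.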
read more →

OpenEoX and BOD 26-02: Standardizing EOS Management

🔒 CISA warns that unsupported edge hardware and software pose systemic risks and highlights Binding Operational Directive BOD 26-02 as a federal step to identify, replace, and patch end-of-support (EOS) devices. The article introduces OpenEoX, an OASIS Open machine-readable JSON standard that standardizes product lifecycle information and integrates with SBOMs and CSAF. By enabling producers to publish EOS milestones and consumers to automate lifecycle tracking, OpenEoX aims to reduce exposure and streamline vulnerability management. The piece urges rapid, community-wide adoption to close doors on threat actors exploiting outdated products.
read more →

CVE Volumes Surge: CISOs Must Prioritize Signal Effectively

🔍 A new forecast from FIRST projects a median of roughly 59,000 CVEs in 2026 and warns that under extreme scenarios the count could approach 118,000, up from about 48,000 in 2025. Experts stress this growth reflects improved discovery and disclosure — more CNAs, bug bounties, and scrutiny of long-neglected code — rather than a sudden rise in attacker capability. Historically, only a small fraction of published CVEs are weaponized: recent data shows fewer than 3,000 had public proof-of-concept exploits and only about 700 showed evidence of exploitation in the wild. The primary challenge for CISOs is separating signal from noise through prioritization, automation, and capacity planning rather than trying to patch every disclosed flaw.
read more →

CISA Orders Removal of Unsupported Edge Devices Nationwide

🔒 CISA ordered federal agencies to remove edge devices that no longer receive vendor security updates and to strengthen lifecycle management within 12 to 18 months. BOD 26-02 requires agencies to catalog devices, update supported software immediately, report end-of-support items within three months, and decommission listed devices within 12 months and all others within 18 months. CISA published an end-of-support edge device list and highlighted routers, firewalls, load balancers, wireless access points and IoT edge gear as high-risk targets for exploitation.
read more →

CISA directs removal of unsupported federal edge devices

🔒 CISA has ordered Federal Civilian Executive Branch agencies to inventory, update where possible, and remove all end-of-support edge devices—firewalls, routers, VPN gateways, load balancers, and other network security appliances—within an 18-month timeline. Agencies must report inventories within three months and begin removals within 12 months. CISA warned unsupported devices represent a substantial and constant threat and urged private sector adoption of similar measures.
read more →