< ciso brief />

All news with #patch management tag

81 articles · page 3 of 5

CISA Orders Federal Agencies to Replace EOL Edge Devices

⚠️ CISA has issued BOD 26-02 requiring U.S. federal agencies to identify and remove end-of-life (EOL) network edge devices such as routers, firewalls, and switches that no longer receive security updates. Agencies must inventory devices on CISA's end-of-support list within three months, decommission pre-directive EOL devices within 12 months, and replace all identified EOL edge equipment within 18 months. The directive also requires agencies to implement continuous discovery processes within 24 months and encourages non-federal organizations to follow CISA's guidance to mitigate exploitation risks.

Reducing Attack Surface from End-of-Support Edge Devices

🔒 This fact sheet from CISA, the FBI, and the U.K. NCSC urges organizations to mitigate risks posed by end-of-support (EOS) edge devices such as firewalls, routers, load balancers, and VPN gateways. It highlights BOD 26-02 for U.S. federal agencies and recommends maintaining asset inventories, replacing EOS hardware, and applying timely updates and patches to reduce exposure to nation-state threat actors.

FBI Launches Winter SHIELD to Strengthen Cyber Defenses

🔐 The FBI has launched Operation Winter SHIELD, a ten-week campaign outlining ten concrete actions organisations should adopt to improve cyber resilience across IT and OT environments. Developed with domestic and international partners and informed by recent investigations, the initiative connects observed adversary behaviour to practical defenses such as phish-resistant authentication, immutable offline backups, vulnerability management and reduced administrator privileges. Aligned with the US National Cyber Strategy and the FBI Cyber Strategy, the effort aims to harden critical infrastructure and reduce the attack surface.

CISA Adds Gogs Path Traversal to KEV Catalog - Remediate

⚠️ CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) Catalog for a Gogs path traversal vulnerability after evidence of active exploitation. The advisory cites BOD 22-01 requirements for Federal Civilian Executive Branch agencies to remediate cataloged KEV entries by the due date. CISA strongly urges all organizations to prioritize timely patching to reduce exposure. CISA will continue to add vulnerabilities that meet the specified criteria.

CISA Retires 10 Emergency Cybersecurity Directives

🔒 CISA has retired 10 Emergency Directives issued between 2019 and 2024 that were intended to protect Federal Civilian Executive Branch (FCEB) agencies from high-risk vulnerabilities. The directives covered DNS tampering, multiple Windows Patch Tuesday flaws, SolarWinds, Microsoft Exchange, Pulse Connect Secure, Print Spooler, VMware, and a nation-state compromise of Microsoft corporate email. CISA said the required actions were completed or are now enforced through BOD 22-01, and emphasized continued advancement of Secure by Design principles across federal systems.

CISA Retires Ten Emergency Cyber Directives at Once

🛡️ CISA has retired ten Emergency Directives issued between 2019 and 2024, stating the required mitigations have been completed or are now encompassed by BOD 22-01. The agency said this is the largest single closure of Emergency Directives to date. The action moves responsibility for ongoing remediation to the Known Exploited Vulnerabilities (KEV) catalog and its mandated federal patching timelines. CISA retains authority to require accelerated fixes for high-risk flaws, as in a recent one-day order for exploited Cisco CVEs.

Integrating Cyber Hygiene into Everyday Personal Habits

🔒 Cyber hygiene is presented as an essential, routine set of practices to reduce digital risk and protect personal data. The article gives targeted, practical advice for three audiences: beginners (use a password manager, create long random passwords and enable MFA), intermediate users (prioritize patch management, remove unused extensions, secure home routers and IoT, and use VPNs), and cybersecurity professionals (model good behavior and build a security-aware culture). Small, regular actions can greatly reduce exposure and improve resilience.

SecAlerts: Faster, Smarter Vulnerability Tracking Platform

🔔 SecAlerts provides a streamlined, cloud-native vulnerability notification service that maps new advisories directly to the software you run, avoiding intrusive scans or local installs. Using near-real-time sources rather than relying solely on the NVD, it reduces alert noise through configurable Stacks, Channels, and Alerts, so teams only receive actionable notifications. The platform includes a searchable Feed, visualised severity metrics, per-client properties for MSSPs, an API for integrations, and audit-ready reporting to accelerate remediation.

Webinar: Safely Patching Systems Using Community Tools

🔒 Community-driven package managers like Chocolatey and Winget speed deployments but can introduce supply-chain risks when packages are added or updated without rigorous vetting. Gene Moody, Field CTO at Action1, will lead a free webinar that tests these tools in practice, highlights common weak points, and demonstrates pragmatic safeguards such as source pinning, allow-lists, and hash/signature verification. The session focuses on actionable steps to help teams prioritize updates using known-exploited vulnerability data (KEV) and to choose whether to rely on community repos, vendor sources, or a hybrid approach while maintaining operational velocity.

What Keeps CISOs Awake - Zurich's Approach to Resilience

😴 At the Global Cyber Conference 2025 in Zurich, CISOs openly confronted a profession-wide exhaustion tied to escalating cyber risk. Tim Brown distilled the anxiety into five core threats: shrinking exploit windows, persistent adversaries, third-party risk, an AI arms race, and staff burnout. The Swiss Cyber Institute's vendor-free format created a trust-based forum where peers share IOCs, run joint table-tops and adopt risk-based patching and UEBA to speed response and restore resilience.

SCCM and WSUS in Hybrid Environments: Adopt Cloud Patching

☁️ Legacy Windows patching tools like SCCM and WSUS are struggling to meet the needs of distributed workforces because they depend on LAN or VPN check‑ins. The piece highlights WSUS deprecation and frequent synchronization, database, and re‑indexing failures that stall remediation. Cloud‑native, SaaS patch management (for example, Action1) allows endpoints to check in securely over the internet, use global delivery networks, and deliver faster, more consistent compliance without on‑prem infrastructure.

Microsoft to Remove WINS Support After Windows Server 2025

⚠️ Microsoft announced that WINS support will be removed from Windows Server releases after Windows Server 2025, with standard support for that final LTSC build continuing through November 2034. The legacy NetBIOS name registration and resolution service was deprecated in Windows Server 2022. Microsoft said WINS components, management snap-ins and automation APIs will be removed, and urged administrators to audit dependencies and migrate to DNS-based solutions to avoid disruptions.

AWS Organizations adds upgrade rollout policy for RDS

🔔 AWS Organizations now supports an upgrade rollout policy for Amazon Aurora and Amazon RDS, enabling staggered automatic minor version upgrades across accounts and resources. Administrators can define simple sequences (first, second, last) via account-level policies or resource tags so upgrades begin in development and progress to production only after validation. AWS Health notifications between phases, built-in validation periods, and the ability to pause progression provide control and observability. The feature is available in all commercial Regions and AWS GovCloud (US); RDS for Oracle support applies to engine versions released after January 2026.

Turn Windows 11 Migration into a Security Opportunity

🔒 Organizations should treat the Windows 11 migration as a strategic security opportunity rather than a routine OS update. While some users resist moving from Windows 10 or explore alternatives like Linux or legacy releases, those choices can introduce operational headaches and security gaps, especially as Microsoft phases out support. Use the transition to validate backups, recovery objectives, and patch posture to reduce exposure to unpatched vulnerabilities that increasingly target MSPs and their clients.

AWS launches Supplementary Packages for Amazon Linux

📦 AWS announced the general availability of Supplementary Packages for Amazon Linux (SPAL), a curated repository offering thousands of pre-built EPEL9-compatible packages for Amazon Linux 2023 (AL2023). SPAL reduces the need to compile software from source, accelerating deployments and lowering operational overhead for developers, system administrators, and DevOps teams. Packages are derived from community EPEL9 sources with AWS applying security patches as they become available upstream. SPAL is available across all AWS Commercial Regions, including GovCloud and China.

Amazon RDS for PostgreSQL: New Minor Versions Available

🐘 Amazon RDS for PostgreSQL now supports minor versions 17.7, 16.11, 15.15, 14.20, and 13.23; AWS recommends upgrading to address known security vulnerabilities and receive community bug fixes. The release adds the pgcollection extension for RDS PostgreSQL 15.15 and above (including 16.11 and 17.7), providing an ordered, efficient key-value collection type usable inside PostgreSQL functions to speed in-memory data processing. Extension updates include pg_tle 1.5.2 and H3_PG 4.2.3, and operators can use automatic minor version upgrades or Blue/Green deployments to minimize disruption during upgrades.

CISA Issues Guidance for Cisco ASA and Firepower Fixes

🔔 CISA released implementation guidance for Cisco ASA and Firepower devices to support Emergency Directive 25-03. The guidance lists minimum software versions that remediate CVE-2025-20333 and CVE-2025-20362 and directs agencies to perform corrective patching. CISA warns that multiple organizations believed they had applied updates but had not, and recommends that all operators verify exact versions. Agencies with devices not yet updated or updated after Sept. 26, 2025, should follow additional temporary mitigations.

CISA Issues Guidance on Cisco ASA and Firepower Risks

⚠️ CISA released Implementation Guidance for Emergency Directive 25‑03 addressing ongoing exploitation of Cisco ASA and Firepower devices, identifying minimum software versions that remediate known vulnerabilities. The guidance directs federal agencies to perform corrective patching and recommends all organizations verify and apply the specified minimum updates. CISA also provides the RayDetect scanner to analyze ASA core dumps for RayInitiator compromise and offers temporary mitigation recommendations for agencies still completing compliance.

Enterprise networks hit by legacy, unpatched systems

🔍 New research from Palo Alto Networks shows enterprise networks remain sprawling and poorly controlled: telemetry from 27 million devices across 1,800 enterprises found 26% of Linux and 8% of Windows systems running on end-of-life OS versions, 39% of directory-registered devices lack active endpoint protection, and 32.5% operate outside IT control. Poor segmentation — present in 77% of networks — and unmanaged edge devices increase attacker opportunities.

Windows 11 23H2 Home and Pro Reach End of Support Now

⚠️ Microsoft confirmed that Windows 11, version 23H2 Home and Pro editions reached end of servicing on November 11, 2025; the November 2025 monthly security update is the last patch for those SKUs. Devices running those editions will no longer receive monthly security or preview updates protecting against the latest threats. Users are advised to upgrade to Windows 11, version 25H2, available to eligible devices via Settings > Windows Update.