All news with #patch management tag

🔐 On December 2 at 2:00 PM ET, BleepingComputer and SC Media will host a live webinar featuring Gene Moody, Field CTO at Action1, on modern patch management strategies to reduce risk and speed remediation. The session, titled Winning the 2026 vulnerability race, explains how cloud-native, policy-driven tools can address limitations of legacy systems like WSUS. Attendees will learn prioritization techniques, visibility practices, and automation use cases to align patching with business impact.

⚠️ The German Federal Office for Information Security (BSI) warns that the majority of an estimated 33,000 publicly reachable Microsoft Exchange Server 2016 and 2019 installations still operate without vendor support after 14 October 2025. Without security updates, new critical Exchange vulnerabilities cannot be patched and affected systems may need to be taken offline to avoid compromise. The BSI highlights rapid network-wide compromise and ransomware risk and urges prompt upgrades, migrations, or protective measures such as VPNs or IP restrictions.

🔍 Modern patch management demands centralized visibility, faster prioritization, and accountable remediation to close growing exposure gaps. The article highlights how legacy systems such as WSUS and SCCM struggle with mixed environments, remote endpoints, and third-party applications, producing inconsistent patch states and unnoticed failures. Action1 is presented as a cloud-native platform that inventories endpoints, maps missing updates to CVEs, automates targeted deployments and retries failures, and provides audit-ready reporting to unify security and IT workflows.

🛡️ AWS Systems Manager Patch Manager now notifies when Windows security updates are available but not approved by a customer's patch baseline. The feature adds a new patch state, AvailableSecurityUpdate, and by default surfaces these instances as Non-Compliant, helping administrators spot missing security patches even when using long ApprovalDelay windows. Organizations can preserve existing reporting by configuring patch baseline behavior. The capability is available in all Regions and incurs no additional charges; administrators can enable it from the Patch Manager console or documentation.

⚠️ Microsoft has reminded customers that Office 2016 and Office 2019 reached the end of extended support on October 14, 2025. These releases will continue to operate but will no longer receive security updates, bug fixes, or technical support, increasing exposure to threats and compliance issues. Microsoft recommends migrating to Microsoft 365 Apps or newer perpetual releases such as Office 2024 or Office LTSC 2024, and notes that Visio, Project, and Skype for Business 2016/2019 are also out of support.

🔒 October's Cybersecurity Awareness Month is a reminder that timely software patching is essential to reduce risk. Last year saw around 40,000 newly disclosed vulnerabilities — roughly a 30% increase — and 2025 is on track to set another record, while attackers increasingly exploit unpatched flaws. In a video, ESET Chief Security Evangelist Tony Anscombe explains why delayed patching effectively invites threat actors into your network. Stay tuned for more awareness videos and consider ESET's cybersecurity awareness training.

🛡️ As of October 14, 2025, Microsoft has ended support for non‑LTSC releases of Windows 10, leaving installations without default security patches unless organizations purchase Extended Security Updates (ESUs). CrowdStrike advises inventorying assets, evaluating ESU costs, and prioritizing migration while ensuring continuous endpoint protection. The Falcon platform delivers cloud‑native detection, behavioral AI, and visibility across mixed Windows environments to help reduce risk during transition. Note that EDR complements but does not replace operating system updates.

⚠️ A significant proportion of users and organisations remain on Windows 10 just days before Microsoft ends support on October 14, meaning no more security or feature updates. Remote-access vendor TeamViewer reports over 40% of endpoints it recently supported still run the OS, while a Which? survey found 26% of UK users do not plan to upgrade and 11% are undecided. Experts warn this creates a cybersecurity and compliance 'cliff edge' that could expose systems to unpatched vulnerabilities and increased attacker activity.

🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The additions are CVE-2014-6278 (GNU Bash), CVE-2015-7755 (Juniper ScreenOS), CVE-2017-1000353 (Jenkins), CVE-2025-4008 (Smartbedded Meteobridge), and CVE-2025-21043 (Samsung mobile). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by their due dates; CISA urges all organizations to prioritize timely mitigation and patching.

🔐 Fortinet’s 2025 Global Threat Landscape Report underscores that two fundamentals — protecting against phishing and keeping software up to date — remain the most effective defenses. Attackers are scaling campaigns with automation and generative AI to produce more convincing messages, and they combine email, SMS, and voice techniques to raise success rates. Organizations should strengthen employee training, deploy MFA, and adopt centralized or automated patch management to reduce exposure and limit lateral movement.

⚠️ Enterprises face an unprecedented surge in disclosed vulnerabilities — over 20,000 in H1 2025 — with roughly 35% (6,992) accompanied by public exploit code, according to Flashpoint. Security leaders are urged to adopt risk-based patching and intelligence-led remediation that prioritizes remotely exploitable and actively exploited flaws while factoring in business context. Relying solely on CVE and the NVD is increasingly impractical due to enrichment delays; experts recommend integrating threat context, exposure management, and CTEM-style operations to concentrate limited resources on what truly matters.

🔒 Security hardening boosts protection for organizations, especially SMBs, by reducing their attack surface without large additional investments. Key measures include strong authentication and authorization—enforcing strict passwords, multifactor authentication, least-privilege access and network access controls—alongside timely patching, data encryption and segmented, tested backups. Regular staff training, account audits and permission reviews complete a practical, low-cost defense posture.

🔒 CISA published an advisory summarizing lessons learned from an incident response engagement after its endpoint detection and response tool detected potential malicious activity. The guidance emphasizes expedited patching—highlighting exploitation of GeoServer CVE-2024-36401—alongside strengthened incident response planning and enhanced threat monitoring. Organizations are urged to prioritize fixes for public-facing systems, test response playbooks, and implement centralized logging to improve detection and reduce exposure.

🖥️ Valve announced that Steam will stop supporting 32-bit versions of Windows effective January 1, 2026. The company said Windows 10 32-bit is currently the only 32-bit build still in use and that existing Steam Client installations on those systems will continue to function for the near term but will no longer receive any updates, including security updates. Valve explained the change is required because core Steam features rely on drivers and libraries not maintained on 32-bit Windows. Gamers are urged to upgrade to a 64-bit version of Windows to maintain compatibility and keep receiving updates.

🔔Microsoft reminded customers that Office 2016 and Office 2019 will reach the end of extended support on 14 October 2025. Organizations using Visio 2016/2019, Project 2016/2019, and related apps are urged to upgrade to avoid security, compliance, and performance issues because no further updates or fixes will be provided. Microsoft recommends migrating to Microsoft 365 Apps or selecting a perpetual release such as Office 2024 or Office LTSC 2024 depending on licensing and connectivity needs.

⚠️ Microsoft has warned that Exchange Server 2016 and Exchange Server 2019 will reach end of extended support on October 14, 2025. After that date Microsoft will stop providing technical support, including bug fixes, time zone updates, and security patches, which could increase exposure to vulnerabilities. Administrators are advised to migrate to Exchange Online or upgrade to Exchange Server Subscription Edition, with documented migration and upgrade paths available.

⚠️ Microsoft warned that devices running Windows 11 23H2 Home and Pro editions will reach end of servicing on November 11, 2025, with the November 2025 monthly security update as the last release for those editions. Enterprise and Education SKUs will continue to receive mainstream support until November 10, 2026. Users are advised to upgrade to Windows 11 24H2, but Microsoft has applied safeguard holds for systems with incompatible Intel Smart Sound Technology audio drivers, SenseShield code‑obfuscation drivers, wallpaper customization tools, certain integrated cameras, and Dirac audio software.

🚨 The Australian Cyber Security Centre has observed increased exploitation of SonicWall SSL VPNs by the Akira ransomware group, leveraging CVE-2024-40766. The vulnerability, patched over a year ago, affects SonicWall Gen 5 and Gen 6 appliances and Gen 7 devices running SonicOS 7.0.1-5035 and earlier. Organisations remain at risk if they did not both install firmware updates and immediately rotate administrative credentials after migration. Security vendors Rapid7 and Recorded Future report automated intrusions tied to this issue; operators are advised to patch, reset passwords, restrict VPN access and enable robust MFA.

⚙️ This sponsored comparison contrasts Action1, a cloud-native patch management platform, with Microsoft's legacy WSUS. It examines installation, ongoing maintenance, patch coverage, remote delivery, automation, troubleshooting, and reporting. The piece argues that Action1 reduces infrastructure overhead, patches third-party apps, and supports remote endpoints without VPN. It concludes that Action1 better fits modern, hybrid environments and audit-driven compliance needs.

🩺 Cobalt's State of Pentesting in Healthcare 2025 report shows healthcare organizations take far longer than peers to remediate serious vulnerabilities, leaving systems and patient data exposed. The firm, using a decade of internal pentest data and a survey of 500 US security leaders, found only 57% of serious findings are fixed and the median time to resolve is 58 days, with a 244-day half-life for serious issues. While business-critical assets often see fixes within days, Cobalt warns that prioritizing SLA-bound remediation lets other serious but non-critical flaws linger and accrue security debt, increasing ransomware and data-exfiltration risk.