< ciso
brief />
Tag Banner

All news with #patch release tag

438 articles

CISA urges immediate patching of Fortinet FortiSandbox

🛡️ The US Cybersecurity and Infrastructure Security Agency (CISA) has added two critical FortiSandbox vulnerabilities, CVE-2026-39808 and CVE-2026-25089, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to apply patches by July 19. Both flaws are OS command injection bugs with CVSS scores of 9.1 and have documented in-the-wild exploitation. Fortinet released fixes in FortiSandbox versions 4.4.9 and 5.0.6; CISA advised discontinuing cloud services where mitigations are unavailable.
read more →

Zoom fixes critical account-takeover vulnerability

🔒 Zoom disclosed and patched a critical vulnerability that could allow an unauthenticated attacker to perform an account takeover via network access, affecting several Windows clients and VDI branches. The company also fixed three privilege-escalation bugs across Zoom Workplace, Zoom Rooms, and related VDI plugins. Security experts warned the flaw is highly dangerous due to low complexity and no user interaction required, while praising Zoom for discovering and patching the issues.
read more →

Windows 11 24H2 Home and Pro reach end of support

🛡️ Microsoft announced that Windows 11 version 24H2 Home and Pro editions and Windows 10 Enterprise LTSB 2016 will stop receiving monthly updates after October 13, 2026. Enterprise and Education editions remain supported until October 12, 2027. Users are advised to upgrade to Windows 11 25H2, which is available via an enablement package and will be offered automatically to unmanaged Home and Pro devices. Devices can defer the update or choose restart timing through Settings > Windows Update.
read more →

Zoom issues urgent Windows security updates

🔒 Zoom released updates to patch a critical account-takeover vulnerability affecting several Windows clients and SDKs. The flaw, tracked as CVE-2026-53412 (CVSS 9.8), impacts Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows and could allow unauthenticated remote takeover. The advisory also fixes three high-severity escalation-of-privilege and TOCTOU bugs in various Workplace, VDI, plugin, Rooms, and Remote Control components; no active exploitation has been reported.
read more →

Zoom warns of critical Windows account takeover flaw

🛡️ Zoom has disclosed a critical vulnerability in its Windows desktop client and Meeting SDK that could allow an unauthenticated attacker to hijack accounts. Tracked as CVE-2026-53412 with a 9.8 severity score, the flaw affects several Windows releases including Zoom Workplace and VDI clients prior to the listed patched versions. The vendor described the issue as an improper input validation vulnerability and urged users to apply the latest updates to mitigate risk.
read more →

Mozilla, Google, Adobe and VMware issue critical patches

🛡️ Mozilla, Google, Adobe and VMware released updates addressing multiple critical vulnerabilities across Firefox, Chrome, Adobe products, and VMware Avi Load Balancer. Mozilla patched two critical Firefox bugs (CVE-2026-15718, CVE-2026-15719) with exploit code publicly disclosed and fixed in Firefox 152.0.6. Google fixed 15 Chrome vulnerabilities including two critical Ozone use-after-free flaws, and Adobe addressed 88 issues across ColdFusion, Commerce, Experience Manager, and Illustrator. Broadcom remediated a critical authentication bypass in VMware Avi Load Balancer (CVE-2026-47865). Organizations are advised to apply updates promptly to mitigate risk.
read more →

Progress restores ShareFile after security suspension

🔒 Progress has restored access to its ShareFile Storage Zones Controller after a four-day suspension following the detection of a credible external security threat on July 10. The incident involved exploitation of a high-severity path traversal vulnerability in Storage Zones Controller versions 5.x and 6.x, and patched releases 5.12.5 and 6.0.2 have been issued. Progress reported no evidence of unauthorized access and is withholding the CVE to allow customers time to patch.
read more →

SAP July 2026 fixes critical NetWeaver ABAP flaw

🔒 SAP released its July 2026 security updates to remediate multiple serious vulnerabilities, including a critical NetWeaver Application Server ABAP out-of-bounds write (CVE-2026-44747). Vendors and customers are urged to apply the ABAP Kernel patch because the suggested workaround—disabling specific ICF nodes via SICF—may break SAP GUI for HTML. Other addressed issues include an HTTP request/response smuggling bug in Approuter (CVE-2026-27690) and a default-credential OAuth client issue in Commerce Cloud (CVE-2026-44761). SAP notes no evidence of active exploitation but recommends immediate patching and auditing of production instances for sample OAuth clients.
read more →

Windows 11 July 2026 Cumulative Updates Released

🛈 Microsoft released Windows 11 cumulative updates KB5101650 and KB5099414 for 25H2/24H2 and 23H2 to deliver July 2026 Patch Tuesday fixes addressing security vulnerabilities, bug fixes, and feature refinements. The rollouts update build numbers and include notable Bluetooth pairing improvements, a quieter Widgets experience, enhanced accessibility controls, File Explorer and networking fixes, and Point-in-Time restore availability. Install via Settings > Windows Update or the Microsoft Update Catalog.
read more →

Progress confirms ShareFile zero‑day behind shutdown

🛡️ Progress Software confirmed a high‑severity zero‑day in ShareFile Storage Zone Controller that prompted an emergency shutdown of customer Windows servers. The flaw is a path traversal impacting all 5.x and 6.x releases, allowing an authenticated admin to read arbitrary files, write attacker‑controlled content, or enumerate the filesystem. Progress released patches (5.12.5 and 6.0.2), reserved a CVE to be published in two weeks, and currently reports no evidence of customer data breaches.
read more →

SAP patches critical NetWeaver, Commerce Cloud flaws

🔒 SAP released July 2026 security updates addressing 16 vulnerabilities across multiple products, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter. The issues include a memory corruption bug in NetWeaver AS ABAP, an HTTP request smuggling flaw in Approuter, and default-credential exposure in Commerce Cloud. SAP also fixed several high- and medium-severity bugs such as RCE, XSS, SQLi, and DLL hijacking.
read more →

Microsoft patches RoguePlanet Defender flaw

🛡️ Microsoft released a security update addressing a privilege escalation bug in the Microsoft Malware Protection Engine, tracked as CVE-2026-50656. The issue, dubbed RoguePlanet, is a race condition that can allow an attacker to spawn a SYSTEM-level shell to run arbitrary code. The fix is included in engine version 1.1.26060.3008 and includes defense-in-depth hardening.
read more →

Microsoft patches Defender RoguePlanet zero‑day

🛡️ Microsoft released a Malware Protection Engine update to fix a Defender zero-day tracked as CVE-2026-50656, dubbed "RoguePlanet." The vulnerability, disclosed by researcher "Nightmare Eclipse," allows spawning a SYSTEM command prompt via a Defender race condition and reportedly works on fully patched Windows 10 and 11 devices. Microsoft shipped version 1.1.26060.3008 to address the issue after confirming work on a patch on June 16.
read more →

Ubiquiti issues urgent UniFi security patches

🔒 Ubiquiti has released updates to remediate several critical vulnerabilities across UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. The flaws include command injection, authenticated SQL injection, SSRF, and improper access control, with multiple CVSS scores at or near 10.0. Affected versions are identified for each product and updated builds are available that address the issues.
read more →

Ubiquiti patches max-severity UniFi OS flaws

🔒 Ubiquiti released updates addressing seven critical UniFi OS vulnerabilities, including a maximum-severity command injection flaw (CVE-2026-50746) in the UniFi Connect Application. The flaw affects versions 3.4.16 and earlier and could allow a network-based attacker to execute commands on the host. Users are advised to upgrade UniFi Connect to version 3.4.20 or later. Six additional critical issues across UniFi Talk, Access, Protect, UniFi OS Server, and multiple devices were also patched.
read more →

Adobe warns of exploited maximum severity ColdFusion flaw

🛡️ Adobe has urged ColdFusion customers to patch immediately after at least one maximum severity flaw was reported as being exploited. The company released fixes for 11 CVEs in the APSB26-68 bulletin on June 30, six carrying a CVSS score of 10. Researchers reported that CVE-2026-48282, a path traversal allowing potential arbitrary code execution, was targeted within hours of disclosure. There are 775 exposed ColdFusion instances online, increasing the risk for rapid exploitation.
read more →

BeyondTrust patches critical remote access authentication flaws

🔒 BeyondTrust has issued urgent patches for critical authentication flaws affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Two pre-authentication vulnerabilities (CVE-2026-40138 and CVE-2026-40139) could allow attackers to bypass access controls under specific authentication configurations. Additional high-severity issues (CVE-2026-40140 and CVE-2026-40141) address potential denial-of-service and restricted-resource access. Cloud instances were patched on April 21, 2026; self-hosted customers must apply the April security rollup or upgrade to RS/PRA 25.3.3+.
read more →

BeyondTrust issues critical authentication patches

🔒 BeyondTrust released updates to address multiple critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaws include pre-authentication authentication-bypass and input-validation issues that could allow unauthenticated attackers to gain elevated access or cause denial-of-service. Fixes are available in RS/PRA 25.3.3 and later; users are urged to patch promptly.
read more →

Adobe adds second monthly Patch Tuesday cycle

🛡️ Adobe will publish security updates twice each month to address faster vulnerability discovery and exploitation. The company will keep its existing second-Tuesday schedule and add a fourth-Tuesday release starting July, applying to advisories with CVEs needing customer action. Adobe cited increased threats and investment in vulnerability discovery as drivers for the new cadence. The change mirrors industry trends toward more frequent patching.
read more →

Adobe fixes critical ColdFusion and Campaign flaws

🛡️ Adobe released urgent patches addressing multiple maximum-severity vulnerabilities in ColdFusion and Adobe Campaign Classic, including several CVSS 10.0 issues. The ColdFusion fixes are included in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, while the Campaign patch is in ACC v7: 7.4.3 build 9397. Adobe reports no known active exploitation and credited external researchers for several reports.
read more →