< ciso brief />

All news with #patch release tag

313 articles · page 10 of 16

Siemens Interniche IP-Stack TCP Sequence Vulnerability

⚠️ Siemens warns of a TCP sequence validation flaw in the Interniche IP-Stack (CVE-2025-40820) that can allow unauthenticated remote actors to interfere with TCP connection setup and cause denial of service. The defect accepts a broad range of sequence values, permitting precisely timed spoofed packets to disrupt TCP-based services. Siemens has released fixes for many affected SKUs and recommends updating to the published firmware versions; where fixes are not yet available, follow the vendor’s countermeasures and apply network controls to limit exposure.

LabVIEW Multiple Vulnerabilities Allow Code Execution

⚠ National Instruments released patches addressing multiple vulnerabilities in LabVIEW that could allow information disclosure and arbitrary code execution if a user opens a specially crafted VI file. The flaws include out-of-bounds read/write, use-after-free, and a stack-based buffer overflow across several LabVIEW releases up to 2025_Q3. Administrators should apply the vendor Q3 patch updates and minimize exposure of LabVIEW files while performing risk assessments.

HPE OneView RCE Flaw (CVE-2025-37164) Requires Patch

⚠️ HPE has released patches for a maximum-severity remote code execution vulnerability, CVE-2025-37164, in OneView that affects all versions prior to v11.00. Reported by Nguyen Quoc Khanh (brocked200), the flaw permits unauthenticated, low-complexity code injection leading to RCE on unpatched systems. There are no vendor-provided workarounds or mitigations, so administrators should upgrade to OneView v11.00 or apply the appropriate hotfixes without delay. Separate hotfix packages are available for virtual appliance and Synergy deployments.

Microsoft updates break Azure Virtual Desktop RemoteApp

⚠️ Microsoft has confirmed that recent Windows updates cause RemoteApp connection failures for Azure Virtual Desktop on Windows 11 24H2/25H2 and Windows Server 2025, triggered after the November 2025 non-security update KB5070311 or later. The issue affects RemoteApp streaming connections while full virtual desktop sessions remain functional and typically does not impact consumer Home or Pro devices. Microsoft advises a temporary mitigation — adding a registry DWORD (requires administrator privileges) and restarting the device — and has applied a Known Issue Rollback for Pro and Enterprise SKUs. Enterprise administrators can alternatively deploy the provided Group Policy MSI to apply the rollback centrally while Microsoft works on a permanent fix.

Microsoft advises admins to contact support over MSMQ bug

⚠ Microsoft has asked enterprise customers to contact support for guidance after a Message Queuing (MSMQ) change in recent December 2025 updates caused applications and IIS sites to fail. The bug, affecting Windows 10 22H2 and Windows Server 2019 and 2016 systems with KB5071546/KB5071544/KB5071543 installed, alters NTFS permissions on C:\Windows\System32\MSMQ\storage so that write access is required, causing resource errors. Microsoft is investigating and advising businesses to seek tailored mitigations or consider rolling back updates.

Notepad++ 8.8.9 fixes updater flaw allowing malicious files

🛡️ Notepad++ released version 8.8.9 to address a weakness in its WinGUp updater after reports that the updater retrieved and executed malicious binaries instead of legitimate update packages. The issue surfaced in community forums where a spawned %Temp%\AutoUpdater.exe executed reconnaissance commands and exfiltrated data to a public paste service. Version 8.8.9 now enforces code-signature verification for downloaded installers and aborts updates that fail signature checks.

Ivanti EPM XSS Flaw Lets Attackers Hijack Admin Sessions

🔒 Ivanti has released a critical patch for an unauthenticated Cross-Site Scripting (XSS) flaw in EPM that can allow attackers to inject malicious device scan data via the incoming API and execute JavaScript in administrator dashboards, enabling full admin-session takeover. The vendor shipped EPM 2024 SU4 SR1 to address CVE-2025-10573 (CVSS 9.6) and other arbitrary-code and file-write vulnerabilities; Ivanti said it had not observed customer exploitation at disclosure.

AzeoTech DAQFactory Multiple Memory-Corruption Flaws

🛡️ CISA warns of multiple memory-corruption vulnerabilities in AzeoTech DAQFactory (release 20.7 and prior) that can be triggered by specially crafted .ctl files. The flaws include out-of-bounds read/write, heap and stack overflows, use-after-free, type confusion, and access of uninitialized pointers; several have CVSS v4 scores up to 8.4. DAQFactory 21.1 addresses these issues and AzeoTech advises avoiding untrusted documents, restricting .ctl file permissions, and using Safe Mode when loading unverified files.

Google Issues Chrome Security Update Fixing Three Zero-Days

🔒 Google released a Chrome security update on December 10 to patch three zero-day vulnerabilities, including a high-severity bug tracked internally as 466192044 for which an exploit is reported in the wild. Google has not published technical details and marks the issue as Under coordination, saying details may be restricted until most users are updated. The advisory also fixes two additional issues: CVE-2025-14372, a use-after-free in Chrome's Password Manager reported by Weipeng Jiang, and CVE-2025-14373, an inappropriate implementation in the Chrome toolbar reported by Khalil Zhani.

Microsoft Fixes Explorer White Flashes in Dark Mode

⚠️ Microsoft has issued a fix for a known bug that caused File Explorer to briefly flash white when launched or navigated in dark mode after installing the optional KB5070311 update. The behavior also occurred when opening a new tab, toggling the Details pane, selecting 'More details' during file copy, or moving to/from Home or Gallery. Microsoft says the December cumulative KB5072033 update resolves the issue and includes related stability and PowerShell warnings.

Google patches eighth Chrome zero-day exploited in 2025

🔔 Google has issued emergency updates for Chrome to address a zero-day tracked as Chromium bug 466192044 that is actively exploited in the wild. The vulnerability is a buffer overflow in the LibANGLE Metal renderer caused by improper buffer sizing and can lead to memory corruption, crashes, sensitive data leaks, or arbitrary code execution. Stable channel builds rolling out are Windows 143.0.7499.109, macOS 143.0.7499.110, and Linux 143.0.7499.109; users should update immediately or allow Chrome to install the update on restart.

Chrome Updated to Fix Actively Exploited High-Severity Flaw

🔐 Google released Chrome security updates addressing three vulnerabilities, including a high-severity flaw that is being actively exploited in the wild and is tracked as Chromium issue 466192044. Google withheld the CVE identifier, affected component, and technical details while coordinating disclosure to allow broader patching. The release also corrects two medium-severity issues in the Password Manager and Toolbar. Users should update to Chrome 143.0.7499.109/.110 (Windows/macOS) or 143.0.7499.109 (Linux) and apply vendor patches for other Chromium-based browsers when available.

Fortinet admins urged to patch FortiCloud SSO flaws

🔒 Fortinet has released patches for two critical cryptographic signature vulnerabilities, CVE-2025-59718 and CVE-2025-59719, that can allow an unauthenticated attacker to bypass FortiCloud SSO using a crafted SAML message on affected FortiOS, FortiWeb, FortiProxy and FortiSwitchManager devices. Administrators are advised to disable FortiCloud SSO immediately if it is enabled, apply vendor updates to non‑vulnerable versions, and then re-enable SSO only after verifying patches. Fortinet notes the feature is not enabled by factory default but can be activated during FortiCare registration; the company and responders recommend using the System -> Settings toggle or the CLI command sequence to disable login until patched.

Fortinet, Ivanti, and SAP Release Emergency Patches

🔐 Fortinet, Ivanti, and SAP have released urgent patches to address high-severity authentication and code-execution flaws affecting FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, Ivanti Endpoint Manager, and multiple SAP products. Fortinet's issues (CVE-2025-59718, CVE-2025-59719; CVSS 9.8) can allow FortiCloud SSO bypass via crafted SAML messages when that feature is enabled. Ivanti patched a stored XSS (CVE-2025-10573; CVSS 9.6) and additional bugs that could lead to remote code execution, while SAP's update remedies three critical flaws including a 9.9 CVSS code injection. Administrators are urged to apply vendor updates or temporarily disable affected features until systems are patched.

SAP patches three critical vulnerabilities in December

🔒 SAP released December security updates fixing 14 vulnerabilities across multiple products, including three critical flaws that could enable remote code execution and full system compromise. The most severe, CVE-2025-42880 (CVSS 9.9), is a code-injection issue in SAP Solution Manager ST 720. A Tomcat-related bundle tracked as CVE-2025-55754 (CVSS 9.6) affects SAP Commerce Cloud, and CVE-2025-42928 (CVSS 9.1) is a deserialization bug in SAP jConnect. Administrators are urged to deploy the provided fixes without delay.

Microsoft issues KB5071546 ESU update for Windows 10

🔒 Microsoft has released the KB5071546 extended security update for Windows 10 Enterprise LTSC and systems enrolled in the ESU program, addressing 57 security vulnerabilities including three zero-days. The mandatory patch updates Windows 10 to build 19045.6691 (LTSC 2021 to 19044.6691) and installs automatically, requiring a restart. Notably, it fixes a remote code execution zero-day in PowerShell (CVE-2025-54100) by adding a confirmation prompt and guidance to use -UseBasicParsing with Invoke-WebRequest to avoid parsing embedded scripts.

Fortinet warns of critical FortiCloud SSO bypass flaws

⚠️ Fortinet released patches for two critical FortiCloud SSO authentication bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719) impacting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. Attackers can abuse improper cryptographic signature verification in crafted SAML messages to bypass FortiCloud SSO controls. Administrators should disable FortiCloud SSO until devices are patched — either via System -> Settings in the GUI or with the provided CLI command — and apply the vendor firmware updates promptly. Fortinet also fixed related credential and password-hash issues (CVE-2025-59808, CVE-2025-64471).

Windows 11 KB5072033 & KB5071417 Patch Tuesday December 2025

🔔 Microsoft released cumulative updates KB5072033 (25H2/24H2) and KB5071417 (23H2) as the December 2025 Patch Tuesday rollup. The mandatory updates include security fixes, bug patches, and new or enhanced features such as improved File Explorer dark mode, Virtual Workspaces advanced settings, and expanded Full‑Screen Experience for handheld devices. Install via Settings > Windows Update or the Microsoft Update Catalog; features will roll out gradually.

Windows LNK Shortcut Abuse Addressed by Recent Patches

🔒 Microsoft has quietly altered how Windows displays .lnk shortcut Targets, addressing a long‑abused technique attackers used to hide malicious commands in trailing whitespace. The issue (tracked as CVE-2025-9491) stemmed from Explorer showing only the first 260 characters of a Target field, allowing long PowerShell or BAT scripts to be concealed. Third‑party vendor 0patch acknowledges the UI change but says Microsoft’s fix doesn't prevent execution and offers a micropatch that truncates long Targets and warns users.

Google fixes two Android zero-days, 107 vulnerabilities

🔒 Google released its December 2025 Android security bulletin addressing 107 vulnerabilities, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that are reported to be under limited targeted exploitation. The flaws affect Android 13–16 and include information-disclosure and privilege‑escalation issues; the most critical fix this month is CVE-2025-48631 (DoS). Updates also include critical kernel fixes for Qualcomm and closed‑source vendors, and Samsung has ported fixes. Users should apply updates, keep Play Protect active, or move to supported builds.