ciso brief

All news with #patch release tag

377 articles · page 10 of 19

Oracle issues 337 patches including critical Tika fix

🛡️ Oracle's January quarterly update delivers 337 security fixes across its product portfolio, including 27 rated critical. The vendor reports no known in-the-wild exploitation at release, but urges priority attention to the 13 CVEs mapped to critical severity. A substantial share of patches address third-party and open-source components such as Apache Tika, creating cross-product CVE overlap and assessment complexity.

Zoom and GitLab Release Patches for Critical Flaws

🔒 Zoom and GitLab released security updates to address multiple vulnerabilities that could enable denial-of-service, remote code execution, and a two-factor authentication bypass. The most severe is a critical command injection in Zoom Node Multimedia Routers (CVE-2026-22844, CVSS 9.9) that may allow remote code execution; Zoom reports no evidence of active exploitation. GitLab patched several high-severity DoS and 2FA-bypass issues across CE and EE releases. Administrators should apply the provided patches, upgrade affected modules, and review exposure to untrusted networks immediately.

CERT/CC warns binary-parser flaw enables JS execution

🛡️ The CERT/CC has warned of a code-injection vulnerability in the binary-parser npm library (CVE-2026-1245) that can permit execution of arbitrary JavaScript when parser source is dynamically generated at runtime. The flaw arises from unsanitized, attacker-controlled values — such as parser field names and encoding parameters — being embedded into code compiled with the Function constructor. Applications that accept untrusted parser definitions are at risk; static, hard-coded parsers are not affected. Users should upgrade to binary-parser 2.3.0 and avoid passing user-controlled values into parser definitions.

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.

Chainlit vulnerabilities expose files and enable SSRF

🔒 Chainlit, a widely used framework for building conversational AI applications, contained two server-side vulnerabilities (CVE-2026-22218 and CVE-2026-22219) that allow authenticated users to read arbitrary files and trigger SSRF in affected deployments. The flaws stem from insufficient validation of user-controlled properties in custom elements and SQLAlchemy-backed storage. Combined, they can expose environment variables, cached prompts, API keys and cloud metadata, enabling lateral movement beyond the app layer. Chainlit released 2.9.4 on 24 December 2025 and users are advised to apply the patch immediately; temporary WAF signatures were published as mitigation.

Amazon Corretto January 2026 Quarterly Security Updates

🛡️ Amazon announced quarterly security and critical updates for Amazon Corretto LTS distributions on January 20, 2026. Updated builds — Corretto 25.0.2, 21.0.10, 17.0.18, 11.0.30, and 8u482 — are available for download. Customers can obtain releases from the Corretto home page or configure Apt, Yum, or Apk repositories on Linux to receive updates. Feedback and issue reports are invited via the Corretto GitHub repository.

Rockwell Verve Asset Manager: Two High-Risk Storage Flaws

🔒 Rockwell Automation reported two high-severity vulnerabilities in Verve Asset Manager affecting legacy components: the ADI server and the Ansible playbook. Both issues can result in unencrypted sensitive information being stored in environment variables or during playbook execution and are rated CVSS 7.2 and 7.9. Rockwell states the flaws are resolved in 1.42; organizations should upgrade and contact Rockwell TechConnect for assistance. CISA also recommends minimizing network exposure and using secure remote access such as up-to-date VPNs.

CODESYS Runtime Vulnerabilities Affecting Schneider Electric

⚠️ Schneider Electric warns that multiple vulnerabilities in the CODESYS Runtime System V3 communication server affect many Schneider products and third-party devices embedding CODESYS. Exploitable issues include denial-of-service and, in some configurations, remote code execution; several CVEs carry CVSS scores up to 8.8. Schneider has published patches and mitigations for many affected product families; operators should apply vendor updates and put network and access controls in place immediately to reduce exposure.

Intune MAM update enforces latest SDKs or blocks apps

⚠️ Microsoft is enforcing new Intune MAM security requirements beginning January 19 (or shortly after), requiring updated iOS SDKs/wrappers and an updated Android Company Portal to keep apps running. Enterprises that don’t update wrapped or SDK-integrated apps — including Outlook and Teams — risk having those apps blocked from launching. Admins should rebuild or rewrap affected apps, push updates, enable conditional launch policies, and monitor App Protection Status to avoid user outages.

Microsoft releases OOB Windows fixes for Cloud PC issues

🔧 Microsoft has issued out-of-band Windows updates to address two issues introduced by the January 2026 security updates: credential prompt failures that can block Microsoft 365 Cloud PC and remote desktop sign-ins, and a shutdown/hibernate failure on Windows 11 23H2 when Secure Launch is enabled. The fix packages must be manually downloaded from the Microsoft Update Catalog, and administrators can deploy Known Issue Rollback (KIR) installers via Group Policy for enterprise-managed devices when immediate deployment is required.

Cisco patches critical zero-day in email gateway products

⚠️ Cisco has released patches for a critical zero-day, CVE-2025-20393, in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw allows a remote attacker to gain root by sending a crafted HTTP request to the Spam Quarantine interface when it is enabled and reachable from the internet. Cisco first learned of exploitation in December, issued a public advisory on Dec. 17, and has now published fixes to address the issue.

Modular DS Flaw Lets Attackers Gain Instant WordPress Admin

🔓 Modular DS versions 2.5.1 and earlier contain a critical privilege-escalation bug (CVE-2026-23550) that lets unauthenticated attackers gain full WordPress admin access by calling unprotected API routes under /api/modular-connector/. Patchstack reported active exploitation and the vendor released Modular DS 2.5.2 on January 14, 2026. Administrators should update immediately, check for rogue admin accounts, enable two-factor authentication, apply IP restrictions, and consider Patchstack’s mitigation rules if immediate patching isn’t possible.

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and rated 10 (CVSS 3.1) by HPE, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.

Amazon RDS adds support for Microsoft SQL Server GDR updates

🔔 Amazon RDS for SQL Server now supports Microsoft SQL Server GDR updates for 2016 SP3, 2017 CU31, 2019 CU32 and 2022 CU22 (RDS versions 13.00.6475.1.v1, 14.00.3515.1.v1, 15.00.4455.2.1.v1, 16.00.4225.2.1.v1). These GDRs address vulnerabilities tracked as CVE-2025-59499. We recommend upgrading instances via the Amazon RDS Console, SDK, or CLI and consulting the RDS SQL Server upgrade guide to plan and apply the updates.

Amazon RDS Custom Adds Microsoft SQL Server GDR Updates

🔒 Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates, enabling SQL Server 2019 CU32+GDR (KB5068404) and SQL Server 2022 CU21+GDR (KB5068406) on managed instances. These releases correspond to RDS builds 15.00.4455.2.1.v1 and 16.00.4222.2.1.v1 and address vulnerabilities referenced by CVE-2025-59499. We recommend that you upgrade affected RDS Custom instances using the Amazon RDS Management Console, AWS SDK, or CLI and consult the Amazon RDS Custom User Guide for upgrade procedures. Before applying updates in production, review release notes and test the patches in non-production environments to validate application compatibility and backups.

Critical RCE in n8n Forces Immediate Global Remediation

🚨 A critical remote code execution vulnerability, CVE-2026-21858 (CVSS 10.0), has been disclosed in n8n, allowing attackers to fully compromise locally deployed instances. Researchers estimate roughly 100,000 servers are affected and there are no official workarounds available. The n8n project has released a patched build; users must upgrade to n8n version 1.121.0 or later to remediate the issue. Administrators should prioritize patching and follow vendor advisories immediately.

Palo Alto Fixes GlobalProtect DoS Vulnerability, Critical

🔒 Palo Alto Networks has released patches for a high-severity denial-of-service vulnerability (CVE-2026-0227, CVSS 7.7) affecting GlobalProtect Gateway and Portal components. The flaw, caused by an improper check for exceptional conditions (CWE-754), can be triggered by an unauthenticated attacker and may force affected firewalls into maintenance mode. A proof-of-concept exploit exists and there are no workarounds, so administrators should prioritize applying the vendor updates.

Exploit Published for Critical FortiSIEM Command Injection

🔓 A critical FortiSIEM vulnerability, tracked as CVE-2025-25256, enables remote unauthenticated attackers to execute arbitrary commands by invoking exposed phMonitor handlers. Horizon3.ai disclosed technical details and published a demonstrative exploit after Fortinet issued patches across supported branches. The flaw combines arbitrary write with privilege escalation to root and affects a range of FortiSIEM releases; Fortinet advises applying the supplied updates or restricting access to the phMonitor port (7900) as a temporary mitigation.

Microsoft Updates WinSqlite3.dll After False Positives

🔔 Microsoft has released updates to WinSqlite3.dll after third-party security tools began flagging the Windows core DLL as vulnerable to CVE-2025-6965. The company said the false positive affected Windows 10, Windows 11, and server editions through Windows Server 2025. Microsoft resolved the detection in updates released January 13, 2026 and later and urges users to install the latest patches. It also clarified WinSqlite3.dll is distinct from sqlite3.dll.

Pax8 Email Error Exposes MSP and Microsoft Licensing Data

⚠️ Pax8 confirmed it mistakenly emailed a CSV attachment on January 13 that contained internal pricing and Microsoft licensing data to fewer than 40 UK-based partners. Recipients reported the file listed about 56,000 entries covering roughly 1,800 partners, with fields including partner and customer IDs, SKUs, license counts, renewal dates, and booking details. Pax8 asked recipients to delete the message, required deletion confirmations, and said it launched an internal review. The company maintains the file did not contain personally identifiable information and that marketplace availability and security controls were not affected.