
All news with #patch release tag

377 articles · page 13 of 19

HPE OneView Critical RCE Flaw Rated CVSS 10.0, Patch

🚨 HPE has released patches for a critical remote code execution vulnerability in OneView Software, tracked as CVE-2025-37164 with a CVSS score of 10.0. The flaw affects all versions prior to 11.00; HPE published version 11.00 and hotfixes for 5.20–10.20 to mitigate it. Administrators should apply the update or hotfix promptly; certain hotfixes must be reapplied after specific upgrades or Synergy Composer reimaging.

Siemens Interniche IP-Stack TCP Sequence Vulnerability

⚠️ Siemens warns of a TCP sequence validation flaw in the Interniche IP-Stack (CVE-2025-40820) that can allow unauthenticated remote actors to interfere with TCP connection setup and cause denial of service. The defect accepts a broad range of sequence values, permitting precisely timed spoofed packets to disrupt TCP-based services. Siemens has released fixes for many affected SKUs and recommends updating to the published firmware versions; where fixes are not yet available, follow the vendor’s countermeasures and apply network controls to limit exposure.

Rockwell Micro800 Controllers: IPv6 and CIP DoS Flaws

🔒 CISA warns of two denial-of-service vulnerabilities in Rockwell Automation Micro820, Micro850, and Micro870 controllers (CVE-2025-13823, CVE-2025-13824) that can render devices unresponsive. One flaw is in the IPv6 stack and the other stems from improper handling of malformed CIP packets; both can cause faults that impact availability. Rockwell Automation has released firmware updates (Micro820 L20E V23.011 or later; Micro850/870 V12.013 or later) and advises disabling IPv6 if not required. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using secure remote access methods.

Critical AXIS Camera Station and Device Manager Flaws

⚠️ CISA warns of critical vulnerabilities in AXIS Camera Station products, including AXIS Camera Station Pro and AXIS Device Manager. Successful exploitation could allow remote code execution, authentication bypass, man-in-the-middle attacks, or local privilege escalation; CVEs include CVE-2025-30023, -30024, -30025, and -30026 (maximum CVSS v3 base score 9.0). Vendor-identified affected releases are older than Pro 6.9, Camera Station 5.58, and Device Manager 5.32; upgrades to these versions or later are the recommended fixes and administrators should minimize network exposure.

ICONICS/Mitsubishi Electric Keypad Code Execution Bug

⚠️ CISA reports CVE-2025-11774, a high-severity vulnerability in the software 'keypad' function of ICONICS Suite, GENESIS64, MobileHMI, and MC Works64. An attacker who tampers with the keypad configuration file can trigger execution of arbitrary EXE files when a legitimate user uses the keypad, enabling information disclosure, tampering, deletion, or a denial-of-service. The issue is rated CVSS 3.1 8.2 (CWE-78). Upgrade affected ICONICS products to GENESIS64 v10.97.3 or V11; MC Works64 users should migrate per vendor guidance.

LabVIEW Multiple Vulnerabilities Allow Code Execution

⚠ National Instruments released patches addressing multiple vulnerabilities in LabVIEW that could allow information disclosure and arbitrary code execution if a user opens a specially crafted VI file. The flaws include out-of-bounds read/write, use-after-free, and a stack-based buffer overflow across several LabVIEW releases up to 2025_Q3. Administrators should apply the vendor Q3 patch updates and minimize exposure of LabVIEW files while performing risk assessments.

HPE OneView RCE Flaw (CVE-2025-37164) Requires Patch

⚠️ HPE has released patches for a maximum-severity remote code execution vulnerability, CVE-2025-37164, in OneView that affects all versions prior to v11.00. Reported by Nguyen Quoc Khanh (brocked200), the flaw permits unauthenticated, low-complexity code injection leading to RCE on unpatched systems. There are no vendor-provided workarounds or mitigations, so administrators should upgrade to OneView v11.00 or apply the appropriate hotfixes without delay. Separate hotfix packages are available for virtual appliance and Synergy deployments.

Microsoft updates break Azure Virtual Desktop RemoteApp

⚠️ Microsoft has confirmed that recent Windows updates cause RemoteApp connection failures for Azure Virtual Desktop on Windows 11 24H2/25H2 and Windows Server 2025, triggered after the November 2025 non-security update KB5070311 or later. The issue affects RemoteApp streaming connections while full virtual desktop sessions remain functional and typically does not impact consumer Home or Pro devices. Microsoft advises a temporary mitigation — adding a registry DWORD (requires administrator privileges) and restarting the device — and has applied a Known Issue Rollback for Pro and Enterprise SKUs. Enterprise administrators can alternatively deploy the provided Group Policy MSI to apply the rollback centrally while Microsoft works on a permanent fix.

Microsoft advises admins to contact support over MSMQ bug

⚠ Microsoft has asked enterprise customers to contact support for guidance after a Message Queuing (MSMQ) change in recent December 2025 updates caused applications and IIS sites to fail. The bug, affecting Windows 10 22H2, Windows Server 2019, and 2016 systems with KB5071546/KB5071544/KB5071543 installed, alters NTFS permissions on C:\Windows\System32\MSMQ\storage, requiring write access and causing resource errors. Microsoft is investigating and advising businesses to seek tailored mitigations or consider rolling back updates.

Notepad++ 8.8.9 fixes updater flaw allowing malicious files

🛡️ Notepad++ released version 8.8.9 to address a weakness in its WinGUp updater after reports that the updater retrieved and executed malicious binaries instead of legitimate update packages. The issue surfaced in community forums where a spawned %Temp%\AutoUpdater.exe executed reconnaissance commands and exfiltrated data to a public paste service. Version 8.8.9 now enforces code-signature verification for downloaded installers and aborts updates that fail signature checks.

Ivanti EPM XSS Flaw Lets Attackers Hijack Admin Sessions

🔒 Ivanti has released a critical patch for an unauthenticated Cross-Site Scripting (XSS) flaw in EPM that can allow attackers to inject malicious device scan data via the incoming API and execute JavaScript in administrator dashboards, enabling full admin-session takeover. The vendor shipped EPM 2024 SU4 SR1 to address CVE-2025-10573 (CVSS 9.6) and other arbitrary-code and file-write vulnerabilities; Ivanti said it had not observed customer exploitation at disclosure.

AzeoTech DAQFactory Multiple Memory-Corruption Flaws

🛡️ CISA warns of multiple memory-corruption vulnerabilities in AzeoTech DAQFactory (release 20.7 and prior) that can be triggered by specially crafted .ctl files. The flaws include out-of-bounds read/write, heap and stack overflows, use-after-free, type confusion, and access of uninitialized pointers; several have CVSS v4 scores up to 8.4. DAQFactory 21.1 addresses these issues and AzeoTech advises avoiding untrusted documents, restricting .ctl file permissions, and using Safe Mode when loading unverified files.

Google Issues Chrome Security Update Fixing Three Zero-Days

🔒 Google released a Chrome security update on December 10 to patch three zero-day vulnerabilities, including a high-severity bug tracked internally as 466192044 for which an exploit is reported in the wild. Google has not published technical details and marks the issue as Under coordination, saying details may be restricted until most users are updated. The advisory also fixes two additional issues: CVE-2025-14372, a use-after-free in Chrome's Password Manager reported by Weipeng Jiang, and CVE-2025-14373, an inappropriate implementation in the Chrome toolbar reported by Khalil Zhani.

Microsoft Fixes Explorer White Flashes in Dark Mode

⚠️ Microsoft has issued a fix for a known bug that caused File Explorer to briefly flash white when launched or navigated in dark mode after installing the optional KB5070311 update. The behavior also occurred when opening a new tab, toggling the Details pane, selecting 'More details' during file copy, or moving to/from Home or Gallery. Microsoft says the December cumulative KB5072033 update resolves the issue and includes related stability and PowerShell warnings.

Google patches eighth Chrome zero-day exploited in 2025

🔔 Google has issued emergency updates for Chrome to address a zero-day tracked as Chromium bug 466192044 that is actively exploited in the wild. The vulnerability is a buffer overflow in the LibANGLE Metal renderer caused by improper buffer sizing and can lead to memory corruption, crashes, sensitive data leaks, or arbitrary code execution. Stable channel builds rolling out are Windows 143.0.7499.109, macOS 143.0.7499.110, and Linux 143.0.7499.109; users should update immediately or allow Chrome to install the update on restart.

Chrome Updated to Fix Actively Exploited High-Severity Flaw

🔐 Google released Chrome security updates addressing three vulnerabilities, including a high-severity flaw that is being actively exploited in the wild and is tracked as Chromium issue 466192044. Google withheld the CVE identifier, affected component, and technical details while coordinating disclosure to allow broader patching. The release also corrects two medium-severity issues in the Password Manager and Toolbar. Users should update to Chrome 143.0.7499.109/.110 (Windows/macOS) or 143.0.7499.109 (Linux) and apply vendor patches for other Chromium-based browsers when available.

Fortinet admins urged to patch FortiCloud SSO flaws

🔒 Fortinet has released patches for two critical cryptographic signature vulnerabilities, CVE-2025-59718 and CVE-2025-59719, that can allow an unauthenticated attacker to bypass FortiCloud SSO using a crafted SAML message on affected FortiOS, FortiWeb, FortiProxy and FortiSwitchManager devices. Administrators are advised to disable FortiCloud SSO immediately if it is enabled, apply vendor updates to non‑vulnerable versions, and then re-enable SSO only after verifying patches. Fortinet notes the feature is not enabled by factory default but can be activated during FortiCare registration; the company and responders recommend using the System -> Settings toggle or the CLI command sequence to disable login until patched.

Fortinet, Ivanti, and SAP Release Emergency Patches

🔐 Fortinet, Ivanti, and SAP have released urgent patches to address high-severity authentication and code-execution flaws affecting FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, Ivanti Endpoint Manager, and multiple SAP products. Fortinet's issues (CVE-2025-59718, CVE-2025-59719; CVSS 9.8) can allow FortiCloud SSO bypass via crafted SAML messages when that feature is enabled. Ivanti patched a stored XSS (CVE-2025-10573; CVSS 9.6) and additional bugs that could lead to remote code execution, while SAP's update remedies three critical flaws including a 9.9 CVSS code injection. Administrators are urged to apply vendor updates or temporarily disable affected features until systems are patched.

SAP patches three critical vulnerabilities in December

🔒 SAP released December security updates fixing 14 vulnerabilities across multiple products, including three critical flaws that could enable remote code execution and full system compromise. The most severe, CVE-2025-42880 (CVSS 9.9), is a code-injection issue in SAP Solution Manager ST 720. A Tomcat-related bundle tracked as CVE-2025-55754 (CVSS 9.6) affects SAP Commerce Cloud, and CVE-2025-42928 (CVSS 9.1) is a deserialization bug in SAP jConnect. Administrators are urged to deploy the provided fixes without delay.

Microsoft issues KB5071546 ESU update for Windows 10

🔒 Microsoft has released the KB5071546 extended security update for Windows 10 Enterprise LTSC and systems enrolled in the ESU program, addressing 57 security vulnerabilities including three zero-days. The mandatory patch updates Windows 10 to build 19045.6691 (LTSC 2021 to 19044.6691) and installs automatically, requiring a restart. Notably, it fixes a remote code execution zero-day in PowerShell (CVE-2025-54100) by adding a confirmation prompt and guidance to use -UseBasicParsing with Invoke-WebRequest to avoid parsing embedded scripts.