All news with #patch release tag

🔴 A critical out-of-bounds write vulnerability (CVE-2025-9242) in WatchGuard Fireware OS could allow remote code execution via IKEv2 mobile VPN and Branch Office VPN when configured with dynamic gateway peers. Affected releases include Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1, and WatchGuard warns devices previously configured with these peers may remain vulnerable. Shadowserver estimates over 71,000 potentially exposed devices; WatchGuard and the US NVD have published advisories and guidance, and a temporary workaround plus narrower BOVPN access policies are recommended if immediate upgrades are not possible.

🔧 Microsoft released an out-of-band cumulative update, KB5070773, to restore USB mouse and keyboard functionality in the Windows Recovery Environment (WinRE) after October 2025 security updates disabled USB input in recovery on affected client and server builds. The patch began rolling out on October 20, 2025 and Microsoft recommends installing the latest updates. If a device cannot boot to install the patch, workarounds include using a touchscreen’s touch keyboard, connecting PS/2 peripherals, or booting from a previously created USB recovery drive.

🔒 ConnectWise released a security update for Automate to fix two vulnerabilities including a critical 9.6-severity flaw (CVE-2025-11492) that can cause agents to use cleartext HTTP, enabling adversary-in-the-middle (AiTM) interception or modification of commands, credentials, and update payloads. A second 8.8-severity issue (CVE-2025-11493) omits integrity verification for update packages, allowing substituted malicious files. Cloud instances are patched to release 2025.9; on-premise administrators are urged to install the update within days.

✅ Microsoft removed two safeguard holds blocking Windows 11 24H2 installs. The April hold affecting systems using SenseShield's sprotect.sys driver—which could trigger BSODs—was lifted after a security.sys driver update; the feature update will be offered within 48 hours. The September 2024 hold for wallpaper customization apps that caused display and virtual-desktop issues was removed on October 15, 2025; affected devices may see a warning and must confirm before upgrading. Microsoft advises updating or uninstalling problematic apps or contacting their developers for support.

🔒 Microsoft patched a critical HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel ASP.NET Core web server, which Microsoft described as the highest-severity ASP.NET Core flaw ever. An authenticated attacker could smuggle an additional HTTP request to hijack other users' credentials, bypass front-end security controls, or impact integrity and availability. Microsoft released updates for Visual Studio 2022, ASP.NET Core 2.3, 8.0 and 9.0 and advised developers to apply updates, recompile where required, and restart or redeploy affected applications.

🔧 Microsoft has fixed a known issue that broke HTTP/2 connections to localhost (127.0.0.1) and caused IIS sites to fail after recent Windows security updates. Affected systems included Windows 11 and Windows Server 2025, producing errors like “ERR_CONNECTION_RESET” and “ERR_HTTP2_PROTOCOL_ERROR”. Microsoft recommends checking Windows Update and restarting; it also enabled a Known Issue Rollback (KIR) for most home and non-managed devices, while enterprise admins can deploy a KIR group policy until a permanent update ships.

⚠️ Siemens disclosed a type confusion vulnerability (CVE-2025-6554) affecting HyperLynx and Industrial Edge App Publisher, which can enable remote arbitrary read/write and potential code execution via crafted HTML. The issue carries a CVSS v4 base score of 7.0 and a v3.1 score up to 8.1 depending on context. Siemens has released v1.23.5 for App Publisher; no fix is available yet for HyperLynx. Organizations should restrict network exposure, isolate control systems, use secure remote access, and follow Siemens and CISA guidance to mitigate risk.

⚠️ Hitachi Energy reported three vulnerabilities in MACH GWS (versions 3.0.0.0–3.4.0.0) that could enable local tampering, denial-of-service via IEC 61850 message handling, or remote man-in-the-middle attacks. The issues are categorized as Incorrect Default Permissions, Improper Validation of Integrity Check Value, and Improper Certificate Validation and carry CVSS v4 scores up to 7.1. Hitachi Energy recommends updating to MACH GWS 3.5 immediately and following deployment guidance such as network segregation, minimal exposed ports, scanning removable media, and enforcing strong password policies. CISA notes no known public exploitation at this time.

🛡️ AWS Security Hub CSPM now supports the CIS AWS Foundations Benchmark v5.0, introducing 40 automated configuration checks aligned to the industry standard. The new standard is available in all Regions where Security Hub CSPM operates, including AWS GovCloud (US) and the China Regions. AWS recommends using Security Hub CSPM central configuration to enable the standard across selected accounts and Regions with a single action. Customers can subscribe to the CSPM SNS topic for updates and try Security Hub free for 30 days.

🔒 F5 has released security updates for BIG-IP products to address vulnerabilities whose details were stolen during a state-linked breach detected on August 9, 2025. The vendor patched 44 issues across BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients and says it has not seen evidence the flaws were exploited or publicly disclosed. Customers are urged to apply updates immediately and follow F5's guidance to increase logging and monitoring.

🔒 Microsoft has released cumulative updates KB5066835 and KB5066793 for Windows 11 versions 25H2/24H2 and 23H2 as part of the October 2025 Patch Tuesday. These mandatory updates move systems to Build 26200.6899 (25H2/24H2) and 226x1.6050 (23H2) and address recent security vulnerabilities plus several functional issues. Notable fixes include a Chromium print preview hang, PowerShell Remoting timeouts, Windows Hello USB IR camera setup failures, and a gaming sign-in input bug. The update also removes the ltmdm64.sys modem driver and rolls out new AI, accessibility, and File Explorer features gradually.

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

⚠️ Microsoft says Windows 10 reached end of support on October 14, 2025, and will no longer receive feature or security updates. Machines will continue to run but will be at greater risk of viruses and malware without patches. Microsoft advises customers to upgrade to Windows 11, migrate to Windows 365 in the cloud, enroll in Extended Security Updates (ESU), or use LTSC editions for specialized devices. ESU pricing and limited free enrollment options for home and EEA users are noted.

⚠️ Oracle released an emergency security alert on October 11 for CVE-2025-61884, a 7.5 CVSS information-disclosure flaw in the Runtime UI component of E-Business Suite (versions 12.2.3–12.2.14). The vulnerability allows unauthenticated remote attackers with network access to steal sensitive data. The patch arrives one week after an emergency fix for a Cl0p-exploited RCE, and experts urge administrators to apply updates, hunt for prior compromise, and restrict outbound traffic from EBS servers.

🔒 Microsoft’s October 2025 Patch Tuesday addresses 172 vulnerabilities, including two publicly disclosed issues, three zero‑day flaws and eight Critical CVEs. The bulk of fixes target Windows (134 patches), Microsoft Office (18) and Azure (6), with elevation-of-privilege and remote code execution as the primary risks. Windows 10 reaches end of life on October 14, 2025; hosts must be on 22H2 to receive Extended Security Updates. CrowdStrike recommends prioritizing patches for actively exploited zero‑days and using Falcon Exposure Management dashboards to track and remediate affected systems.

🛡️Amazon Relational Database Service (Amazon RDS) now supports the latest General Distribution Release (GDR) and Cumulative Update packages for Microsoft SQL Server, including SQL Server 2016 SP3+GDR (KB5065226), 2017 CU31+GDR (KB5065225), 2019 CU32+GDR (KB5065222) and 2022 CU21 (KB5065865). These updates address multiple security vulnerabilities tracked as CVE-2025-47997, CVE-2025-55227 and CVE-2024-21907. AWS recommends that customers upgrade their RDS SQL Server instances using the Amazon RDS Management Console, AWS SDKs or the AWS CLI and follow the RDS SQL Server upgrade guidance.

🔒 Oracle released an emergency update to address CVE-2025-61884, an information disclosure flaw in the E-Business Suite Runtime UI that affects versions 12.2.3 through 12.2.14. The vulnerability is remotely exploitable without authentication and has been assigned a CVSS base score of 7.5, meaning a successful exploit could expose sensitive resources. Oracle strongly urges customers to apply the out-of-band patch or recommended mitigations immediately, particularly for internet-facing instances.

⚠ Microsoft warned that devices running Windows 11 23H2 Home and Pro editions will stop receiving security updates after November 11, 2025. The November 2025 monthly security update will be the final update for those editions. Users should upgrade to Windows 11 24H2 or later to remain protected; note that some PCs may be prevented from upgrading by a safeguard for SenseShield code-obfuscation drivers.

⚠️ Redis disclosed a maximum-severity vulnerability, CVE-2025-49844 (RediShell), a use-after-free bug in its Lua scripting implementation that has been assigned a CVSS score of 10.0. An authenticated user can submit crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution on the host. The issue affects all Redis versions with Lua and was fixed in 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released Oct 3, 2025). Administrators should immediately restrict EVAL/EVALSHA via ACLs, avoid exposing Redis instances to the internet, enforce strong authentication, and apply the patches without delay.