< ciso
brief />
Tag Banner

All news with #patch release tag

438 articles · page 2 of 22

Adobe fixes seven critical ColdFusion and Campaign flaws

🛡️ Adobe released patches addressing seven maximum-severity vulnerabilities in ColdFusion and Campaign Classic. These issues allow low-complexity, no-interaction attacks and were assigned priority 1, prompting administrators to update within 72 hours. Six flaws impact ColdFusion 2025.9, 2023.20 and earlier, enabling remote code execution, while one affects on-premises Campaign Classic builds and may permit arbitrary code execution in the user context.
read more →

Citrix issues patches for six NetScaler vulnerabilities

🔒 Citrix released security updates to address six vulnerabilities in NetScaler ADC and NetScaler Gateway that could allow arbitrary file reads or trigger denial-of-service conditions. The flaws include memory overread/overflow issues and an external control of file name vulnerability, each with CVSS scores ranging from 6.9 to 8.8. Fixed builds are available for 14.1 and 13.1 branches, with additional configuration changes required for one HTTP/2 issue. Citrix credited multiple external researchers and said there is no evidence of in-the-wild exploitation.
read more →

Critical Progress Kemp LoadMaster API RCE Patch

🛡️ A critical vulnerability in Progress Kemp LoadMaster allows unauthenticated attackers to execute arbitrary commands as root by sending a crafted request to the appliance API. Tracked as CVE-2026-8037 with a ZDI CVSS of 9.8, Progress published an advisory on June 4 and released patches (GA v7.2.63.2 and LTSF v7.2.54.18). Researchers at watchTowr Labs published a technical write-up and proof-of-concept on June 29; administrators should update immediately if the API is enabled.
read more →

Apple issues urgent iOS, macOS and Safari security updates

🔒 Apple released security updates for iOS, macOS, and Safari to address over three dozen vulnerabilities, including four WebKit flaws discovered with AI tools such as Anthropic Claude and OpenAI Codex Security. The fixes target memory corruption, out-of-bounds write, use-after-free, and other WebKit issues, plus several kernel-level bugs that could leak or corrupt memory. Updates are available for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2, and Apple noted no active exploitation has been reported.
read more →

Critical PTC Windchill PLM Flaw Under Active Exploitation

🛡️ Hackers are exploiting a critical unsafe deserialization vulnerability in PTC Windchill and FlexPLM that enables remote code execution. The flaw, tracked as CVE-2026-12569 and scored 9.3 CVSS, affects the Windchill PDMLink web component. PTC issued mitigations and patches on June 17–19 and provided indicators of compromise after reports of web shell deployment. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
read more →

CISA Adds PTC Windchill RCE to KEV Catalog

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical RCE vulnerability affecting PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw, tracked as CVE-2026-12569 with a CVSS score of 9.3, allows arbitrary code execution via improper input validation and deserialization of untrusted data. Patches were released last week, but PTC warns of ongoing attacks deploying JSP web shells and published IoCs and mitigations.
read more →

Amazon RDS Custom adds latest Microsoft SQL Server updates

🛈 Amazon RDS Custom for SQL Server now supports the latest Cumulative Updates (CU) and General Distribution Release (GDR) updates for Microsoft SQL Server, including SQL Server 2019 CU32+GDR (KB5090407) and SQL Server 2022 CU25 (KB5081477). These GDR updates address vulnerabilities described in CVE-2026-40370. You can apply the updates via the Amazon RDS Management Console, AWS SDK, or AWS CLI, and guidance is available in the Amazon RDS Custom User Guide.
read more →

Amazon RDS Adds Latest Microsoft SQL Server GDRs

🔄 Amazon RDS for SQL Server now supports the latest General Distribution Release (GDR) updates across SQL Server 2016 SP3, 2017, 2019, and 2022, corresponding to specific RDS engine versions. These GDRs address vulnerabilities identified as CVE-2026-32167 and CVE-2026-32176. AWS recommends upgrading instances via the Amazon RDS Management Console, AWS SDK, or CLI and refers users to the RDS SQL Server User Guide for upgrade instructions.
read more →

Windows update breaks some Office OLE automations

🛠️ Microsoft’s June update has caused Office apps like Word and Excel to fail when launched via third-party software that relies on OLE automation. Affected integrations include CCH Engagement, Workpaper Manager, Zotero and dental systems such as Dentrix and Softdent, with users reporting files won’t open and no clear error is shown. Microsoft acknowledged the issue and is working on a fix, and also noted a separate cosmetic Recycle Bin filename display problem stemming from the same update.
read more →

Apple patches Beats Studio Buds high-severity bug

🔒 Apple released a Beats Firmware Update (1B211) to address a high-severity Bluetooth authorization flaw (CVE-2025-20701, CVSS 8.8) in the Airoha audio SDK that could allow attackers within Bluetooth range to pair and eavesdrop without user consent. The issue, reported by ERNW researchers in 2025 alongside related Airoha SoC flaws, enables remote privilege escalation and unauthorized microphone access. Apple’s advisory confirms the risk and the firmware update resolves the vulnerability.
read more →

Oracle issues 245 high-priority security fixes

🔒 Oracle released a Critical Security Patch update containing 245 fixes for supported on-premises products, including Enterprise Manager, JD Edwards, Fusion Middleware, MySQL and PeopleSoft. The update provides targeted, high-priority fixes outside the quarterly cadence to reduce disruption and speed remediation. Several patches address remote, unauthenticated exploits—most notably in WebLogic Server, Oracle Coherence and PeopleSoft—some of which are already actively exploited or present immediate risk. Vendors and analysts warn that the scale and placement of these flaws, especially in Fusion Middleware components nearing end of support, create significant control-plane and pivot risks.
read more →

F5 issues patches for two critical NGINX flaws

🛡️ F5 released updates to fix two critical vulnerabilities in NGINX Open Source that can allow remote code execution. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module and CVE-2026-42055 is a heap-based buffer overflow affecting proxy and gRPC modules when specific directives are set. Patches are available across NGINX Open Source, NGINX Plus, Gateway Fabric, Instance Manager, WAF, DoS modules and Ingress Controller versions. Mitigations include disabling HTTP/3 for CVE-2026-42530 and adjusting ignore_invalid_headers or large_client_header_buffers settings for CVE-2026-42055.
read more →

Apple patches Beats Studio Buds eavesdropping flaw

🔒 Apple released a security update to fix a high-severity vulnerability in Beats Studio Buds that could let attackers within Bluetooth range listen through an unpaired device's microphone. The flaw (CVE-2025-20701) was found in Airoha SoC open-source code and disclosed by ERNW researchers at TROOPERS. Apple deployed Beats Firmware Update 1B211, which installs automatically when paired and in range; users can verify the firmware via Bluetooth settings. Chained with related CVEs, attackers could hijack HFP connections to issue phone commands or access contacts, though practical attacks are complex and require proximity.
read more →

F5 issues out‑of‑band patches for critical NGINX flaws

🔒 F5 released out-of-band updates to fix multiple NGINX vulnerabilities, including two critical flaws in the ngx_http_v3_module and ngx_http_proxy_v2/_grpc modules that can lead to DoS or code execution. The bugs cause use‑after‑free or heap buffer overflow in worker processes and affect NGINX Plus, Open Source, Gateway Fabric, and Instance Manager. Mitigations include disabling HTTP/3 and adjusting header buffer directives until patches are applied.
read more →

Microsoft fixes Windows Server 2016 update failures

🔧 Microsoft resolved a known issue that caused the June 2026 security update (KB5094122) to fail on Windows Server 2016 systems that were missing the prior month's KB5087537 update. Administrators had reported 0x80070002 or FILE_NOT_FOUND errors during installation. Microsoft confirmed the installation issue is fixed and affected devices should no longer experience failures deploying the June 2026 update. This follows several recent fixes for update- and boot-related problems across Windows releases.
read more →

Microsoft Confirms RoguePlanet Defender Zero-Day

🛡️ Microsoft disclosed it is preparing a patch for a Defender zero-day tracked as RoguePlanet, now identified as CVE-2026-50656 with a CVSS score of 7.8. The company classifies the issue as a privilege escalation in the Microsoft Malware Protection Engine and says it is working on a quality security update. The exploit was publicly released by researcher Chaotic Eclipse (aka Nightmare-Eclipse), who described it as a race condition that can yield SYSTEM-level shells and may work irrespective of real-time protection settings.
read more →

Microsoft developing patch for Defender RoguePlanet zero-day

🔒 Microsoft is investigating and preparing a security update for a Microsoft Defender elevation-of-privilege vulnerability publicly dubbed RoguePlanet. The flaw, now tracked as CVE-2026-50656, was disclosed with a proof-of-concept last week and reportedly allows spawning SYSTEM-level command prompts via a Defender race condition on fully patched Windows 10 and 11 devices. Microsoft confirmed it is working on a high-quality security update and will publish details in the CVE entry when available.
read more →

CISA Adds LiteSpeed cPanel Plugin Flaw to KEV

🛡️ CISA added CVE-2026-54420 — a privilege escalation flaw in the LiteSpeed cPanel plugin — to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to remediate by June 18, 2026. The vulnerability (CVSS 8.5) allows a user with FTP or web shell access to escalate to root on shared hosting running CloudLinux/CageFS. LiteSpeed advised running a specific grep check in cPanel logs to detect exploitation and recommended upgrading to LiteSpeed WHM Plugin v5.3.2.1 (with cPanel plugin v2.4.8) or later. Namecheap reported the issue on May 31, 2026.
read more →

Amazon RDS MySQL Extended Support for 5.7.44-RDS

🔧 Amazon RDS for MySQL now offers an Extended Support minor version, 5.7.44-RDS.20260521, addressing known security vulnerabilities and bugs. Amazon RDS Extended Support gives customers up to three additional years to upgrade past a major community support end date while receiving critical fixes. Review the Amazon RDS User Guide for upgrade guidance and Pricing FAQs for costs.
read more →

Amazon RDS adds support for MariaDB minor versions

🔔 Amazon RDS for MariaDB now supports community minor versions 10.6.27, 10.11.18, 11.4.12, and 11.8.8. AWS recommends upgrading to the latest minor releases to address known security vulnerabilities and to gain bug fixes, performance improvements, and new functionality from the MariaDB community. You can use automatic minor version upgrades during scheduled maintenance or RDS Managed Blue/Green deployments for safer and faster updates. See the Amazon RDS User Guide for details on upgrading, and consult pricing and regional availability in the Amazon RDS documentation.
read more →