< ciso
brief />
Tag Banner

All news with #patch release tag

439 articles · page 20 of 22

Windows 11 23H2 Home and Pro reach end of support soon

⚠ Microsoft warned that devices running Windows 11 23H2 Home and Pro editions will stop receiving security updates after November 11, 2025. The November 2025 monthly security update will be the final update for those editions. Users should upgrade to Windows 11 24H2 or later to remain protected; note that some PCs may be prevented from upgrading by a safeguard for SenseShield code-obfuscation drivers.
read more →

Redis 13-Year Use-After-Free Flaw Rated CVSS 10.0 Severity

⚠️ Redis disclosed a maximum-severity vulnerability, CVE-2025-49844 (RediShell), a use-after-free bug in its Lua scripting implementation that has been assigned a CVSS score of 10.0. An authenticated user can submit crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution on the host. The issue affects all Redis versions with Lua and was fixed in 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released Oct 3, 2025). Administrators should immediately restrict EVAL/EVALSHA via ACLs, avoid exposing Redis instances to the internet, enforce strong authentication, and apply the patches without delay.
read more →

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.
read more →

Steam, Microsoft Warn of Unity Flaw Exposing Gamers

⚠️ A code execution vulnerability in Unity's Runtime (CVE-2025-59489) can allow unsafe file loading and local file inclusion, enabling code execution on Android and privilege escalation on Windows. Valve/Steam issued a Client update to block launching custom URI schemes and urges publishers to rebuild with a safe Unity version or replace the UnityPlayer.dll. Microsoft published guidance recommending users uninstall vulnerable games until patched, and Unity advises developers to update the Editor, recompile, and redeploy.
read more →

Oracle issues emergency patch for CVE-2025-61882 exploit

🔒 Oracle has released an emergency update to address CVE-2025-61882, a critical (CVSS 9.8) vulnerability in the E-Business Suite Concurrent Processing component that can be exploited over HTTP without authentication. Oracle warned the flaw may allow remote code execution and issued additional fixes after discovering further potential exploitation vectors. Indicators shared with the advisory point to activity linked to Cl0p and a group associated with Scattered LAPSUS$ Hunters; organizations are urged to apply the patch and hunt for signs of compromise.
read more →

Broadcom Patches VMware NSX and vCenter Vulnerabilities

🔒 Broadcom has released security updates for VMware vCenter and NSX addressing multiple high-severity vulnerabilities, including CVE-2025-41250, CVE-2025-41251 and CVE-2025-41252. The most serious, an SMTP header injection in vCenter (CVSSv3 8.5), allows non-administrative users to tamper with scheduled email notifications and has no available workaround. Two NSX flaws permit unauthenticated username enumeration, which can facilitate brute-force or credential-stuffing attacks. Administrators are urged to apply the fixed versions immediately.
read more →

Windows 11 25H2 (2025 Update) Now Generally Available

ℹ️ Windows 11 25H2 (2025 Update) is now generally available. The minor release shares the same platform as 24H2 and is rolled out gradually, with devices on 24H2 updated via small enablement packages (<200 KB) while systems on 23H2 receive a full OS swap. Enterprise-focused changes include Wi‑Fi 7 support, improved vulnerability detection, and an optional Group Policy to remove select preinstalled Store apps. Microsoft also removed legacy tools such as PowerShell 2.0 and WMIC.
read more →

Critical WD My Cloud Bug Allows Remote Command Injection

🔒 Western Digital issued firmware 5.31.108 to fix a critical OS command injection (CVE-2025-30247) in the My Cloud web UI that allows remote execution via crafted HTTP POST requests. The update addresses multiple consumer and small-business NAS models, though My Cloud DL2100 and DL4100 have reached end of support and may not receive fixes. WD urges immediate patching; affected owners should apply the firmware or disconnect devices from the internet until updated.
read more →

Windows 11 KB5065789: 41 fixes and new AI actions now

🛠 Microsoft released the optional preview cumulative update KB5065789 for Windows 11 24H2 (build 26100.6725), delivering 41 non-security changes and fixes. Highlights include new AI actions in File Explorer, an updated Click to Do menu, an Administrator Protection Preview, and passkey plugin integration. The update addresses high CPU usage in Windows Sandbox (VmmemCMFirstBoot), WSUS-related update failures, Windows Hello 0x80090010 errors on Entra ID–joined devices, HDR and Hyper-V TPM issues, and gaming performance with overlays. Microsoft lists a known DRM-related playback issue; install via Settings > Windows Update or the Microsoft Update Catalog.
read more →

Amazon RDS for PostgreSQL Extended Support Updates

🔒 Amazon RDS for PostgreSQL now provides Extended Support minor versions 12.22-rds.20250814 and 11.22-rds.20250814, delivering critical security patches and bug fixes for affected instances. We recommend upgrading RDS instances to these releases to maintain security and performance. Extended Support offers up to three years of additional fixes after community support ends. Use automatic minor upgrades or RDS Blue/Green deployments to apply updates during maintenance windows.
read more →

Microsoft issues final Windows 10 22H2 preview update

🔧 Microsoft released the final non-security preview update for Windows 10 22H2 (KB5066198), delivering fixes for the out-of-box experience and SMBv1 connectivity over NetBIOS over TCP/IP (NetBT). This optional cumulative update lets administrators test improvements before they roll into the next month’s Patch Tuesday and raises systems to build 19045.6396. KB5066198 also resolves an Autopilot Enrollment Status Page (ESP) OOBE loading issue and includes prior fixes for unexpected UAC prompts and NDI streaming performance regressions. Install via Windows Update by choosing 'Download and install' for optional updates or obtain the package from the Microsoft Update Catalog.
read more →

Microsoft to Provide Free Windows 10 Security Updates in EEA

🛡️ Microsoft will provide no-cost Extended Security Updates (ESU) for Windows 10 consumer users across the European Economic Area (EEA). The company adjusted enrollment so consumers can access critical patches without tying updates to Windows Backup or Microsoft Rewards, following pressure from Euroconsumers. Microsoft says the change aims to support customers transitioning to Windows 11 before Windows 10 reaches end of support on October 14, 2025.
read more →

SolarWinds Patches Third Bypass for Web Help Desk Bug

🔒SolarWinds has issued a third patch for a critical Java deserialization vulnerability in its Web Help Desk product. The vendor describes the new advisory as a patch bypass of CVE-2024-28988, which itself bypassed CVE-2024-28986, and has designated the latest issue CVE-2025-26399. The underlying unsafe Java deserialization flaw in the AjaxProxy component can permit unauthenticated remote code execution and is rated 9.8/10 on the CVSS scale.
read more →

Libraesva ESG issues emergency fix for exploited bug

⚠ Libraesva issued an emergency update for ESG to fix a command injection vulnerability (CVE-2025-59689) triggered by a specially crafted compressed email attachment. The flaw allowed arbitrary shell commands to run as a non-privileged user and was confirmed exploited by actors believed to be state-sponsored. Fixed releases were auto-deployed to cloud and on-premise customers; end-of-life versions require manual upgrades.
read more →

SolarWinds issues third patch for Web Help Desk RCE

🔒 SolarWinds has released a hotfix addressing a critical unauthenticated remote code execution vulnerability in Web Help Desk tracked as CVE-2025-26399. The flaw affects WHD 12.8.7 and is caused by unsafe deserialization in the AjaxProxy component, described as a patch bypass of earlier CVE-2024-28986/28988 fixes. Administrators should obtain the hotfix from the SolarWinds Customer Portal and follow the vendor’s JAR replacement steps promptly.
read more →

SonicWall SMA100 Firmware Removes OVERSTEP Rootkit

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.
read more →

SolarWinds Issues Hotfix for Critical Web Help Desk RCE

🔧 SolarWinds has released a hotfix to address a critical deserialization vulnerability in Web Help Desk that affects versions up to 12.8.7, tracked as CVE-2025-26399 (CVSS 9.8). The unauthenticated AjaxProxy flaw can enable remote command execution on vulnerable hosts if exploited. An anonymous researcher working with the Trend Micro Zero Day Initiative reported the issue. SolarWinds recommends immediate upgrade to 12.8.7 HF1 to mitigate risk.
read more →

CISA Adds Chromium V8 Type-Confusion CVE to KEV Catalog

⚠️ CISA has added CVE-2025-10585, a Google Chromium V8 type confusion vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is a common browser attack vector and poses substantial risk to browsers and systems that embed V8. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged vulnerabilities by required due dates; CISA strongly urges all organizations to prioritize timely remediation and continued vigilance.
read more →

GitHub mandates 2FA, short-lived tokens for npm publishing

🔐 GitHub said it will change npm authentication and publishing practices in the near future to address recent supply-chain attacks, including the Shai-Hulud incident. The company will require 2FA for local publishes, deprecate legacy tokens and TOTP in favor of FIDO, introduce seven-day granular publishing tokens, and enable OIDC-based trusted publishing. The npm CLI will also auto-generate provenance attestations to prove source and build environment.
read more →

Microsoft Removes Windows 11 24H2 Safeguard Hold After Fix

🔧 Microsoft removed a compatibility hold that prevented devices with integrated cameras from installing Windows 11, version 24H2 after fixing a face/object detection bug that could cause the Camera app, Windows Hello facial sign-in, and other camera-using apps to freeze. The safeguard (ID 53340062) has been lifted; eligible devices with no other holds should be offered the update via Windows Update within 48 hours, and restarting may speed the offer. Microsoft recommends installing the latest security update, which includes the fix.
read more →