< ciso
brief />
Tag Banner

All news with #patch release tag

438 articles · page 3 of 22

Critical Splunk Enterprise Postgres Sidecar Flaw Fixed

🛡️ Splunk released security updates to remediate a critical unauthenticated file operation and remote code execution vulnerability (CVE-2026-20253, CVSS 9.8) affecting certain Splunk Enterprise versions. The flaw stemmed from an unauthenticated PostgreSQL sidecar service endpoint that allowed creation or truncation of arbitrary files. Splunk fixed the issue in 10.0.7 and 10.2.4; Splunk Cloud is not affected because it does not use Postgres sidecars. Users are urged to apply the updates promptly to mitigate exploitation risk.
read more →

Ivanti patches critical Sentry gateway vulnerabilities

🔒 Ivanti patched two critical vulnerabilities in Ivanti Sentry, an in-line secure mobile gateway formerly called MobileIron Sentry, that could allow unauthenticated remote attackers to take full control of devices. One flaw, CVE-2026-10523, lets attackers bypass authentication to create administrative accounts and is rated 9.9/10. The second, CVE-2026-10520, is a command injection leading to root remote code execution and is rated 10/10. Customers should upgrade to versions 10.5.2, 10.6.2, or 10.7.1 immediately.
read more →

Microsoft patches Exchange Server XSS zero-day exploit

🛡️ Microsoft released updates to fix an actively exploited Exchange Server XSS vulnerability (CVE-2026-42897) that allows remote attackers to execute arbitrary JavaScript in Outlook Web Access without privileges. The flaw affects Exchange Server 2016, 2019, and Subscription Edition; Microsoft initially deployed a temporary mitigation via the Exchange Emergency Mitigation Service and now urges admins to install the June 2026 security updates and retain mitigations for added protection.
read more →

Microsoft warns some upgraded Windows PCs fail updates

⚠️ Microsoft alerted users that a small subset of Windows devices upgraded to Windows 11 24H2 or 25H2 may fail to install the June 2026 cumulative updates, producing errors 0x80073712 or 0x800f0993. Affected systems show these errors in Update history and logs; Microsoft says a restart will roll out a fix to unmanaged and Home devices starting May 19, 2026. For other impacted machines, Microsoft published replacement KBs and recommends removing an impacted package or performing an in-place upgrade if needed.
read more →

Microsoft patches YellowKey, GreenPlasma and MiniPlasma zero-days

🔒 Microsoft released June 2026 updates fixing three zero-day vulnerabilities disclosed by a researcher known as "Nightmare Eclipse." The flaws—GreenPlasma and MiniPlasma (local privilege escalation) and YellowKey (WinRE backdoor)—allow attackers to escalate to SYSTEM or bypass BitLocker on affected Windows systems. Microsoft provided mitigations for YellowKey and criticized the public disclosure of proof-of-concepts.
read more →

Microsoft issues record June 2026 security fixes

🛡️ Microsoft released fixes for a record 206 security vulnerabilities in June 2026, including three publicly disclosed flaws. The update covers 39 Critical and 167 Important issues, spanning privilege escalation, RCE, information disclosure, spoofing, and more, and includes two non-Microsoft CVEs and numerous Chromium fixes affecting Edge. Notable patched bugs include a Windows Kernel use-after-free (CVE-2026-45657), HTTP.sys and DHCP client RCEs, and several BitLocker bypasses addressed after public PoCs.
read more →

Ivanti Sentry critical root code execution patched

🔒 Ivanti has released patches for two critical vulnerabilities in its Sentry secure mobile gateway, including a maximum-severity OS command injection (CVE-2026-10520) that allows remote code execution as root and a critical authentication bypass (CVE-2026-10523) permitting creation of rogue admin accounts. Patches are available in Sentry R10.5.2, R10.6.2, and R10.7.1, and the vendor reports no evidence of active exploitation at disclosure. Administrators are urged to apply updates promptly to prevent potential compromises.
read more →

SAP patches critical NetWeaver and Commerce Cloud flaws

🔒 SAP released its June 2026 security update addressing 15 vulnerabilities, including four critical issues affecting SAP NetWeaver and SAP Commerce Cloud. The critical flaws include XML Signature Wrapping (CVE-2026-44748), a memory corruption bug (CVE-2026-27671), a Spring Security-related issue (CVE-2026-22732), and a directory traversal in the Java web container (CVE-2026-40128). Organizations should prioritize patching these high-impact defects immediately.
read more →

Microsoft June 2026 Patch Tuesday fixes 200 flaws

🛡️ Microsoft released its June 2026 Patch Tuesday addressing 200 vulnerabilities, including three publicly disclosed zero-day flaws. The update includes 33 Critical issues — 28 of them remote code execution — and a broad mix of elevation of privilege, information disclosure, spoofing, and DoS bugs. Microsoft also provided mitigations and new settings, such as MaxHeadersCount for HTTP/2, and highlighted that some fixes were issued earlier for cloud and Edge components.
read more →

Windows 11 June 2026 Cumulative Updates Released

🔔 Microsoft released Windows 11 cumulative updates KB5094126 and KB5093998 for 25H2/24H2 and 23H2 on Patch Tuesday, delivering security fixes, bug patches, and new features. The updates change build numbers and add capabilities like Shared Audio and expanded Xbox mode, plus Task Manager NPU visibility and Multi‑App Camera. Install via Settings > Windows Update or the Microsoft Update Catalog for the June 2026 security rollup.
read more →

Veeam issues patch for critical Backup & Replication RCE

🛡️ Veeam released patches for a critical remote code execution flaw in Backup & Replication, tracked as CVE-2026-44963 with a CVSS score of 9.4. The issue allowed an authenticated domain user to execute code on the Backup Server and affects 12.3.2.4465 and earlier 12.x builds; version 13.x is not vulnerable. The flaw was reported by watchTowr researcher Sina Kheirkhah and fixed in build 12.3.2.4854; users are urged to update promptly.
read more →

Chrome V8 zero-day patched; urgent user update

🛡️ Google released fixes for 74 vulnerabilities in Chrome, including an actively exploited high-severity V8 issue, CVE-2026-11645 (CVSS 8.8). The flaw is an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine that could allow code execution inside a sandbox via a crafted HTML page. Researcher "303f06e3" reported the bug on April 27, 2026, and received a $55,000 bounty. Users should update Chrome to the latest 149.0.7827.102/.103 versions and apply corresponding updates for other Chromium-based browsers.
read more →

Google issues emergency Chrome update addressing zero-day

🔒 Google has released an emergency update for Chrome addressing 74 vulnerabilities, including a high-severity zero-day that has been exploited in the wild. The bulletin, published on June 8, fixes 17 critical, 55 high-severity and two medium-severity flaws, with updates rolling out to Windows, Mac and Linux users over the coming days and weeks. The exploited V8 bug, CVE-2026-11645, was reported April 27 and earned the researcher $55,000.
read more →

CISA orders patch for Check Point VPN zero-day

🔒 CISA has directed U.S. federal agencies to patch a critical Check Point Remote Access VPN and Mobile Access vulnerability (CVE-2026-50751) that has been exploited in active attacks since May 7. The flaw allows unauthenticated remote attackers to bypass authentication on systems using the deprecated IKEv1 key exchange and legacy remote access clients. Check Point released updates and provided mitigations for organizations that cannot immediately patch, while CISA added the issue to its KEV Catalog and set a June 11 compliance deadline for federal agencies.
read more →

Google issues emergency Chrome zero-day patch

🔒 Google has released an emergency update to address CVE-2026-11645, the fifth Chrome zero-day fixed this year. The flaw, an out-of-bounds read/write in the V8 JavaScript engine, can be exploited by crafted HTML to achieve arbitrary code execution from within the browser sandbox. Patched Stable channel versions for Windows, macOS, and Linux are rolling out, and Google warns details may stay restricted until most users are updated.
read more →

Critical Zcash Orchard Vulnerability Disclosed and Patched

🔒 On May 29, researcher Taylor Hornby discovered a critical flaw in Zcash's Orchard shielded pool; the Zcash team had contracted him specifically for this audit. The vulnerability involved a missing enforcement in a validation check that could have allowed creation of ZEC out of thin air despite valid-looking zero-knowledge proofs. The issue has been patched, but there is no reliable way to determine whether the bug was exploited prior to the fix.
read more →

Gogs patches critical zero-day enabling RCE

🛡️ Gogs has released version 0.14.3 to patch a critical argument-injection zero-day that allows authenticated non-admin users to execute remote code and access any repository, including private ones. The flaw affects all releases up to 0.14.2 and 0.15.0+dev and was reported by Rapid7 researcher Jonah Burgess. Rapid7 urges immediate upgrades and provided mitigations such as disabling open registration and restricting repo creation for instances that cannot be patched immediately.
read more →

Cisco fixes UC Manager file-write to root escalation

🔒 Cisco patched a server-side request forgery in Unified Communications Manager tracked as CVE-2026-20230 that allows unauthenticated network attackers to write files to the underlying OS and then escalate to root. Proof-of-concept exploit code is public and Cisco's PSIRT has not observed in-the-wild use yet. The flaw requires the WebDialer service to be running; WebDialer is off by default but exposes systems where it is enabled. Patching is recommended (14SU6 for the 14 train; interim COP or disable WebDialer until 15SU5 for the 15 train).
read more →

Critical RCE in Everest Forms Pro Actively Exploited

🛡️ A critical remote code execution flaw in Everest Forms Pro for WordPress has been actively exploited to hijack sites. Wordfence analysis shows the vulnerability (CVE-2026-3300, CVSS 9.8) allows unauthenticated attackers to run PHP via the plugin's Calculation add-on when "Complex Calculation" is enabled. The bug affects all versions through 1.9.12 and was patched in 1.9.13; administrators are urged to update immediately. Wordfence telemetry recorded tens of thousands of blocked exploit attempts and identified indicators such as a rogue admin named "diksimarina" and a recurring source IP.
read more →

Cisco warns of critical Unified CM flaw

🔒 Cisco released updates for a critical Unified Communications Manager (Unified CM) vulnerability (CVE-2026-20230) that can be exploited via SSRF to gain root privileges. The issue affects systems with the WebDialer service enabled, which is disabled by default, and Cisco notes public proof-of-concept exploit code is available. Administrators should apply patched versions 14SU6 or 15SU5 or temporarily disable the WebDialer service as a mitigation.
read more →