CISO Brief

All news with #patch release tag

313 articles · page 4 of 16

Cisco Releases Patches for 48 Firewall Vulnerabilities

🔒 Cisco has published 25 joint advisories addressing 48 vulnerabilities across its Secure Firewall ASA, Secure FMC and FTD product lines. The two most critical flaws, CVE-2026-20079 and CVE-2026-20131, are rated CVSS 10 and impact Secure FMC, enabling authentication bypass and remote code execution respectively. The auth bypass can be triggered with crafted HTTP requests against a boot-created system process, while the RCE stems from insecure deserialization of a user-supplied Java byte stream to the web management interface. There are no workarounds; Cisco urges customers to install the fixed software and the bundle also addresses 15 high and 31 medium severity issues.

Google Chrome moves to two-week stable release cycle

🔁 With the release of Chrome 153 on September 8, Google will move from a four-week to a two-week release cadence for both beta and stable channels on Desktop, Android, and iOS. Dev and Canary channels remain on their current schedules while an eight-week Extended Stable branch will be preserved for enterprise customers. Google says smaller, more frequent milestones will reduce disruption and simplify post-release debugging. Users can expect more frequent feature rollouts and occasional restart prompts, and weekly security updates will continue under the August 2023 model.

Denial-of-Service Flaws in Mitsubishi MELSEC iQ-F Modules

⚠ The Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP and FX5-EIP modules contain multiple denial-of-service vulnerabilities that can be triggered by continuous UDP packet streams. The issues have a CVSS 3.1 base score of 7.5 and include an always-incorrect control flow flaw and improper resource shutdown conditions. Mitsubishi released an update for FX5-ENET/IP (v1.107 or later); fixes for FX5-EIP are planned and mitigations are recommended where no fix is available.

Google Patches Android Zero-Day in Qualcomm Display

🔒 Google released March 2026 Android updates addressing 129 security flaws, including an actively exploited zero-day, CVE-2026-21385, in a Qualcomm display Graphics subcomponent. Qualcomm says the bug is an integer overflow/wraparound that local attackers can use to trigger memory corruption. Google also fixed 10 critical System/Framework/Kernel vulnerabilities and published two patch levels (2026-03-01 and 2026-03-05); Pixel devices receive fixes immediately while other vendors may take longer to roll them out.

Amazon RDS for PostgreSQL: New minor releases 18.3-14.22

🔔 Amazon RDS for PostgreSQL now supports minor versions 18.3, 17.9, 16.13, 15.17, and 14.22. These updates address a regression introduced by the PostgreSQL community release on February 12, 2026, and include security fixes and community bug repairs. We recommend upgrading to the latest minor versions to remediate known vulnerabilities and benefit from stability improvements. Use automatic minor version upgrades, the AWS Organizations Upgrade Rollout Policy, or RDS Blue/Green deployments with physical replication to stage changes and minimize downtime.

Trend Micro patches critical Apex One RCE flaws for Windows

⚠️ Trend Micro has released patches for two critical Apex One management console vulnerabilities (CVE-2025-71210 and CVE-2025-71211) that enable path traversal leading to remote code execution on Windows systems. The fixes are included in SaaS updates and Critical Patch Build 14136, which also addresses high-severity agent issues on Windows and macOS. Exploitation requires access to the management console, so externally exposed consoles should apply source restrictions and other access controls. Customers are urged to install updates promptly to reduce risk.

Yokogawa CENTUM VP Vnet/IP Vulnerabilities and Patch

🔒 Yokogawa has issued patches for multiple Vnet/IP vulnerabilities affecting CENTUM VP R6 and R7 interface packages that could allow denial-of-service or, in one case, arbitrary code execution. Affected packages (VP6C3300 and VP7C3300) at or below R1.07.00 are vulnerable; the flaws are tracked as CVE-2025-1924 and CVE-2025-48019 through CVE-2025-48023. CISA reports CVSS scores up to 6.9 (MEDIUM) and recommends applying vendor patch R1.08.00 and following advisory YSAR-26-0002 for implementation guidance.

Zyxel Issues Patch for Critical UPnP RCE Affecting Routers

🔐 Zyxel has released updates for a critical UPnP command-injection flaw tracked as CVE-2025-13942 that can allow unauthenticated remote attackers to execute operating system commands on affected routers, CPEs, ONTs, and extenders. Successful exploitation requires both UPnP and WAN access to be enabled; WAN access is disabled by default on these devices. Zyxel also patched two high-severity post-authentication command-injection bugs (CVE-2025-13943, CVE-2026-1459) and strongly urges administrators to apply firmware updates promptly.

Windows 11 KB5077241 Preview Adds Sysmon, Fixes BitLocker

🔧 Microsoft released the KB5077241 optional cumulative preview for Windows 11, delivering 29 fixes and features including improved BitLocker reliability and a built-in network speed test. The update introduces native Sysmon functionality (disabled by default) and will automatically enable Quick Machine Recovery on some Professional devices that are not domain‑joined or enterprise managed. It also shortens resume-from-sleep times, refines taskbar and File Explorer behavior, and adds RSAT support on Arm64.

SolarWinds Issues Patch for Four Critical Serv-U Flaws

🔒 SolarWinds has released updates to address four critical vulnerabilities in its Serv-U file transfer software, each rated 9.1 on the CVSS scale. The flaws include a broken access control that can create a system admin (CVE-2025-40538), two type confusion bugs (CVE-2025-40539 and CVE-2025-40540), and an IDOR (CVE-2025-40541) — all capable of enabling remote code execution when exploited with administrative privileges. The issues affect Serv-U 15.5 and are fixed in Serv-U 15.5.4. SolarWinds warns Windows deployments carry medium risk because services often run under less-privileged accounts by default, and while no active exploitation has been reported, similar past defects were abused by threat actors such as Storm-0322.

Gardyn Home Kit Multiple Vulnerabilities: Patches Available

🔒 CISA reports multiple high‑severity vulnerabilities in Gardyn Home Kit firmware, cloud API, and mobile application that could permit unauthenticated access, remote command execution, and extraction of administrative credentials. Affected versions include the mobile app prior to 2.11.0, cloud API before 2.12.2026, and firmware older than master.619. Gardyn has released fixes in updated software; users should update apps and firmware and keep devices connected to receive automatic patches.

Schneider Electric EBO Vulnerabilities and Patches Released

🔒 Schneider Electric has released patches for multiple vulnerabilities in EcoStruxure Building Operation Workstation and WebStation that could disclose local files, enable execution of unintended code, or cause denial-of-service. Affected 6.x and 7.0.x builds should be updated to the vendor-supplied patch builds immediately to mitigate exposure. The issues are tracked as CVE-2026-1227 (XXE) and CVE-2026-1226 (code generation/control). If immediate patching is not possible, implement recommended mitigations — network segmentation, strict access controls, MFA for EBO 7.0+, monitoring, and adherence to EBO hardening guidance — to reduce operational risk.

Amazon RDS Custom Adds Latest GDR for SQL Server Updates

🔒 Amazon Relational Database Service (Amazon RDS) Custom for SQL Server now supports the latest General Distribution Release (GDR) updates, including SQL Server 2022 Cumulative Update and KB5072936 (16.00.4230.2.v1). These GDRs address vulnerabilities described in CVE-2026-20803 and are recommended for production environments. You can apply the updates via the RDS Management Console, AWS SDK, or CLI, and consult the Amazon RDS Custom User Guide for upgrade procedures and best practices.

CISA Adds Two Actively Exploited Flaws in Roundcube

⚠️ CISA has added two Roundcube webmail vulnerabilities — CVE-2025-49113 and CVE-2025-68461 — to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is an authenticated deserialization flaw allowing remote code execution via an unvalidated _from parameter and was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is an XSS triggered by the SVG animate tag and was patched in December 2025 in Roundcube releases 1.6.12 and 1.5.12. Researchers reported weaponization within 48 hours and an exploit was offered for sale; FCEB agencies must remediate by March 13, 2026.

Amazon RDS for Oracle: January 2026 Release Update

🔔 Amazon RDS for Oracle now supports the Oracle January 2026 Release Update (RU) for Oracle Database versions 19c and 21c, and the corresponding Spatial Patch Bundle for 19c. The January 2026 RU includes important security updates, while the Spatial Patch Bundle delivers fixes to improve Oracle Spatial and Graph reliability and performance. You can apply these updates via the AWS Management Console, AWS SDK, or CLI, enable Automatic Minor Version Upgrade to apply during maintenance windows, and use AWS Organizations upgrade rollout policy to stagger upgrades across environments.

Windows Admin Center: Microsoft Patches Privilege Bug

🔒 Microsoft disclosed and patched a high-severity flaw in Windows Admin Center that could allow an attacker to escalate privileges. The flaw is tracked as CVE-2026-26119 with a CVSS score of 8.8; Microsoft credited Semperis researcher Andrea Pierini for the discovery and included the fix in Windows Admin Center version 2511 (Dec 2025). The vendor described the issue as improper authentication and tagged it as Exploitation More Likely; technical details are currently restricted. Administrators are advised to apply the update promptly and restrict access to the management endpoint.

AWS Certificate Manager shortens public certificate validity

🔒 AWS Certificate Manager (ACM) now issues public certificates with a 198-day maximum validity, replacing the prior 395-day default to comply with the CA/Browser Forum’s 200-day mandate effective 15 March 2026. No customer action is required: new and renewed public certificates default to 198 days while existing longer-lived certificates remain valid until renewal or expiry. ACM continues to auto-renew certificates (now 45 days before expiry); existing longer-term certificates will renew 60 days before expiry and convert to the 198-day term. AWS also reduced prices for exportable public certificates to reflect the shorter validity.

Notepad++ fixes harden updater, dramatically raising cost

🔐 The author of Notepad++ says the recently released updates have hardened a previously compromised update mechanism so it is now effectively unexploitable. Releases from 8.8.9 through 8.9.2 add layered checks: the updater now verifies both the signed installer and the signed XML manifest with independent cryptographic signatures and aborts on any anomaly. The auto-updater was reinforced, though users can still opt out during installation. The developer warns no system is absolutely unbreakable, but the changes substantially raise attacker cost.

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

⚠️ Researchers disclosed an unauthenticated stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600-series VoIP phones that can yield remote code execution as root. The flaw lies in the web API endpoint /cgi-bin/api.values.get, where a malformed colon-delimited "request" parameter overruns a 64-byte stack buffer. Affected models include GXP1610/1615/1620/1625/1628/1630; Grandstream released firmware 1.0.7.81 to fix the issue. Rapid7 published a Metasploit module demonstrating exploitation and post-exploitation risks such as credential theft and SIP proxy hijacking.

Delta Electronics ASDA-Soft Stack Overflow (CVE-2026-1361)

⚠ A stack-based buffer overflow has been identified in Delta Electronics ASDA-Soft when parsing .par files, allowing an attacker to write data past a stack buffer and corrupt a structured exception handler (SEH). The issue affects versions <= 7.2.0.0 (CVE-2026-1361) and is assigned a CVSS v3.1 base score of 7.8 (High). Delta released fixed ASDA-Soft version 7.2.2.0 and published advisory Delta-PCSA-2026-00003; CISA reports no known public exploitation and notes the vulnerability is not remotely exploitable.