
All news with #patch release tag

313 articles · page 6 of 16

Mitsubishi FREQSHIP-mini for Windows: Incorrect Permissions

⚠️ A high-severity vulnerability (CVE-2025-10314) affects Mitsubishi Electric FREQSHIP-mini for Windows versions 8.0.0 through 8.0.2 due to incorrect default permissions. A local attacker with write access to the installation directory could replace service executables or DLLs and execute code with SYSTEM privileges, potentially modifying or destroying data or causing denial of service. Mitsubishi released version 8.1.0 to address the issue; administrators should install the update and apply vendor mitigations, limit remote access, and maintain endpoint protections.

Microsoft to Disable NTLM Authentication by Default in Windows

🔒 Microsoft has moved the long-planned phase-out of NTLM into a default-disable posture for Windows 11 and Windows Server. Introduced in the 1990s and largely superseded by Kerberos since Windows 2000, NTLM still appears in many legacy enterprise systems and enables attacks such as NTLM relay. Administrators have been preparing for years, but Microsoft now considers NTLM deprecated and has published a timetable for deactivation to help organizations plan.

Amazon RDS for MySQL: New Minor Versions 8.0.45 & 8.4.8

🔒 Amazon RDS for MySQL now supports the MySQL community minor releases 8.0.45 and 8.4.8. AWS recommends upgrading to these minors to remediate known security vulnerabilities present in earlier releases and to benefit from bug fixes, performance improvements, and incremental features. You can enable automatic minor version upgrades to apply eligible updates during scheduled maintenance windows to reduce manual effort. For lower-risk updates and faster cutover, consider Amazon RDS Managed Blue/Green deployments and follow the Amazon RDS User Guide for upgrade instructions, regional availability, and pricing details.

Microsoft fixes Windows 11 bug hiding password icon

🔒 Microsoft has resolved a Windows 11 sign-in issue that caused the password icon to disappear from lock screen options after installing August 2025 updates and later. Affected users with multiple sign-in methods could still sign in by hovering over the placeholder to reveal the hidden button. The fix is included in the optional January 2025 KB5074105 preview update released January 29; install via Settings > Windows Update or the Microsoft Update Catalog.

Microsoft Fixes Outlook Bug Blocking Encrypted Emails

✅ Microsoft has issued a fix for a known issue that prevented Microsoft 365 customers from opening Encrypt Only messages in classic Outlook after a December update. Impacted users saw a message_v2.rpmsg attachment instead of readable content and a 'restricted permission' notice in the Reading Pane. Microsoft says the repair is available in the Beta Channel now and will roll to Current Channel and Current Channel Preview in February. Temporary workarounds are provided for users who cannot upgrade immediately.

Windows 11 KB5074105 Preview Fixes Boot and Sign-In

🔧 Microsoft released the optional January 2026 preview cumulative update KB5074105 for Windows 11, delivering 32 non-security quality fixes administrators can validate before Patch Tuesday. The preview moves 25H2 devices to build 26200.7705 and 24H2 devices to 26100.7705 and can be installed via Settings > Windows Update or the Microsoft Update Catalog. Key fixes address sign-in and boot failures, activation problems during license migrations, expanded Cross-Device Resume for Android-to-PC activity continuation (examples include resuming Spotify, Office work, or browsing sessions), and broader Windows Hello Enhanced Sign-in Security support for peripheral fingerprint sensors. Additional reliability fixes target UAC elevation hangs, graphics-related system errors (dxgmms2.sys, KERNEL_SECURITY_CHECK_FAILURE), Windows Sandbox startup failures (0x800705b4), startup/login hangs and iSCSI boot issues. Administrators are advised to test the update in lab environments before wide deployment.

SmarterMail Patches Critical Unauthenticated RCE, NTLM Fix

⚠️ SmarterTools released builds addressing critical vulnerabilities in SmarterMail, including an unauthenticated remote code execution flaw (CVE-2026-24423) rated CVSS 9.3. The flaw in the ConnectToHub API allowed an attacker to direct SmarterMail to a malicious HTTP server that serves OS commands, which the application could execute; this was fixed in Build 9511 on January 15, 2026. A separate NTLM-related path coercion issue (CVE-2026-25067, CVSS 6.9) that could force outbound SMB authentication and enable NTLM relay was patched in Build 9518 (January 22, 2026). Administrators should update immediately.

Ivanti EPMM Zero-Days Allow Unauthenticated RCE, Patch Issued

⚠️ Ivanti has released security updates addressing two critical zero-day code-injection flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) — which enable unauthenticated remote code execution and have been observed in limited attacks. One of the defects, CVE-2026-1281, was added to CISA’s KEV catalog, imposing a Federal remediation deadline of February 1, 2026. A temporary RPM patch is available for affected 12.x releases but does not persist through upgrades; Ivanti plans a permanent fix in EPMM 12.8.0.0 due Q1 2026. Customers are urged to check Apache access logs using the provided regex, inspect administrative and configuration changes, and restore or rebuild compromised appliances if indicators of attack are found.

Microsoft January 2026 Out-of-Band Office Update Patch

⚠️ Microsoft released three out-of-band updates in January 2026, including a security update addressing CVE-2026-21509 in Microsoft Office, which has been reportedly exploited in the wild. The vulnerability is rated Important with a CVSS 3.1 score of 7.8 and is considered local, requiring a user to open a malicious Office document or for an attacker to have system access. Microsoft notes the issue cannot be triggered via the Preview Pane and has published mitigation guidance. Talos published Snort and ClamAV detections and advises customers to apply the latest rules and SRU updates.

OpenSSL patches 12 vulnerabilities discovered by AISLE

🔒 A coordinated security update addressed 12 previously unknown vulnerabilities in OpenSSL, disclosed by AISLE through a coordinated process with project maintainers. The issues span multiple subsystems — from legacy CMS parsing to QUIC and post-quantum signature handling — and include a high-severity stack buffer overflow in CMS AuthEnvelopedData that could enable remote code execution under specific conditions. Remediation included fixes merged into releases and six additional issues resolved before reaching users.

SolarWinds Patches Critical Web Help Desk RCE and Bypass

🔒 SolarWinds released updates for Web Help Desk to address critical authentication bypass and remote code execution vulnerabilities, including CVE-2025-40551, CVE-2025-40552 and CVE-2025-40553. Reported by researchers at watchTowr and Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication and execute commands via deserialization and other vectors. Administrators should upgrade to Web Help Desk 2026.1 immediately to mitigate risk.

Microsoft issues second out-of-band Windows fix in a week

🔧 Microsoft has issued emergency out-of-band updates after users reported that the January 13 Patch Tuesday releases caused some applications, notably Outlook, to hang or behave unexpectedly when accessing files stored on cloud services such as OneDrive and Dropbox. The company released cumulative fixes — including KB5078127 for Windows 11, KB5078129 for Windows 10 and server updates KB5078131/KB5078136/KB5078135 — to address PST-file issues that could cause hangs, missing sent items or repeated redownloads. Administrators should review the KB notes, test in their environments and deploy the patches to restore normal email and cloud-file workflows.

Microsoft issues emergency OOB updates to fix Outlook

🔧 Microsoft has released out-of-band updates for Windows 10, Windows 11, and Windows Server to address an issue that caused Outlook to freeze when opening PST files stored in cloud-backed storage such as OneDrive or Dropbox. The problem emerged after the January 13, 2026 Patch Tuesday updates and mainly affected classic Outlook configurations used in enterprises. Affected instances could become unresponsive until the process was terminated or the system restarted, and users reported missing Sent Items and duplicate downloads. The fixes are available via Windows Update or the Microsoft Download Catalog and include several KB updates for specific Windows and Server versions.

Critical Telnetd Auth Bypass in GNU InetUtils Exploited

⚠️ A coordinated campaign is exploiting a critical authentication-bypass flaw in the GNU InetUtils telnetd server, tracked as CVE-2026-24061. The bug, present since 2015, lets attackers set the USER environment variable (for example USER=-f root) to bypass /usr/bin/login and obtain a root shell. Patches are in InetUtils 2.8; mitigations include disabling telnetd or blocking TCP port 23. GreyNoise observed limited, mostly automated exploitation activity and recommends immediate patching and hardening.

Actively Exploited Cisco UC RCE Flaw Requires Patching

⚠️ Cisco has released patches for a critical remote code execution vulnerability, CVE-2026-20045, affecting Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw allows unauthenticated remote attackers to gain user access via crafted HTTP requests and then escalate privileges to root without user interaction. No workarounds exist; fixes are version-specific and organizations should apply the matching patch or migrate unsupported 12.5 systems.

Johnson Controls ICU Stack-Based Overflow Patch Available

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) warns of a stack-based buffer overflow in Johnson Controls' iSTAR Configuration Utility (ICU), tracked as CVE-2025-26386. The vulnerability affects ICU versions <= 6.9.7 and, under certain conditions, could lead to an operating system failure on the host machine. Johnson Controls released a vendor fix; update ICU to version 6.9.8. CISA recommends applying the update promptly and following network-segmentation and remote-access best practices to reduce exposure.

Oracle issues 337 patches including critical Tika fix

🛡️ Oracle's January quarterly update delivers 337 security fixes across its product portfolio, including 27 rated critical. The vendor reports no known in-the-wild exploitation at release, but urges priority attention to the 13 CVEs mapped to critical severity. A substantial share of patches address third-party and open-source components such as Apache Tika, creating cross-product CVE overlap and assessment complexity.

Zoom and GitLab Release Patches for Critical Flaws

🔒 Zoom and GitLab released security updates to address multiple vulnerabilities that could enable denial-of-service, remote code execution, and a two-factor authentication bypass. The most severe is a critical command injection in Zoom Node Multimedia Routers (CVE-2026-22844, CVSS 9.9) that may allow remote code execution; Zoom reports no evidence of active exploitation. GitLab patched several high-severity DoS and 2FA-bypass issues across CE and EE releases. Administrators should apply the provided patches, upgrade affected modules, and review exposure to untrusted networks immediately.

CERT/CC warns binary-parser flaw enables JS execution

🛡️ The CERT/CC has warned of a code-injection vulnerability in the binary-parser npm library (CVE-2026-1245) that can permit execution of arbitrary JavaScript when parser source is dynamically generated at runtime. The flaw arises from unsanitized, attacker-controlled values — such as parser field names and encoding parameters — being embedded into code compiled with the Function constructor. Applications that accept untrusted parser definitions are at risk; static, hard-coded parsers are not affected. Users should upgrade to binary-parser 2.3.0 and avoid passing user-controlled values into parser definitions.

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.