< ciso
brief />
Tag Banner

All news with #patch release tag

439 articles · page 6 of 22

Fortinet: RCE in FortiSandbox and FortiAuthenticator

🔒 Fortinet issued security updates to address two critical remote code execution flaws affecting FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083). The FortiAuthenticator issue was fixed in versions 6.5.7, 6.6.9 and 8.0.3, while FortiSandbox and its cloud/PaaS WEB UI received patches for a missing authorization weakness. Fortinet noted the cloud IDaaS service is not impacted and there are no reports of active exploitation.
read more →

Windows 11 May 2026 Cumulative Updates KB5089549/KB5087420

🔒 Microsoft released Windows 11 cumulative updates KB5089549 (25H2/24H2) and KB5087420 (23H2) as the May 2026 Patch Tuesday rollout. The mandatory updates address 120 security vulnerabilities, deliver bug fixes, and introduce features such as desktop Xbox mode, expanded File Explorer archive support, haptic input signals, and Drop Tray. They also improve Windows Hello, taskbar reliability, printing, and add an optional registry control to harden batch-file processing. Install via Settings > Windows Update or the Microsoft Update Catalog.
read more →

Exim BDAT Use-After-Free 'Dead.Letter' Patch Released

🔒 Exim has issued emergency updates to fix CVE-2026-45185, dubbed Dead.Letter, a critical use-after-free in BDAT message body parsing that manifests when TLS is handled via GnuTLS. The flaw is triggered when a client sends a TLS close_notify during an active BDAT transfer and then follows up with a final cleartext byte on the same TCP connection, which can corrupt heap metadata and enable code execution. It affects Exim 4.97 through 4.99.2 built with USE_GNUTLS=yes and is fixed in 4.99.3; there are no mitigations, so administrators should apply the update immediately.
read more →

Dirty Frag: Chained Linux Kernel Flaws Prompt Patch Rush

🛡️ Major Linux distributions are rushing to apply fixes after the embargo on a two‑bug kernel exploit, dubbed Dirty Frag, was broken. The flaw chains CVE-2026-43284 (xfrm‑ESP write‑what‑where, CVSS 8.8) and CVE-2026-43500 (RxRPC out‑of‑bounds write, CVSS 7.8) to enable local privilege escalation to root. Researcher Hyunwoo Kim published a proof‑of‑concept after coordinating with maintainers. Vendors recommend temporarily blacklisting esp4/esp6/rxrpc modules and prioritising immediate patching.
read more →

cPanel/WHM Fixes Three Vulnerabilities in May 2026

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.
read more →

Ivanti warns of EPMM zero-day RCE; patches released

🔒 Ivanti is urging customers to patch a high-severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) after limited zero-day exploitation. The weakness stems from improper input validation and affects on-prem EPMM 12.8.0.0 and earlier; Ivanti released fixes in 12.6.1.1, 12.7.0.1, and 12.8.0.1 and recommends reviewing and rotating admin credentials. The vendor also patched four additional high-severity EPMM issues and noted that Shadowserver currently sees over 850 exposed EPMM hosts online.
read more →

Critical Apache HTTP/2 Double-Free May Enable RCE Now

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.
read more →

ABB B&R Runtime ANSL Server DoS: Patch Released Now

⚠ ABB reported a vulnerability in B&R Automation Runtime (ANSL-Server) that can be triggered remotely to cause a denial-of-service on affected nodes. The issue (CVE-2025-11044) is fixed in Automation Runtime 6.5 and R4.93. Apply the vendor patch promptly; interim mitigations include longer cycle times, limiting ANSL connections at the control-network firewall, and load testing before commissioning.
read more →

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.
read more →

Critical RCE in Weaver E-cology Exploited Since March

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.
read more →

Progress patches critical MOVEit Automation flaws urgently

⚠️ Progress Software issued updates for MOVEit Automation to address two vulnerabilities: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and an improper input validation flaw that could enable privilege escalation (CVE-2026-5174, CVSS 7.7). Affected branches include releases <=2025.1.4, <=2025.0.8, and <=2024.1.7; fixes are available in 2025.1.5, 2025.0.9, and 2024.1.8. Airbus SecLab researchers reported the issues, and Progress states there are no workarounds and no confirmed in-the-wild exploitation; administrators should apply updates promptly and review access to service backend command ports.
read more →

FreeRTOS 202604 LTS: security, MPU, and protocol updates

🛡️ FreeRTOS 202604 LTS is now available, providing a two-year Long Term Support window with security updates, critical bug fixes, and feature stability for embedded and IoT device manufacturers. The FreeRTOS kernel advances to v11.3.0 with new hardware ports, security hardening, and expanded MPU support that reduces claimed MPU regions and allows reservation of hardware regions for application-specific protection. Core libraries include coreMQTT v5.0.2 (MQTT v5.0 features) and coreSNTP v2.0.0 (year-2038 readiness); the release emphasizes memory safety and MISRA-C compliance, with migration guides and an Extended Maintenance Plan to support upgrades.
read more →

Microsoft fixes Remote Desktop warning display bug

🔧 Microsoft has issued a fix for a known issue that caused newly introduced Windows security warnings to render incorrectly when opening Remote Desktop (.rdp) files on multi-monitor systems with differing display scaling. The bug affected all supported Windows versions after the April 2026 cumulative updates and was addressed in the optional Windows 11 preview update KB5083631. The misrendering could hide or misalign dialog buttons and text, preventing users from interacting with the RDP security prompt designed to block risky resource redirections.
read more →

Windows 11 KB5083631 Preview: 34 Fixes, Security and Perf

🔔 Microsoft released the optional cumulative preview update KB5083631 for Windows 11, delivering 34 quality improvements and fixes. Highlights include a new Xbox mode that provides a full‑screen gaming interface, improved startup app launch performance, and enhanced batch file/CMD security that prevents scripts from changing during execution. The update is optional and can be installed via Settings → Windows Update or manually from the Microsoft Update Catalog.
read more →

Trivial Linux kernel bug allows local users to gain root

⚠️ A newly disclosed Linux kernel logic flaw dubbed Copy Fail (CVE-2026-31431) enables an unprivileged local user to write four deterministic bytes into the page cache of any readable file and gain root. Theori researchers published a 732-byte Python proof-of-concept and reported the bug to the kernel team in March; patches were committed in April. Until distributions publish updates — Arch has released a patch so far — CSOs should inventory multi-tenant and container hosts, monitor for privilege escalation, and apply fixes or temporary kernel parameters where feasible.
read more →

April KB5083769 breaks third-party backup on Windows 11

⚠️ The April 2026 KB5083769 security update is causing third‑party backup applications to fail on Windows 11 (24H2 and 25H2) by triggering a VSS snapshot timeout. Vendors including Acronis, Macrium, NinjaOne and UrBackup have reported backup operations aborting with VSS timeout errors. Acronis has published guidance confirming failures on Pro and Home editions and recommends uninstalling KB5083769 and pausing updates as a temporary workaround.
read more →

Critical cPanel Authentication Flaw — Update Immediately

⚠️ cPanel has released urgent security updates to remediate an authentication vulnerability affecting all currently supported versions of its control panel. The vendor issued patched builds (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, 11.134.0.20) and advises immediate updating. If you run an unsupported version, cPanel warns you to upgrade as it may also be affected. Hosting provider Namecheap temporarily blocked TCP ports 2083 and 2087 while applying the fixes and is actively deploying the official patches across its servers.
read more →

Apple fixes iOS bug retaining deleted notifications

🔒 Apple released out-of-band updates for iPhone and iPad to address a Notification Services flaw that could leave deleted notifications stored on the device. The bug, tracked as CVE-2026-28950, was patched on April 22, 2026 in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8. Apple says the issue was resolved through improved data redaction but provided no further technical details or confirmation of exploitation. Users are advised to install the updates promptly.
read more →

Microsoft issues out-of-band patch for ASP.NET Core flaw

🔒 Microsoft released an out-of-band fix after an April 14 .NET update (10.0.6) introduced a critical regression in the ASP.NET Core Data Protection NuGet package (CVE-2026-40372, CVSS 9.1). A bug in the ManagedAuthenticatedEncryptor caused HMAC validation tags to be computed with an incorrect offset, allowing forged cookies and tokens to be treated as valid. Developers should upgrade to 10.0.7, rebuild embedded apps (including Docker images), expire affected cookies and tokens, and rotate protection keys to remove potential forgeries.
read more →

Amazon Corretto April 2026 Quarterly Security Updates

🔒 Amazon announced its April 2026 quarterly security and critical updates for Amazon Corretto, delivering new builds for LTS and Feature Release OpenJDK distributions. Releases available: Corretto 26.0.1, 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u492. This is the final Corretto 8 release that includes JavaFX binaries; JavaFX will be removed starting July 2026. Downloads and repo configuration instructions are provided on the Corretto home page to help administrators apply the updates.
read more →