< ciso
brief />
Tag Banner

All news with #patch release tag

439 articles · page 7 of 22

Microsoft Issues Patch for Critical ASP.NET Core Flaw

🔒 Microsoft released an out-of-band update to address a high-severity privilege-escalation flaw in ASP.NET Core tracked as CVE-2026-40372 (CVSS 9.1). A regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 allowed the managed encryptor to compute HMAC validation over incorrect payload bytes, enabling forged payloads to pass authenticity checks and potentially grant SYSTEM-level access on non-Windows hosts. Microsoft fixed the issue in ASP.NET Core 10.0.7 and warned tokens issued during the vulnerable window remain valid until the DataProtection key ring is rotated.
read more →

Microsoft issues emergency patches for ASP.NET flaw

🔒 Microsoft has released out-of-band updates to fix a critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection APIs. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 packages caused HMAC validation to be computed over the wrong bytes, allowing forged auth cookies and decryption of protected payloads. Developers should update to 10.0.7, redeploy, and rotate DataProtection key rings to invalidate tokens issued during the vulnerable window.
read more →

Amazon RDS Custom for SQL Server: GDR Updates Supported

🛡️ Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates from Microsoft for SQL Server 2019 (CU32+GDR KB5077469, RDS version 15.00.4460.4.v1) and SQL Server 2022 (CU23+GDR KB5077464, RDS version 16.00.4240.4.v1). These GDRs remediate vulnerabilities tracked as CVE-2026-21262 and CVE-2026-26115. You can apply the recommended updates using the Amazon RDS Management Console or programmatically via the AWS SDK or CLI; see the Amazon RDS Custom User Guide for upgrade guidance.
read more →

Siemens SCALANCE W-700 Series Multiple Firmware Flaws

⚠️ Siemens SCALANCE W-700 series devices with firmware earlier than V6.6.0 are affected by multiple security vulnerabilities. Siemens released firmware V6.6.0 to address these issues and urges operators to update affected units promptly. Temporary mitigations include reducing Wi‑Fi power, restricting physical access, disabling A‑MSDU if available, and minimizing network exposure of control devices. Several flaws could allow remote attackers to execute actions or cause denial of service; some carry high or critical CVSS scores.
read more →

Microsoft issues emergency Windows Server OOB updates

⚠️Microsoft has released out-of-band updates to address multiple issues affecting Windows Server systems after the April 2026 cumulative patches. An installation failure impacting KB5082063 on Windows Server 2025 and LSASS crashes that can force domain controllers into restart loops are the primary problems. Microsoft published OOB fixes for Server 2025 (KB5091157) — which resolves both issues — and separate updates for 23H2, 2022, 2019, 2016 and Azure hotpatch editions; some Server 2025 devices may also enter BitLocker recovery after KB5082063.
read more →

Critical Thymeleaf Sandbox Bypass Patched in Java Template

⚠️ Maintainers of Thymeleaf released a patch addressing a critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-40478, that allows unauthenticated attackers to execute expressions and run code. The flaw bypasses Thymeleaf’s sandbox protections by exploiting control characters in expressions and improper class restrictions. All versions prior to 3.1.4.RELEASE are affected, there is no workaround, and organizations should upgrade immediately.
read more →

CISA: Active Exploitation of Apache ActiveMQ CVE-2026-34197

🔴 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a high-severity Apache ActiveMQ flaw, CVE-2026-34197, is being actively exploited in attacks. The bug, present for 13 years, allows authenticated attackers to execute arbitrary code via improper input validation and injection. Apache released patches on March 30 for ActiveMQ Classic 6.2.3 and 5.19.4, and CISA added the CVE to its KEV catalog, ordering federal agencies to patch by April 30.
read more →

Cisco issues critical Webex and ISE vulnerability fixes

⚠️ Administrators using Cisco Webex Services with SSO integrated via Control Hub must upload a new identity provider (IdP) SAML certificate to remediate a critical impersonation vulnerability (CVE-2026-20184). Cisco has patched the cloud-side service, but affected customers must perform the configuration change in Control Hub; there are no workarounds. Cisco also released critical fixes for ISE and ISE-PIC addressing remote code execution and path traversal flaws that require patching and credential hygiene.
read more →

Cisco patches critical Webex SSO flaw; action required

🔒 Cisco released updates addressing four critical vulnerabilities, including a fixed improper certificate validation bug in Webex Services SSO integration (CVE-2026-20184) that could enable user impersonation via crafted tokens. While Cisco patched the service-side defect, customers using SSO must upload a new SAML certificate for their IdP into Control Hub to avoid service interruptions. The company also fixed three critical ISE flaws that require administrative credentials to exploit.
read more →

Cisco Patches Critical Webex and Identity Services Flaws

🛡️ Cisco has released updates to address four critical vulnerabilities across Webex Services and Identity Services Engine (ISE) that could permit arbitrary code execution and user impersonation. A cloud-side SSO certificate validation flaw (CVE-2026-20184, CVSS 9.8) can allow unauthenticated impersonation, while three ISE input validation issues (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186; CVSS 9.9) enable remote command or code execution when an attacker has appropriate credentials. Cisco provides specific patch levels and migration guidance and advises customers to apply updates or upload a new IdP SAML certificate to Control Hub where applicable.
read more →

Some Windows Servers Require BitLocker Key After Apr Update

🔐 Microsoft confirmed that some Windows Server 2025 devices may boot into BitLocker recovery after installing the April 2026 security update KB5082063. The issue affects very specific enterprise configurations where a Group Policy or registry setting includes PCR7 in the TPM platform validation profile while System Information reports Secure Boot State PCR7 Binding as 'Not Possible' and the Windows UEFI CA 2023 certificate is present but the 2023-signed Boot Manager is not yet running. Microsoft says the recovery key entry is required only once and has published workarounds: remove the Group Policy before deployment or apply a Known Issue Rollback (KIR) to prevent triggering BitLocker recovery.
read more →

Microsoft fixes bug causing Windows Server 2025 upgrades

🛠️ Microsoft has fixed a known issue that caused systems running Windows Server 2019 and 2022 to unexpectedly upgrade to Windows Server 2025. The problem was first acknowledged in September 2024 after widespread reports from administrators, and Microsoft says it has re-enabled the in-place upgrade offer via the Settings app. Microsoft previously cited third-party update management configuration, while some vendors said the root cause was a procedural error on Microsoft's side.
read more →

Microsoft Adds Protections for Malicious RDP Files Now

🔒 Microsoft has added new protections in the April 2026 cumulative updates to help block malicious Remote Desktop (.rdp) files commonly used in phishing campaigns. After the update users see a one-time educational prompt and, on subsequent opens, a security dialog that lists local resource redirections with every option disabled by default. Unsigned files receive a 'Caution: Unknown remote connection' warning and unknown publisher label. Administrators can temporarily disable the dialog via a registry policy but Microsoft advises keeping the protections enabled.
read more →

Microsoft Issues Windows 10 KB5082200 Extended ESU

🔒 Microsoft has released the Windows 10 KB5082200 extended security update to address the April 2026 Patch Tuesday fixes, including two zero-day vulnerabilities. After installation, Windows 10 is updated to build 19045.7184 and Windows 10 Enterprise LTSC 2021 to build 19044.7184. The update adds Remote Desktop (.rdp) phishing protections, introduces dynamic Secure Boot status indicators in Windows Security, and fixes BitLocker recovery issues on certain Intel Connected Standby devices. Devices enrolled in ESU or running Enterprise LTSC can install via Windows Update.
read more →

Windows 11 April 2026 Cumulative Updates Released KBs

🛡️ Microsoft has released cumulative updates KB5083769 (25H2/24H2) and KB5082052 (23H2) for Windows 11 as part of the April 2026 Patch Tuesday. These mandatory updates deliver security fixes, bug repairs, and several feature refinements, including the ability to toggle Smart App Control without a clean install and richer Narrator image descriptions on Copilot-enabled systems. After installation, affected builds update to 26200.8246 / 26100.8246 (25H2/24H2) and 22631.6936 (23H2). Install through Settings > Windows Update or the Microsoft Update Catalog.
read more →

Adobe issues emergency patch for Acrobat/Reader zero-day

🔒 Adobe released an emergency security update to fix a zero-day tracked as CVE-2026-34621, which has been exploited since at least December to bypass Acrobat/Reader sandbox protections. The flaw lets malicious PDFs invoke privileged JavaScript APIs (for example util.readFileIntoStream() and RSS.addFeed()) to read local files and exfiltrate data with no user interaction beyond opening the file. Affected versions of Acrobat DC, Acrobat Reader DC and Acrobat 2024 have fixes available; Adobe urges users to update via Help > Check for Updates or by downloading the installer.
read more →

Old Docker AuthZ Bypass Reappears, Patch Released Now

⚠️Researchers from Cyera disclosed a high-severity authorization bypass in Docker Engine (CVE-2026-34040) that allows attackers with Docker API access to evade third-party AuthZ plug-ins and execute privileged commands on hosts. The flaw, rated 8.8 on the CVSS scale, was fixed in Docker Engine 29.3.1 and Docker Desktop 4.66.1. As an interim mitigation, administrators can filter malicious requests by limiting API request size (for example, blocking requests over 512KB) until patches are deployed.
read more →

Amazon RDS Adds Latest Microsoft SQL Server CU/GDR Patches

🔔 Amazon RDS for SQL Server now supports the latest Microsoft cumulative updates (CU) and General Distribution Release (GDR) packages for SQL Server 2016 SP3, 2017, 2019, and 2022. The GDRs remediate security issues tracked as CVE-2026-21262 and CVE-2026-26115. AWS recommends upgrading RDS instances via the Management Console, AWS SDK, or CLI to apply these fixes. See the Microsoft KBs and the Amazon RDS SQL Server User Guide for upgrade guidance.
read more →

Microsoft rolls out fix for broken Windows Start search

🔧 Microsoft has deployed a server-side fix after a Bing update disrupted Windows 11 23H2 Start Menu search on a small number of devices. The issue, first noted around April 6 and reportedly seen by some users for months, produced blank but clickable search results. Microsoft rolled back the problematic server-side Bing update and says reports of failures are decreasing; the company advises ensuring the device is online and that Web Search has not been disabled by Group Policy.
read more →

Amazon Aurora PostgreSQL: Minor Releases 14–17 Update

🛡️ Amazon Aurora PostgreSQL-Compatible Edition now supports PostgreSQL 17.9, 16.13, 15.17, and 14.22, which include community bug fixes and Aurora-specific enhancements. We recommend upgrading to the latest minor versions to address known security vulnerabilities and improve stability. Use automatic minor version upgrades, scheduled maintenance windows, the AWS Organizations Upgrade Rollout Policy, and Aurora's zero-downtime patching to perform phased, low-impact upgrades at scale.
read more →