CISO Brief

All news with #patch release tag

314 articles · page 9 of 16

Critical Veeam Backup & Replication Flaws Require Patch

🔒 Veeam has released a patch addressing four vulnerabilities in Backup & Replication v13 that let users with Backup Admin, Backup Operator, or Tape Operator roles exceed intended privileges. The most severe, CVE-2025-59470 (CVSS 9.0), can enable remote code execution as the Postgres user; others permit file writes as root or RCE via malicious configuration files. Veeam recommends immediate installation of version 13.0.1.1071; the vendor says core backup data remains immutable and intact.

Critical jsPDF flaw exposes local files in generated PDFs

⚠ The jsPDF library contains a critical local file inclusion and path traversal vulnerability (CVE-2025-68428) that can embed sensitive files from the local filesystem into generated PDFs when user-controlled input is passed to file-loading APIs. The issue affects Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) and functions such as loadFile, addImage, html, and addFont. The bug was addressed in jsPDF 4.0.0 by restricting filesystem access by default; maintainers recommend upgrading, sanitizing input paths, and using modern Node.js permission modes.

Critical RCE in n8n Enables Full Local Deployment Takeover

⚠️ Researchers at Cyera disclosed a critical vulnerability in n8n (CVE-2026-21858) that allows unauthenticated attackers to read arbitrary local files via content-type parsing confusion and then recreate session cookies to assume any user’s identity. Exploitation can yield administrator privileges and remote code execution through the Execute Command node. The bug was patched in version 1.121.0 on Nov. 18; administrators should update immediately.

New Veeam Backup & Replication RCE Vulnerabilities Exposed

⚠️ Veeam released security updates for Backup & Replication to fix multiple vulnerabilities, including a remote code execution bug tracked as CVE-2025-59470. The flaw affects version 13.0.1.180 and earlier 13 builds and can allow users with Backup or Tape Operator roles to execute code as the postgres user. On January 6 Veeam published 13.0.1.1071 to patch CVE-2025-59470 together with a high-severity issue (CVE-2025-55125) and a medium-severity issue (CVE-2025-59468). Administrators are advised to apply the updates and follow Veeam's security guidelines to limit exposure of privileged roles.

n8n warns of CVE-2026-21877: CVSS 10.0 RCE in service

🔒 n8n has warned of a maximum-severity remote code execution flaw, CVE-2026-21877, rated 10.0 under CVSS. Under certain conditions an authenticated user may cause untrusted code to be executed by the service, potentially allowing full compromise of affected instances. Both self-hosted and n8n Cloud deployments running versions >= 0.123.0 and < 1.121.3 are impacted; the issue is fixed in 1.121.3 (released November 2025). Administrators should upgrade immediately or, if that is not possible, disable the Git node and restrict access for untrusted users.

Veeam patches critical RCE in Backup & Replication 13

🔒 Veeam has released security updates for Veeam Backup & Replication to address a critical remote code execution flaw tracked as CVE-2025-59470 (CVSS 9.0) that could allow a Backup or Tape Operator to run code as the postgres user via a crafted interval or order parameter. The vendor also fixed three additional vulnerabilities that permit escalation to root or file writes by privileged backup roles. All 13.x builds up to 13.0.1.180 are affected and the fixes are included in 13.0.1.1071; customers are advised to apply updates and follow role-hardening guidance promptly.

Trust Wallet Chrome Extension Exploit Drains $7M, Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.

Critical LangChain Core Vulnerability Allows Secret Theft

⚠️ A critical serialization injection flaw in LangChain Core (CVE-2025-68664, CVSS 9.3) can let attackers inject object structures via unescaped 'lc' keys and steal secrets or influence LLM outputs through prompt injection. Reported by Yarden Porat on December 4, 2025 and dubbed LangGrinch, the bug affects dumps()/dumpd() and improper deserialization paths. LangChain released patches that add an allowed_objects allowlist, disable Jinja2 templates by default, and set secrets_from_env to false; users should upgrade immediately.

MongoDB warns admins to patch critical RCE bug immediately

🔔 MongoDB warned IT administrators to immediately apply fixes for a high-severity remote code execution vulnerability tracked as CVE-2025-14847. The flaw is caused by improper handling of a zlib compressed protocol header length, enabling unauthenticated attackers to execute arbitrary code in low-complexity attacks. MongoDB lists numerous affected releases and recommends upgrading to fixed versions such as 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. If an immediate upgrade is not possible, administrators should disable zlib compression by starting mongod or mongos with networkMessageCompressors or net.compression.compressors options that omit zlib.

MongoDB urges immediate patch for high-severity zlib flaw

⚠️ MongoDB warns administrators to immediately patch a high-severity memory-read vulnerability (CVE-2025-14847) in the Server's zlib implementation that may return uninitialized heap memory to unauthenticated remote actors. The issue can be exploited in low-complexity, no-interaction attacks. MongoDB strongly recommends upgrading to a fixed release right away; if you cannot, disable zlib compression by omitting it from networkMessageCompressors or net.compression.compressors when starting mongod or mongos.

Microsoft Finally Deprecates RC4 in Windows After 26 Years

🔒 Microsoft is deprecating the legacy RC4 cipher in Windows, ending a 26-year presence that left servers accepting RC4-based authentication responses by default. The company cited RC4’s vulnerability to Kerberoasting, an attack class linked to last year’s breach at Ascension that disrupted hospital operations and exposed millions of medical records. Security and regulatory scrutiny, including calls from Senator Ron Wyden, helped force the change.

WatchGuard fixes critical zero-day in Firebox appliances

🛡️ WatchGuard has released emergency patches for a critical zero-day (CVE-2025-14733) in its Firebox appliances that allows remote, unauthenticated attackers to execute arbitrary code via the iked process handling IKEv2. The flaw, rated 9.3 CVSS, was exploited in the wild before a December 18 patch, making it a confirmed zero-day. Administrators should urgently check appliances for indicators of compromise, apply the fixed Fireware OS versions, and rotate any locally stored secrets if compromise is confirmed.

UEFI Flaw Enables Pre-boot DMA Attacks on Motherboards

🔒 Researchers disclosed a UEFI firmware flaw affecting some ASUS, Gigabyte, MSI, and ASRock motherboards that can falsely report DMA protections as active even when the IOMMU has not initialized, enabling pre-boot DMA attacks. The issue, tracked under multiple CVEs, allows an attacker with physical access to use a malicious PCIe device to read or modify system memory before the operating system loads and before any security tooling is running to detect it. Vendors have published advisories and firmware updates; users should verify whether their models are affected, back up important data, and apply vendor patches promptly.

WatchGuard fixes critical Fireware IKEv2 exploit in the wild

🔒 WatchGuard has released updates to remediate a critical vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS that enables remote unauthenticated code execution via an out-of-bounds write in the iked process. The flaw impacts IKEv2 mobile user VPNs and branch office VPNs configured with dynamic gateway peers, and the vendor reports observed exploitation attempts in the wild. WatchGuard published fixed releases, IoCs, and temporary mitigations; administrators should apply updates immediately.

Windows 10 OOB Update Resolves Message Queuing Errors

🔧 Microsoft released an out-of-band update (KB5074976) via the Update Catalog to address issues introduced by the December 9, 2025 Windows 10 security update that broke Message Queuing (MSMQ). Affected systems may see inactive queues, resource errors, and failures writing to queues, particularly in clustered or high-load enterprise environments. The OOB is not distributed via Windows Update or WSUS; only devices enrolled for Windows 10 ESU should install it if impacted.

Amazon Aurora Adds Support for PostgreSQL 13–17 Updates

🚀 Amazon Aurora PostgreSQL-Compatible Edition now supports PostgreSQL community releases 17.7, 16.11, 15.15, 14.20, and 13.23. The update combines upstream community bug fixes and product improvements with Aurora-specific optimizations, including faster Blue/Green deployment switchovers and enhancements to Query Plan Management (QPM). These engine versions are available in all commercial AWS Regions and AWS GovCloud (US), and can be deployed or used to upgrade existing clusters via the Amazon RDS console.

HPE OneView Critical RCE Flaw Rated CVSS 10.0, Patch

🚨 HPE has released patches for a critical remote code execution vulnerability in OneView Software, tracked as CVE-2025-37164 with a CVSS score of 10.0. The flaw affects all versions prior to 11.00; HPE published version 11.00 and hotfixes for 5.20–10.20 to mitigate it. Administrators should apply the update or hotfix promptly; certain hotfixes must be reapplied after specific upgrades or Synergy Composer reimaging.

Critical AXIS Camera Station and Device Manager Flaws

⚠️ CISA warns of critical vulnerabilities in AXIS Camera Station products, including AXIS Camera Station Pro and AXIS Device Manager. Successful exploitation could allow remote code execution, authentication bypass, man-in-the-middle attacks, or local privilege escalation; CVEs include CVE-2025-30023, -30024, -30025, and -30026 (maximum CVSS v3 base score 9.0). Vendor-identified affected releases are older than Pro 6.9, Camera Station 5.58, and Device Manager 5.32; upgrades to these versions or later are the recommended fixes and administrators should minimize network exposure.

ICONICS/Mitsubishi Electric Keypad Code Execution Bug

⚠️ CISA reports CVE-2025-11774, a high-severity vulnerability in the software 'keypad' function of ICONICS Suite, GENESIS64, MobileHMI, and MC Works64. An attacker who tampers with the keypad configuration file can trigger execution of arbitrary EXE files when a legitimate user uses the keypad, enabling information disclosure, tampering, deletion, or denial of service. The issue carries a CVSS v3.1 base score of 8.2 (CWE-78). Upgrade affected ICONICS products to GENESIS64 v10.97.3 or V11; MC Works64 users should migrate per vendor guidance.