All news with #patch tag

Amazon RDS Adds Latest CU and GDR Updates for SQL Server

🛡️Amazon Relational Database Service (Amazon RDS) now supports the latest General Distribution Release (GDR) and Cumulative Update packages for Microsoft SQL Server, including SQL Server 2016 SP3+GDR (KB5065226), 2017 CU31+GDR (KB5065225), 2019 CU32+GDR (KB5065222) and 2022 CU21 (KB5065865). These updates address multiple security vulnerabilities tracked as CVE-2025-47997, CVE-2025-55227 and CVE-2024-21907. AWS recommends that customers upgrade their RDS SQL Server instances using the Amazon RDS Management Console, AWS SDKs or the AWS CLI and follow the RDS SQL Server upgrade guidance.

Oracle issues emergency patch for E-Business Suite

🔒 Oracle released an emergency update to address CVE-2025-61884, an information disclosure flaw in the E-Business Suite Runtime UI that affects versions 12.2.3 through 12.2.14. The vulnerability is remotely exploitable without authentication and has been assigned a CVSS base score of 7.5, meaning a successful exploit could expose sensitive resources. Oracle strongly urges customers to apply the out-of-band patch or recommended mitigations immediately, particularly for internet-facing instances.

High-Severity Oracle E-Business Suite Vulnerability Alert

🔒 Oracle issued an alert for CVE-2025-61884, a high-severity (CVSS 7.5) flaw in Oracle E-Business Suite versions 12.2.3 through 12.2.14 that can be exploited remotely over HTTP without authentication. The NIST description warns the defect permits an unauthenticated attacker to compromise Oracle Configurator, potentially exposing or allowing complete access to critical configurable data. Oracle urges administrators to apply the update immediately; it has not reported observed in-the-wild exploitation.

Windows 11 23H2 Home and Pro reach end of support soon

⚠ Microsoft warned that devices running Windows 11 23H2 Home and Pro editions will stop receiving security updates after November 11, 2025. The November 2025 monthly security update will be the final update for those editions. Users should upgrade to Windows 11 24H2 or later to remain protected; note that some PCs may be prevented from upgrading by a safeguard for SenseShield code-obfuscation drivers.

Fortra Confirms Active Exploitation of GoAnywhere Flaw

🔒 Fortra disclosed its investigation into CVE-2025-10035, a deserialization vulnerability in the GoAnywhere License Servlet that has been exploited since September 11, 2025. The vendor issued a hotfix within 24 hours and published patched builds (7.6.3 and 7.8.4) on September 15, saying the risk is limited to admin consoles exposed to the public internet. Microsoft attributes observed exploitation to threat actor Storm-1175, which deployed Medusa ransomware; Fortra recommends restricting internet access to admin consoles, enabling monitoring, and keeping software up to date.

Google: Clop Exfiltrated Data via Oracle E-Business Flaw

🔍 Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

Oracle EBS Zero-Day Exploitation and Extortion Campaign

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.

Reassignment of CISA Staff Raises National Cyber Risks

🔔 The US Department of Homeland Security has reassigned hundreds of cybersecurity personnel from the Cybersecurity and Infrastructure Security Agency to non-cyber roles supporting immigration and border enforcement, reports say. This shift has most impacted CISA’s Capacity Building team, which writes emergency directives and oversees protections for the government’s highest-value assets; refusal to accept new roles reportedly risks termination. Analysts warn that reductions in specialized threat hunting, vulnerability scanning, and coordinated advisories will slow response times and create exploitable gaps. Enterprises are urged to tighten patch cycles, adopt phishing-resistant MFA, review privileges, and rely on sector ISACs and private intel sharing while federal capacity is strained.

Rockwell Automation Lifecycle Services SNMP Overflow

⚠️ Rockwell Automation reports a stack-based buffer overflow in its Lifecycle Services with Cisco offerings related to the Cisco IOS XE SNMP subsystem (CVE-2025-20352). An authenticated remote actor with low privileges can trigger a denial-of-service, and an actor with higher privileges and administrative access may achieve arbitrary code execution as root. A CVSS v4 score of 6.3 and a CVSS v3 score of 7.7 are provided. Rockwell and Cisco publish updates and mitigations; CISA advises minimizing network exposure and applying vendor fixes or recommended workarounds.

Hitachi Energy Asset Suite Log Injection Vulnerability

⚠️A vulnerability in Hitachi Energy Asset Suite (versions 9.7 and prior) permits an authenticated user to manipulate or inject performance log entries (CWE-117). Tracked as CVE-2025-10217, it has a CVSS v3.1 base score of 6.5 and CVSS v4 base score of 6.0; exploitation could enable further malicious actions by corrupting logs. Hitachi Energy recommends disabling performance logging and applying updates when available, while CISA advises network segmentation, firewall protections, and secure remote access to minimize exposure.

Many Users Still on Windows 10 Ahead of End‑of‑Life

⚠️ A significant proportion of users and organisations remain on Windows 10 just days before Microsoft ends support on October 14, meaning no more security or feature updates. Remote-access vendor TeamViewer reports over 40% of endpoints it recently supported still run the OS, while a Which? survey found 26% of UK users do not plan to upgrade and 11% are undecided. Experts warn this creates a cybersecurity and compliance 'cliff edge' that could expose systems to unpatched vulnerabilities and increased attacker activity.

Critical Service Finder Bug Lets Attackers Hijack Sites

🔒 A critical authentication bypass in the Service Finder Bookings plugin (CVE-2025-5947, CVSS 9.8) allows unauthenticated attackers to sign in as any user, including administrators. The root cause is improper cookie validation in the account-switching function service_finder_switch_back(), which enables privilege escalation. Maintainers released Service Finder version 6.1 on July 17, 2025 to address the issue, and exploitation attempts have been observed since August 1, 2025. Administrators should upgrade immediately and audit sites for unauthorized accounts or unexpected changes.

How Cloudflare Found and Fixed a Bug in Go's ARM64 Compiler

🔍 Cloudflare engineers describe discovering a rare race condition in the Go arm64 compiler that caused goroutine stack-unwinding crashes in production. They traced sporadic fatal panics and segfaults to async preemption interrupting a split stack-pointer adjustment, leaving an invalid stack frame. A minimal reproducer showed the assembler could split a large ADD into multiple instructions, creating a one-instruction window where preemption caused unwinder corruption. The issue was fixed upstream in go1.23.12, go1.24.6, and go1.25.0.

Severe Figma MCP Command Injection Enables RCE Remotely

🔒 Cybersecurity researchers disclosed a now-patched command injection vulnerability in the figma-developer-mcp Model Context Protocol server that could allow remote code execution. Tracked as CVE-2025-53967 (CVSS 7.5), the flaw stems from unsanitized user input interpolated into shell commands when a fetch fallback uses child_process.exec to run curl. Imperva reported the issue and maintainers released a fix in figma-developer-mcp v0.6.3; users should update immediately.

Critical 10.0 RCE Flaw in Redis Exposes 60,000 Instances

⚠ The popular Redis in-memory data store received an urgent patch for a critical use-after-free vulnerability tracked as CVE-2025-49844 (RediShell), which can escape the Lua script sandbox and achieve remote code execution on the host. Exploitation requires authentication, but many deployments disable it; researchers estimate roughly 60,000 internet-exposed instances lack authentication. Redis released fixes on Oct. 3 across multiple branches and administrators are urged to patch exposed servers immediately and enable hardening controls.

Critical Redis Flaw 'RediShell' Exposes 60,000 Servers

🚨 Redis has a critical, decade‑old vulnerability identified as CVE-2025-49844 (RediShell) in its embedded Lua scripting engine that can let authenticated users escape the sandbox and execute arbitrary code on the host. Researchers at Wiz report roughly 330,000 Redis instances are exposed online, with about 60,000 lacking authentication. Redis and Wiz disclosed the issue on October 3 and published patches; administrators should apply updates, restrict access, and disable Lua scripting if not required.

DeepMind's CodeMender: AI Agent to Fix Code Vulnerabilities

🔧 Google DeepMind has unveiled CodeMender, an autonomous agent built on Gemini Deep Think models that detects, debugs and patches complex software vulnerabilities. In the last six months it produced and submitted 72 security patches to open-source projects, including codebases up to 4.5 million lines. CodeMender pairs large-model reasoning with advanced program-analysis tooling — static and dynamic analysis, differential testing, fuzzing and SMT solvers — and a multi-agent critique process to validate fixes and avoid regressions. DeepMind says all patches are currently human-reviewed and it plans to expand maintainer outreach, release the tool to developers, and publish technical findings.

Delta DIAScreen Multiple Out-of-Bounds Write Flaws

⚠️ Delta Electronics issued an advisory for DIAScreen addressing four out-of-bounds write vulnerabilities (CWE-787) that can be triggered when a valid user opens a maliciously crafted project file. The issues are tracked as CVE-2025-59297 through CVE-2025-59300 and have CVSS v3.1 base scores of 6.6 and CVSS v4 base scores of 6.8. Delta released v1.6.1 to remediate the flaws; administrators should apply the update and follow CISA guidance on social-engineering protections and ICS defensive best practices.

NCSC Urges Patch for Critical Oracle E-Business Bug

🔔 The UK's National Cyber Security Centre has urged Oracle E-Business Suite customers to apply an emergency update for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in the BI Publisher Integration component affecting EBS 12.2.3–12.2.14. Security firm Mandiant reports the Clop ransomware group exploited the bug as a zero-day in August, and the exploit has since been leaked, raising the risk of wider attacks. The NCSC and Rapid7 recommend immediate compromise assessments using Oracle's IoCs, contacting Oracle PSIRT and the NCSC if compromise is suspected, installing the latest EBS update (with the October 2023 CPU applied first), and reducing internet exposure of EBS instances.

Unity runtime vulnerability forces game updates worldwide

⚠ A critical vulnerability in the Unity Runtime, introduced in engine version 2017.01, can allow attackers to pass crafted startup parameters that cause games to load arbitrary native libraries on Windows, macOS, Linux and Android. Exploitation may execute malicious code or expose device data, and the risk depends on game and OS settings. Vendors Valve and Microsoft advise blocking or removing affected titles while Unity urges developers to update, recompile and republish builds; Unity also provides an application patcher for unmaintained games.