All news with #patch tag

Microsoft issues emergency WSUS patch for critical RCE

⚠️ Microsoft released an out-of-band security update to address a critical WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). The flaw stems from unsafe deserialization of AuthorizationCookie objects at the GetCookie() endpoint, where AES-128-CBC-encrypted cookie payloads are decrypted and deserialized via BinaryFormatter without type validation, enabling SYSTEM-level code execution on servers running the WSUS role. Microsoft published updates for supported Windows Server releases and recommends installing the patch and rebooting; short-term mitigations include disabling the WSUS role or blocking TCP ports 8530 and 8531.

Critical WSUS RCE Flaw in Windows Server Exploited Now

⚠️Microsoft confirmed attackers are exploiting a critical Windows Server Update Service vulnerability tracked as CVE-2025-59287, a remote code execution flaw that affects servers running the WSUS Server role when configured as an update source for other WSUS servers. The bug can be abused remotely with low complexity and no user interaction to run code as SYSTEM, raising wormable concerns. Microsoft released out-of-band patches for all affected Windows Server versions and advised immediate installation or temporary disabling of the WSUS Server role; public proof-of-concept code and active scanning have been observed in the wild.

Microsoft Releases Out-of-Band WSUS Patch for CVE-2025-59287

⚠ Microsoft released an out-of-band security update (October 23, 2025) to remediate a critical Windows Server Update Service (WSUS) remote code execution vulnerability, CVE-2025-59287, after a prior fix proved incomplete. The flaw affects WSUS on Windows Server 2012, 2016, 2019, 2022, and 2025 and could allow an unauthenticated actor to execute code with SYSTEM privileges. CISA urges organizations to identify affected WSUS servers, apply the update and reboot, or temporarily disable the WSUS Server Role or block inbound TCP ports 8530/8531 as mitigations until the patch is installed.

Microsoft issues emergency WSUS updates for critical RCE

⚠️ Microsoft has released out-of-band security updates to remediate a critical WSUS vulnerability tracked as CVE-2025-59287. The flaw affects only Windows servers with the WSUS Server Role enabled and allows remote, unauthenticated attackers to execute code as SYSTEM in low-complexity attacks without user interaction. Microsoft published cumulative KB updates for all affected Server builds and requires a reboot; administrators who cannot patch immediately are advised to disable the WSUS role or block TCP ports 8530/8531 as temporary mitigations.

HP Pulls Update That Broke Entra ID Auth on AI PCs

⚠️ HP has pulled an over-the-air update to HP OneAgent for Windows 11 after a cleanup script removed Microsoft certificates required for some organizations to authenticate to Microsoft Entra ID. The silent update deployed on HP AI PCs ran package SP161710 and an install.cmd that deleted any certificate containing the substring "1E", producing false positives. Affected devices disconnected from Entra ID/Intune; HP says the update is no longer available and is assisting impacted customers.

Microsoft Disables Explorer Preview for Internet Files

🔒 Microsoft has updated File Explorer to disable the preview pane by default for files downloaded from the Internet or marked with the Mark of the Web. The change, included in Windows security updates released on and after October 14, 2025, is designed to block exploits that can leak NTLM hashes when previewed documents reference external resources. When preview is blocked, File Explorer shows a warning and users can manually unblock trusted files via Properties > Unblock or add the location to Trusted sites/Local intranet; a sign-out may be required for the change to take effect.

Delta ASDA-Soft Stack Overflow Vulnerabilities (2025)

⚠️ Delta Electronics' ASDA-Soft contains two stack-based buffer overflow vulnerabilities (CVE-2025-62579, CVE-2025-62580) affecting versions 7.0.2.0 and earlier. Both issues were assigned a CVSS v4 base score of 8.4 and can allow writing outside the intended stack buffer when a valid user opens a crafted project file. Exploitation requires local access and user interaction; no public exploitation has been reported to CISA. Delta has released ASDA-Soft v7.1.1.0 and users should update and apply network isolation and standard email/attachment precautions.

Veeder-Root TLS4B: Remote Command Injection and 2038 Bug

🔒 Veeder-Root's TLS4B Automatic Tank Gauge System contains two serious vulnerabilities: a SOAP-based command injection (CVE-2025-58428) that allows remote authenticated attackers to execute system-level commands, and an integer overflow/2038 time wraparound (CVE-2025-55067) that can disrupt authentication and core functions. The command injection carries very high severity (CVSS v3.1 9.9 / CVSS v4 9.4); Veeder-Root recommends upgrading to Version 11.A. For the time-related overflow, Veeder-Root is developing a patch and advises applying network-security best practices, isolating devices, and restricting access until a fix is available.

Critical and High Flaws Found in TP-Link VPN Routers

🔒 Researchers at Forescout’s Vedere Labs have disclosed two vulnerabilities in TP-Link Omada and Festa VPN routers that enable command injection and potential unauthorized root access. The flaws are tracked as CVE-2025-7850 (critical, CVSS v4.0 9.3) and CVE-2025-7851 (high, CVSS v4.0 8.7) and stem from an incomplete 2024 fix that left debug functionality and alternate attack paths. TP-Link has published firmware updates; Vedere Labs urges immediate patching and additional mitigations including WAFs, disabling remote admin, and improved monitoring.

CISA: Critical Lanscope Endpoint Manager Flaw Exploited

⚠️ CISA has added a critical defect in Motex LANSCOPE Endpoint Manager to its Known Exploited Vulnerabilities catalog after observing active exploitation. Tracked as CVE-2025-61932 (CVSS v4: 9.3), the flaw affects on-premises Client program and Detection Agent components and allows arbitrary code execution via specially crafted packets. Motex released patches for multiple 9.3/9.4 builds, and federal agencies are advised to remediate by November 12, 2025.

Critical TAR parsing bug found in popular Rust libraries

🛡️ Researchers at Edera disclosed a critical boundary-parsing flaw called TARmageddon (CVE-2025-62518) in the async-tar family and many forks, including the widely used tokio-tar. The desynchronization bug can smuggle extra archive entries during nested TAR extraction, enabling file overwrites that may lead to Remote Code Execution or supply-chain compromise. Administrators should patch affected forks, consider migrating to the patched astral-tokio-tar ≥0.5.6, and scan Rust-built applications for exposure.

Active Exploitation of SessionReaper Flaw in Adobe Magento

⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.

TARmageddon: Abandoned Rust tar library enables RCE

🚨 A high-severity logic flaw in the abandoned async-tar Rust library and its forks allows unauthenticated attackers to inject archive entries and achieve remote code execution when nested TARs with mismatched ustar and PAX headers are processed. Edera, which named the issue TARmageddon and tracked it as CVE-2025-62518, explains the parser can jump into file content and mistake it for headers, enabling extraction of attacker-supplied files. The bug also affects the widely used but abandoned tokio-tar fork (7M+ downloads), while several active forks have already been patched. Developers are advised to upgrade to patched forks such as astral-tokio-tar or remove the vulnerable dependency immediately.

TARmageddon: High-Severity Flaw in async-tar Rust ecosystem

⚠️Researchers disclosed a high-severity vulnerability (CVE-2025-62518, CVSS 8.1) in the async-tar Rust library and forks such as tokio-tar that can enable remote code execution via file-overwrite attacks when processing nested TAR archives. Edera, which found the issue in late August 2025, attributes the problem to inconsistent PAX/ustar header handling that allows attackers to 'smuggle' additional entries by exploiting size overrides. Because tokio-tar appears unmaintained, users are advised to migrate to astral-tokio-tar v0.5.6, which patches the boundary-parsing vulnerability affecting projects like testcontainers and wasmCloud.

NTLM/LDAP Authentication Bypass (CVE-2025-54918) Analysis

🔍 This analysis examines CVE-2025-54918, a critical NTLM/LDAP authentication bypass that enables privilege escalation from a standard domain user to SYSTEM on Domain Controllers. The vulnerability chains coercion (PrinterBug-style) with NTLM relay and packet manipulation to evade channel binding and LDAP signing. The post outlines the attack flow, detection indicators such as empty usernames and LOCAL_CALL flags, and mitigations using CrowdStrike Falcon capabilities.

TP-Link fixes four critical Omada Gateway vulnerabilities

🔒 TP-Link has published firmware updates to address four security flaws in its Omada gateway devices, including two critical command injection vulnerabilities that could allow arbitrary command execution on the device OS. The issues are tracked as CVE-2025-6541, CVE-2025-6542, CVE-2025-7850 and CVE-2025-7851, affecting multiple ER, FR and G-series models. Users are urged to install the patched builds promptly and verify device configurations after upgrading.

TP-Link Omada Gateways Vulnerable to Critical RCE Flaw

⚠️ TP-Link has disclosed two command injection vulnerabilities affecting Omada gateway devices that allow execution of arbitrary OS commands. One issue, CVE-2025-6542 (CVSS 9.3), can be exploited remotely without authentication; the other, CVE-2025-6541 (CVSS 8.6), requires access to the web management interface. Thirteen models are listed as impacted and TP-Link has released firmware updates to address the flaws; administrators are urged to apply patches and verify configurations after upgrading.

CISA Confirms Exploitation of Oracle E-Business SSRF Flaw

🔒 CISA has confirmed active exploitation of CVE-2025-61884, an unauthenticated SSRF in the Oracle Configurator runtime, and added it to its Known Exploited Vulnerabilities catalog. Federal agencies are required to patch the issue by November 10, 2025. Oracle released a fix on October 11 rated 7.5 and BleepingComputer says the update blocks a leaked exploit tied to ShinyHunters and related extortion activity.

Updates enforce SID checks, causing Windows login failures

🔒 Microsoft confirmed that Windows updates released on and after August 29, 2025 enforce additional SID checks that can break Kerberos and NTLM authentication on devices with duplicate Security Identifiers (SIDs). Affected systems — including Windows 11 24H2, Windows 11 25H2, and Windows Server 2025 — may experience failed Remote Desktop sessions, SEC_E_NO_CREDENTIALS event errors, and "access denied" messages. The fault commonly arises when images are duplicated without using Sysprep. Microsoft recommends rebuilding impacted machines with supported imaging procedures or obtaining a temporary Group Policy from Support as an interim measure.

Microsoft October 2025 Patch Causes Enterprise Failures

🚨 The October 2025 Windows security update KB5066835, intended to move cryptography from CSP to KSP, is causing widespread enterprise disruption. Affected platforms — including Windows 10 (22H2), Windows 11 (23H2–25H2) and several Windows Server releases — report smartcard and certificate failures, USB mouse/keyboard loss in WinRE, IIS ERR_CONNECTION_RESET and WUSA installation errors. Microsoft published a registry workaround (DisableCapiOverrideForRSA=0) and an out‑of‑band update (KB5070773) for some issues, but urges caution and recommends thorough testing before broad deployment.