All news with #patch tag

Broadcom Patches VMware NSX and vCenter Vulnerabilities

🔒 Broadcom has released security updates for VMware vCenter and NSX addressing multiple high-severity vulnerabilities, including CVE-2025-41250, CVE-2025-41251 and CVE-2025-41252. The most serious, an SMTP header injection in vCenter (CVSSv3 8.5), allows non-administrative users to tamper with scheduled email notifications and has no available workaround. Two NSX flaws permit unauthenticated username enumeration, which can facilitate brute-force or credential-stuffing attacks. Administrators are urged to apply the fixed versions immediately.

Phishing and Patching: Cyber Basics Still Critical

🔐 Fortinet’s 2025 Global Threat Landscape Report underscores that two fundamentals — protecting against phishing and keeping software up to date — remain the most effective defenses. Attackers are scaling campaigns with automation and generative AI to produce more convincing messages, and they combine email, SMS, and voice techniques to raise success rates. Organizations should strengthen employee training, deploy MFA, and adopt centralized or automated patch management to reduce exposure and limit lateral movement.

OneLogin API Bug Exposed OIDC Client Secrets in 2025

🔒Clutch Security disclosed a high-severity flaw in the One Identity OneLogin IAM platform that could leak OpenID Connect (OIDC) application client_secret values when queried with valid API credentials. The issue, tracked as CVE-2025-59363 with a CVSS score of 7.7, stemmed from the /api/2/apps endpoint returning secrets alongside app metadata. OneLogin remedied the behavior in OneLogin 2025.3.0 after responsible disclosure; administrators should apply the update, rotate exposed API and OIDC credentials, tighten RBAC scopes, and enable network-level protections such as IP allowlisting where available.

TOTOLINK X6000R Router: Multiple Firmware Vulnerabilities

⚠️ TOTOLINK X6000R routers running firmware V9.4.0cu.1360_B20241207 contain three vulnerabilities that enable argument injection, unauthenticated command execution, and sanitization bypasses leading to file corruption or persistent denial-of-service. The most severe, CVE-2025-52906, is an unauthenticated command injection rated Critical (CVSS 9.3). TOTOLINK has released updated firmware and users should apply the patch immediately while defenders use device visibility and threat prevention to detect exploitation.

CISOs Urged to Rethink Vulnerability Management amid Surge

⚠️ Enterprises face an unprecedented surge in disclosed vulnerabilities — over 20,000 in H1 2025 — with roughly 35% (6,992) accompanied by public exploit code, according to Flashpoint. Security leaders are urged to adopt risk-based patching and intelligence-led remediation that prioritizes remotely exploitable and actively exploited flaws while factoring in business context. Relying solely on CVE and the NVD is increasingly impractical due to enrichment delays; experts recommend integrating threat context, exposure management, and CTEM-style operations to concentrate limited resources on what truly matters.

VMware flaws allow username enumeration, patches released

🛡️ Three important vulnerabilities were disclosed in VMware products, including two in NSX that allow unauthenticated username enumeration and one in vCenter that permits SMTP header manipulation by authenticated non‑admin users with scheduled task privileges. The U.S. National Security Agency discovered two of the issues and all three are rated Important. VMware has released patches to address the flaws. Organizations are urged to apply updates immediately, avoid exposing vCenter to the internet, enforce multi‑factor authentication, change default credentials, and deploy layered protections such as web application firewalls and brute‑force detection controls.

Critical WD My Cloud Bug Allows Remote Command Injection

🔒 Western Digital issued firmware 5.31.108 to fix a critical OS command injection (CVE-2025-30247) in the My Cloud web UI that allows remote execution via crafted HTTP POST requests. The update addresses multiple consumer and small-business NAS models, though My Cloud DL2100 and DL4100 have reached end of support and may not receive fixes. WD urges immediate patching; affected owners should apply the firmware or disconnect devices from the internet until updated.

Microsoft Partially Resolves DRM Video Playback Issue

🔧 Microsoft says it has partially resolved an issue that caused DRM-protected video playback failures on Windows 11 24H2 systems after the August preview update (KB5064081) or later. Affected applications using Enhanced Video Renderer with HDCP enforcement or DRM for digital audio experienced freezes, black screens, and copyright protection errors. The September preview update KB5065789 contains fixes, though Microsoft warns some audio DRM problems may continue for certain applications.

Windows 11 KB5065789: 41 fixes and new AI actions now

🛠 Microsoft released the optional preview cumulative update KB5065789 for Windows 11 24H2 (build 26100.6725), delivering 41 non-security changes and fixes. Highlights include new AI actions in File Explorer, an updated Click to Do menu, an Administrator Protection Preview, and passkey plugin integration. The update addresses high CPU usage in Windows Sandbox (VmmemCMFirstBoot), WSUS-related update failures, Windows Hello 0x80090010 errors on Entra ID–joined devices, HDR and Hyper-V TPM issues, and gaming performance with overlays. Microsoft lists a known DRM-related playback issue; install via Settings > Windows Update or the Microsoft Update Catalog.

NI Circuit Design Suite Vulnerabilities — Patches Available

⚠️ CISA reports high-severity vulnerabilities in National Instruments' Circuit Design Suite that could cause memory corruption, information disclosure, or enable arbitrary code execution. Two flaws—a type confusion (CVE-2025-6033) and an out-of-bounds read (CVE-2025-6034)—affect versions 14.3.1 and earlier and carry CVSS v4 base scores of 8.4. Both issues require local access but have low attack complexity. National Instruments has released version 14.3.2 and CISA advises updating and reducing network exposure for control-system devices.

CISA Publishes Ten New ICS Advisories — Sept 30, 2025

🔔 On September 30, 2025, CISA released ten Industrial Control Systems advisories summarizing current security issues, vulnerabilities, and known exploits affecting a range of ICS products. The advisories cover MegaSys Enterprises, multiple Festo devices, OpenPLC_V3, National Instruments Circuit Design Suite, LG Innotek cameras, and updates for Keysight Ixia, HEIDENHAIN, and Rockwell Automation. Administrators are urged to review the technical details and apply recommended mitigations promptly to reduce operational risk.

Festo CECC Controller Firmware Vulnerabilities and Fixes

⚠️ Festo firmware for Controller CECC-S, -LK, and -D families contains multiple vulnerabilities (aggregate CVSS up to 9.8) in the integrated CODESYS V3 runtime and related components. Affected releases include R05 (2.3.8.0) and R06 (2.3.8.1); Festo advises updating affected units to firmware 2.4.2.0 where fixes are provided. Exploitable issues may enable remote code execution, denial-of-service, privilege escalation, or unauthorized access. CISA recommends isolating control networks, restricting remote exposure, and applying vendor guidance and mitigations while performing appropriate risk analysis.

OpenPLC_V3 Denial-of-Service Vulnerability (CVE-2025-54811)

⚠️ CISA published an advisory for OpenPLC_V3 describing a denial-of-service vulnerability (CVE-2025-54811) caused by a missing return in the enipThread function that can trigger an illegal instruction and crash the PLC runtime. The flaw affects versions prior to pull request #292 and can stop PLCs under certain conditions. A patch is available in PR #292; administrators should update and isolate affected devices.

MegaSys Telenium Online: Critical OS Command Injection

⚠ The MegaSys Enterprises Telenium Online Web Application contains a critical OS command injection vulnerability (CVE-2025-10659) that allows unauthenticated remote attackers to inject arbitrary operating system commands via crafted HTTP requests. CISA reports a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, indicating high potential for remote code execution. MegaSys has published a fix; administrators should apply updates promptly and follow CISA mitigation guidance to reduce internet exposure and isolate control systems.

China-linked UNC5174 exploiting VMware Tools zero-day

⚠️ NVISO Labs says China-linked UNC5174 has been exploiting a newly patched local privilege escalation bug, CVE-2025-41244, in Broadcom VMware Tools and VMware Aria Operations since mid-October 2024. The vulnerability (CVSS 7.8) stems from a vulnerable get_version() regex that can match non-system binaries in writable directories (for example, /tmp/httpd) and cause metrics collection to execute them with elevated privileges. VMware and Broadcom have released fixes and mitigations; affected organizations should apply vendor patches and follow VMware's guidance, and Linux distributions will receive patched open-vm-tools packages from vendors.

Security Hardening Essentials for Resource-Constrained SMBs

🔒 Security hardening boosts protection for organizations, especially SMBs, by reducing their attack surface without large additional investments. Key measures include strong authentication and authorization—enforcing strict passwords, multifactor authentication, least-privilege access and network access controls—alongside timely patching, data encryption and segmented, tested backups. Regular staff training, account audits and permission reviews complete a practical, low-cost defense posture.

Amazon RDS for PostgreSQL Extended Support Updates

🔒 Amazon RDS for PostgreSQL now provides Extended Support minor versions 12.22-rds.20250814 and 11.22-rds.20250814, delivering critical security patches and bug fixes for affected instances. We recommend upgrading RDS instances to these releases to maintain security and performance. Extended Support offers up to three years of additional fixes after community support ends. Use automatic minor upgrades or RDS Blue/Green deployments to apply updates during maintenance windows.

Six Ways to Curb Security Tool Proliferation in Organizations

🛡️ Organizations facing security-tool sprawl should begin by inventorying controls and eliminating those that no longer map to business risk. Use automated analytics and dashboards to surface ineffective or redundant products, and prioritize tools that enable automation to consolidate alerts and workflows. Remove duplicate solutions—often introduced through acquisitions or silos—and move toward unified platforms while fostering continuous training so teams actually use and benefit from deployed tools.

September 2025 Zero-Day Exploits Impact Cisco ASA/FTD

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

Microsoft issues final Windows 10 22H2 preview update

🔧 Microsoft released the final non-security preview update for Windows 10 22H2 (KB5066198), delivering fixes for the out-of-box experience and SMBv1 connectivity over NetBIOS over TCP/IP (NetBT). This optional cumulative update lets administrators test improvements before they roll into the next month’s Patch Tuesday and raises systems to build 19045.6396. KB5066198 also resolves an Autopilot Enrollment Status Page (ESP) OOBE loading issue and includes prior fixes for unexpected UAC prompts and NDI streaming performance regressions. Install via Windows Update by choosing 'Download and install' for optional updates or obtain the package from the Microsoft Update Catalog.