All news with #patch tag

Microsoft: September Windows Updates Break SMBv1 Shares

⚠️Microsoft confirmed that the September 2025 Windows security updates can break connections to SMBv1 shares when NetBIOS over TCP/IP (NetBT) is used. The issue affects client releases (Windows 11 24H2/23H2/22H2, Windows 10 22H2/21H2) and server releases (Windows Server 2025, 2022) and may occur if either the SMB client or server has the update. As a temporary workaround, administrators are advised to allow SMB traffic on TCP port 445 so Windows can switch from NetBT to TCP. Microsoft is investigating and developing a fix.

Weekly Recap: Bootkit Malware, AI Attacks, Supply Chain

⚡ This weekly recap synthesizes critical cyber events and trends, highlighting a new bootkit, AI-enhanced attack tooling, and persistent supply-chain intrusions. HybridPetya samples demonstrate techniques to bypass UEFI Secure Boot, enabling bootkit persistence that can evade AV and survive OS reinstalls. The briefing also covers vendor emergency patches, novel Android RATs, fileless frameworks, and practical patch priorities for defenders.

Samsung image library flaw enables zero-click RCE exploit

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library, libimagecodec.quram.so, supplied by Quramsoft that affects devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector and the flaw can operate as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.

Samsung fixes libimagecodec zero-day CVE-2025-21043

⚠️ Samsung released its monthly Android security update addressing a critical zero-day, CVE-2025-21043, a high-severity (CVSS 8.8) out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft and the patch corrects an incorrect implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.

HybridPetya Bootkit Bypasses Secure Boot on UEFI Systems

🔒 ESET researchers identified HybridPetya, a new ransomware strain that blends Petya-style MFT encryption with a UEFI bootkit that can bypass Secure Boot by abusing a patched flaw (CVE-2024-7344) in the Howyar Reloader EFI component. The malware installs a malicious EFI application, uses a three-state flag to track encryption and ransom status, displays a fake CHKDSK screen, and demands $1,000 in Bitcoin. Select variants load a cloak.dat payload into reloader.efi to evade integrity checks; Microsoft revoked the vulnerable binary via dbx updates. ESET found no evidence of widespread active abuse but warned Secure Boot bypasses are increasingly common and urged prompt patching and boot integrity monitoring.

Akira Ransomware Reuses Critical SonicWall SSLVPN Bug

🔒 The Akira ransomware gang is actively exploiting CVE-2024-40766 to target unpatched SonicWall SSL VPN endpoints and gain unauthorized network access. SonicWall released a patch in August 2024 and warned that exposed credentials could allow attackers to configure MFA or TOTP and bypass protections. Administrators should apply the vendor update, rotate local SSLVPN passwords, enforce MFA, mitigate Default Group risks, and restrict Virtual Office Portal access.

VMScape: Spectre-like VM-to-host data leak on CPUs

🔓 Researchers at ETH Zurich disclosed VMScape, a Spectre-like speculative-execution attack that lets a malicious VM extract secrets from an unmodified QEMU hypervisor running on many modern AMD and some Intel CPUs. The exploit abuses shared branch-prediction structures and a FLUSH+RELOAD side channel to induce speculative disclosure. It works without host compromise and bypasses default mitigations; vendors and Linux developers released advisories and kernel patches to mitigate the issue.

Schneider Electric Modicon M340: Files Accessible Issue

🔒 Schneider Electric disclosed a Files or Directories Accessible to External Parties vulnerability affecting Modicon M340 devices and the BMXNOE0100/BMXNOE0110 Ethernet modules that could allow remote actors to remove files, block firmware updates, and disrupt the device webserver. The issue is tracked as CVE-2024-5056 with a CVSS v4 base score of 6.9. Schneider released firmware fixes for BMXNOE0100 (SV3.60) and BMXNOE0110 (SV6.80) and recommends immediate mitigations including network segmentation, disabling FTP when not required, and configuring Access Control Lists per the device manual. CISA also advises isolating control networks, minimizing internet exposure, and using VPNs for remote access.

Siemens IEM-OS DoS Vulnerability (CVE-2025-48976) Advisory

⚠️ Siemens Industrial Edge Management OS (IEM-OS) contains an allocation-of-resources vulnerability in Apache Commons FileUpload that can be triggered remotely to cause a denial-of-service condition. The issue is tracked as CVE-2025-48976 with a CVSS v4 base score of 8.7 and a CVSS v3.1 vector indicating an availability-only impact. Siemens reports all IEM-OS versions affected and recommends migrating to IEM-V, limiting access to trusted systems, and following Siemens' operational security guidance. CISA reiterates minimizing network exposure, using network segmentation and firewalls, and employing secure remote access methods.

Siemens SINAMICS Drives Privilege Management Vulnerability

🔒 Siemens SINAMICS drive firmware contains an Improper Privilege Management vulnerability (CVE-2025-40594) that can allow local network users to escalate privileges and perform a factory reset without required rights. A CVSS v3.1 base score of 6.3 and a CVSS v4 base score of 6.9 were calculated. Siemens provides updates for S210 and G220 (V6.4 HF2); S200 V6.4 currently has no fix. CISA and Siemens recommend minimizing network exposure, isolating control networks, and using secure remote access methods.

Siemens UMC: Remote Code Execution and Denial-of-Service

🔐 Siemens has disclosed multiple vulnerabilities in the integrated User Management Component (UMC) that could allow unauthenticated remote attackers to execute arbitrary code or cause denial-of-service. A stack-based buffer overflow (CVE-2025-40795) and several out-of-bounds read issues (CVE-2025-40796–40798) are reported, with CVSS v4 scores up to 9.3. Siemens recommends updating UMC to V2.15.1.3 or later and, where feasible, blocking TCP ports 4002 and 4004; Siemens notes no fixes are planned for SIMATIC PCS neo V4.1 and V5.0.

CISA Issues Eleven Industrial Control Systems Advisories

🔔 CISA released eleven Industrial Control Systems (ICS) advisories on September 11, 2025, offering timely technical details about vulnerabilities, exploits, and mitigations. The advisories span multiple vendors and product families, including Siemens (SIMOTION Tools, SIMATIC SIVaaS, SINAMICS, SINEC OS, Industrial Edge, UMC, Apogee PXC/Talon TC), Schneider Electric (EcoStruxure, Modicon M340 variants), and Daikin (Security Gateway). Administrators and asset owners are urged to review the advisories, apply vendor patches or recommended mitigations, and strengthen segmentation and monitoring to reduce operational risk.

Schneider Electric EcoStruxure Vulnerabilities and Fixes

⚠️ CISA published an advisory on two vulnerabilities in Schneider Electric EcoStruxure products that could enable a denial-of-service condition and the exposure of sensitive credentials. The issues are tracked as CVE-2025-8449 (uncontrolled resource consumption) and CVE-2025-8448 (sensitive information exposure). Affected Enterprise Server and Workstation versions should be updated to the fixed releases (for example 7.0.2.348, 6.0.4.10001 (CP8), 5.0.3.17009 (CP16)). If patches cannot be applied immediately, implement strong access controls, network segmentation, MFA where available, and continuous monitoring.

Patch SessionReaper: Critical Adobe Commerce/Magento Flaw

🔒 Adobe issued an emergency out-of-band patch for a critical vulnerability in Magento Open Source and Adobe Commerce, tracked as CVE-2025-54236 and dubbed SessionReaper. The flaw permits unauthenticated attackers to hijack user accounts and, when file-based session storage is used, can enable remote code execution. Adobe notified Commerce customers on Sept. 4 but Magento Open Source users may not have received the same advance warning. Organizations operating Magento sites should apply the patch immediately.

Microsoft fixes NDI streaming issues from August updates

🔧 Microsoft has resolved severe lag and stuttering issues affecting NDI streaming on Windows 10 and Windows 11 that appeared after the August 2025 cumulative security updates. The root cause was tied to KB5063878 and KB5063709 and manifested as dropped NDI traffic and degraded performance specifically over RUDP connections, while UDP and Single-TCP streams were unaffected. On September 9, 2025, Microsoft released fixes (KB5065426 and KB5065429) and recommends applying those updates; NDI also published a temporary workaround to switch Receive Mode to Single TCP or UDP in the NDI Tools Access Manager for systems that cannot immediately update.

Microsoft Fixes UAC Prompts and App Install Issues

🔧 Microsoft has issued a fix for an August 2025 update that caused unexpected User Account Control (UAC) prompts and blocked MSI app installations for non-administrative users across multiple Windows client and server releases. The behavior resulted from a security patch addressing CVE-2025-50173, which introduced broader elevation checks to mitigate privilege escalation. Microsoft’s September 2025 update narrows when UAC is required for MSI repairs and lets IT administrators add specific MSI packages to an allowlist via new SecureRepairPolicy and SecureRepairWhitelist registry keys. The company also resolved a separate bug that caused severe lag and stuttering in NDI streaming software on Windows 10 and Windows 11.

Adobe issues emergency patch for critical Commerce flaw

🔒 Adobe has issued an emergency patch for a critical input-validation vulnerability dubbed SessionReaper in Adobe Commerce and Magento. The flaw, tracked as CVE-2025-542360 with a CVSS score of 9.1, affects multiple 2.4.x releases and earlier. Sansec researchers said the bug can enable session hijacking and, according to the original finder, may allow unauthenticated remote code execution in some circumstances. Administrators are advised to deploy APSB25-88 immediately or enable a WAF as a temporary mitigation.

Microsoft Patches 80 Flaws, Including SMB Elevation

🔒 Microsoft released fixes for 80 security flaws across its products, including one publicly disclosed SMB privilege-escalation issue (CVE-2025-55234). Eight flaws are rated Critical and 72 Important, with a high proportion of elevation-of-privilege bugs. The update also includes a CVSS 10.0 Azure Networking fix and new auditing options to help administrators assess Windows SMB signing and Extended Protection compatibility before hardening.

Two Zero-Days Among Microsoft Patch Tuesday Fixes This Month

⚠️ Microsoft released its monthly Patch Tuesday addressing 81 vulnerabilities, including two disclosed zero-days affecting SQL Server and SMB. The first, CVE-2024-21907, involves improper handling in Newtonsoft.Json used by SQL Server and can cause denial of service via deeply nested JSON. The second, CVE-2025-55234, is a remotely exploitable SMB elevation-of-privilege that can be mitigated by hardening features like SMB Server Signing and Extended Protection for Authentication; Microsoft also offers audit tools to check compatibility before enabling them.

Critical SessionReaper Vulnerability in Adobe Commerce

⚠️ Adobe has disclosed a critical flaw, CVE-2025-54236 (SessionReaper), in Adobe Commerce and Magento Open Source that can enable attackers to take over customer accounts through the Commerce REST API. The issue, rated 9.1 by CVSS, stems from improper input validation and affects multiple product versions and a third-party module. Adobe published a hotfix and deployed WAF rules for cloud-hosted merchants while e-commerce security firm Sansec reproduced an exploitation path involving session manipulation and nested deserialization. Merchants should apply fixes, review session storage settings, and monitor for suspicious activity.