All news with #security advisory tag

Microsoft October 2025 Patch Tuesday: 6 Zero-Days Fixed

🔒 Microsoft released its October 2025 Patch Tuesday, addressing 172 vulnerabilities including six zero‑day flaws and eight Critical issues. The updates include five remote code execution and three elevation‑of‑privilege critical bugs, along with numerous information disclosure, denial‑of‑service and security feature bypass fixes. Notable actions include the removal of an Agere modem driver and patches for exploited elevation‑of‑privilege and SMB/SQL Server issues. Windows 10 reaches end of support with this release; Extended Security Updates remain available for organizations and consumers.

Windows 11 KB5066835 and KB5066793 October 2025 Updates

🔒 Microsoft has released cumulative updates KB5066835 and KB5066793 for Windows 11 versions 25H2/24H2 and 23H2 as part of the October 2025 Patch Tuesday. These mandatory updates move systems to Build 26200.6899 (25H2/24H2) and 226x1.6050 (23H2) and address recent security vulnerabilities plus several functional issues. Notable fixes include a Chromium print preview hang, PowerShell Remoting timeouts, Windows Hello USB IR camera setup failures, and a gaming sign-in input bug. The update also removes the ltmdm64.sys modem driver and rolls out new AI, accessibility, and File Explorer features gradually.

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.

Oracle quietly patches E-Business Suite SSRF zero-day

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

Security firms dispute credit for overlapping CVEs

🔍 A public dispute has emerged between FuzzingLabs and Gecko Security after FuzzingLabs accused Gecko of copying vulnerability PoCs, backdating blog posts, and filing duplicate CVEs for flaws FuzzingLabs disclosed in late 2024 and early 2025. Gecko denies wrongdoing, says overlaps arose from coordinating directly with maintainers, and has updated credits and dates. The episode underscores tensions in responsible disclosure and CVE attribution.

Signed UEFI Shell Enables Secure Boot Bypass on Framework

⚠️ Researchers at Eclypsium warn that roughly 200,000 Framework Linux systems shipped with legitimately signed UEFI shells containing a dangerous mm (memory modify) command. The command can read and write physical memory and be used to overwrite the gSecurity2 pointer that enforces UEFI signature checks, effectively disabling verification. That failure allows persistent bootkits to load at boot time and survive OS reinstalls. Framework is issuing firmware and DB/DBX updates; users should apply patches or follow temporary mitigations until fixes are available.

Secure Boot bypass risk in Framework Linux laptops

🔒 Eclypsium discovered that Framework shipped signed UEFI shells containing a dangerous mm (memory modify) command that can directly read and write system RAM and be leveraged to disable Secure Boot. By overwriting the gSecurity2 security handler pointer to NULL or redirecting it to a stub that always returns success, the mm command stops signature verification and can permit bootkits to load. Framework estimates roughly 200,000 affected units; users should apply available firmware and DBX updates, restrict physical access, or temporarily remove Framework's DB key in BIOS until patches are applied.

CISA Adds Five Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions include CVE-2016-7836 (SKYSEA Client View), CVE-2025-6264 (Rapid7 Velociraptor), CVE-2025-24990 and CVE-2025-59230 (Microsoft Windows), and CVE-2025-47827 (IGEL OS). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the designated due dates; CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Rockwell 1715 EtherNet/IP Module: CVE-2025-9177/9178

⚠️ Rockwell Automation disclosed two remotely exploitable vulnerabilities in the 1715 EtherNet/IP Comms Module (versions 3.003 and earlier) that have a CVSS v4 base score of 7.7. One issue (CWE-770, CVE-2025-9177) allows resource exhaustion of the device web server causing a crash; the other (CWE-787, CVE-2025-9178) permits crafted CIP payloads to trigger an out-of-bounds write and loss of CIP communication. Rockwell has released firmware version 3.011 to address both flaws; operators who cannot immediately upgrade should implement recommended network segmentation, firewalling, and secure remote-access controls.

CISA Releases ICS Advisory for Rockwell 1715 Module

🔔 CISA published one Industrial Control Systems advisory on October 14, 2025, identifying a vulnerability in the Rockwell Automation 1715 EtherNet/IP Communications Module (ICSA-25-287-01). The advisory summarizes affected firmware and configurations and provides technical details to assess exposure. It recommends prioritized mitigations, including vendor updates, network segmentation, and access restrictions, and urges administrators to review and implement the guidance promptly.

AMD issues patches for RMPocalypse flaw in SEV-SNP

⚠️ AMD released mitigations and firmware/BIOS updates to address a vulnerability dubbed RMPocalypse, which ETH Zürich researchers Benedict Schlüter and Shweta Shinde say can be triggered by a single 8-byte overwrite of the Reverse Map Paging (RMP) table during SEV‑SNP initialization. The flaw, assigned CVE-2025-0033, stems from a race condition in the AMD Secure Processor/Platform Security Processor (PSP/ASP) that could allow an admin-privileged or malicious hypervisor to modify initial RMP content and void SEV‑SNP integrity guarantees. AMD listed impacted EPYC families and provided vendor guidance; Microsoft and Supermicro have acknowledged the issue and are working on remediations.

Pixnapping: Android GPU Side-Channel Steals 2FA Pixels

⚠️ Researchers have disclosed Pixnapping, a pixel-stealing side-channel that can extract 2FA codes, Maps timelines, and other sensitive UI contents from Android apps by abusing GPU compression together with Android's window-blur and intent mechanisms. The proof-of-concept captures codes in under 30 seconds on several Google and Samsung devices running Android 13–16 without requiring special manifest permissions. Google tracked the issue as CVE-2025-48561 (CVSS 5.5) and issued mitigations in the September 2025 Android Security Bulletin, but researchers say a workaround can re-enable the technique and that some app-list bypass behavior will not be fixed.

Oracle issues second emergency patch for E-Business Suite

⚠️ Oracle released an emergency security alert on October 11 for CVE-2025-61884, a 7.5 CVSS information-disclosure flaw in the Runtime UI component of E-Business Suite (versions 12.2.3–12.2.14). The vulnerability allows unauthenticated remote attackers with network access to steal sensitive data. The patch arrives one week after an emergency fix for a Cl0p-exploited RCE, and experts urge administrators to apply updates, hunt for prior compromise, and restrict outbound traffic from EBS servers.

October 2025 Patch Tuesday: 172 CVEs, 3 Zero-Days, 8 Critical

🔒 Microsoft’s October 2025 Patch Tuesday addresses 172 vulnerabilities, including two publicly disclosed issues, three zero‑day flaws and eight Critical CVEs. The bulk of fixes target Windows (134 patches), Microsoft Office (18) and Azure (6), with elevation-of-privilege and remote code execution as the primary risks. Windows 10 reaches end of life on October 14, 2025; hosts must be on 22H2 to receive Extended Security Updates. CrowdStrike recommends prioritizing patches for actively exploited zero‑days and using Falcon Exposure Management dashboards to track and remediate affected systems.

Microsoft restricts IE mode in Edge after zero-day attacks

🔒 Microsoft is restricting access to Internet Explorer mode in Edge after discovering attackers leveraged an unpatched zero-day in the Chakra JavaScript engine combined with social engineering to achieve remote code execution and privilege escalation. The company removed quick UI triggers (toolbar button, context menu, hamburger items) so IE mode now requires explicit configuration under Settings > Default Browser. Commercial, policy-managed deployments remain unaffected.

Amazon RDS Adds Latest CU and GDR Updates for SQL Server

🛡️Amazon Relational Database Service (Amazon RDS) now supports the latest General Distribution Release (GDR) and Cumulative Update packages for Microsoft SQL Server, including SQL Server 2016 SP3+GDR (KB5065226), 2017 CU31+GDR (KB5065225), 2019 CU32+GDR (KB5065222) and 2022 CU21 (KB5065865). These updates address multiple security vulnerabilities tracked as CVE-2025-47997, CVE-2025-55227 and CVE-2024-21907. AWS recommends that customers upgrade their RDS SQL Server instances using the Amazon RDS Management Console, AWS SDKs or the AWS CLI and follow the RDS SQL Server upgrade guidance.

New zero-day in Gladinet re-enables patched RCE flaw

⚠️ Huntress has observed criminals exploiting a new zero-day (CVE-2025-11371) in Gladinet CentreStack and Triofox file-sharing servers that enables unauthenticated local file inclusion. The flaw can expose the application's Web.config machineKey, effectively re-enabling a prior ViewState deserialization RCE (CVE-2025-30406). Gladinet has not yet released a patch; Huntress advises disabling the UploadDownloadProxy temp handler as a mitigation. Huntress detected misuse across multiple customers and notes that SOC telemetry flagged irregular base64 payloads; administrators should assume 'fully patched' may not equal secure and isolate or disable vulnerable handlers until a vendor patch is available.

Oracle issues emergency patch for E-Business Suite

🔒 Oracle released an emergency update to address CVE-2025-61884, an information disclosure flaw in the E-Business Suite Runtime UI that affects versions 12.2.3 through 12.2.14. The vulnerability is remotely exploitable without authentication and has been assigned a CVSS base score of 7.5, meaning a successful exploit could expose sensitive resources. Oracle strongly urges customers to apply the out-of-band patch or recommended mitigations immediately, particularly for internet-facing instances.

Weekly Recap: WhatsApp Worm, Oracle 0-Day and Ransomware

⚡This weekly recap covers high-impact incidents and emerging trends shaping enterprise risk. Significant exploitation of an Oracle E-Business Suite zero-day (CVE-2025-61882) and linked payloads reportedly affected dozens of organizations, while a GoAnywhere MFT flaw (CVE-2025-10035) enabled multi-stage intrusions by Storm-1175. Other highlights include a WhatsApp worm, npm-based phishing chains, an emerging ransomware cartel, AI abuse, and a prioritized list of critical CVEs.