All news with #security advisory tag

November 2025 Patch Tuesday: One Zero-Day, Five Criticals

🔒 Microsoft’s November 2025 Patch Tuesday addresses 63 CVEs, including one actively exploited zero‑day and five Critical vulnerabilities that span Windows, Office, Developer Tools and third‑party products. This release is the first Extended Security Update (ESU) roll‑out for Windows 10 after its October 14 end‑of‑life; ESU enrollment and upgrade to 22H2 are required to receive fixes. CrowdStrike notes elevation of privilege, remote code execution and information disclosure are the leading exploitation techniques this month. Administrators should prioritize the zero‑day and Critical fixes (notably GDI+ and Nuance PowerScribe) and adopt mitigations where patching is delayed.

November Patch Tuesday: Critical Windows Kernel Zero-Day

⚠️ Microsoft’s November Patch Tuesday addresses 63 vulnerabilities, including an actively exploited Windows kernel zero-day CVE-2025-62215 that can allow local attackers to escalate to SYSTEM via a complex race-condition double-free. Administrators should prioritize this fix across servers, domain controllers, and desktops, including Windows 10 systems enrolled in the ESU program. Other notable fixes include a Copilot Chat extension RCE (CVE-2025-62222) and a critical Microsoft Graphics Component overflow that could be triggered by specially crafted document uploads.

Synology Patches Critical BeeStation RCE Shown at Pwn2Own

🔒 Synology has released a patch for a critical remote code execution flaw (CVE-2025-12686) in BeeStation OS, following a proof-of-concept exploit shown at Pwn2Own Ireland. The vulnerability, described as a buffer copy without checking input size, can enable arbitrary code execution on impacted NAS devices and has no practical mitigations. Synology advises users to upgrade to BeeStation OS 1.3.2-65648 or later to remediate the issue. The flaw was demonstrated by Synacktiv researchers Tek and anyfun, who earned a $40,000 reward.

Hackers Exploit Triofox AV Feature to Deploy Remote Tools

⚠️ Hackers exploited a critical Triofox vulnerability (CVE-2025-12480) and abused the product's built-in antivirus configuration to achieve remote code execution as SYSTEM. Google Threat Intelligence Group traced the activity to UNC6485 targeting a Triofox server in August; attackers bypassed authentication via Host header/Referer spoofing and configured a malicious scanner to run a PowerShell downloader. Vendor patches are available; administrators should update and audit admin and scanner settings.

Windows 11 23H2 Home and Pro Reach End of Support Now

⚠️ Microsoft confirmed that Windows 11, version 23H2 Home and Pro editions reached end of servicing on November 11, 2025; the November 2025 monthly security update is the last patch for those SKUs. Devices running those editions will no longer receive monthly security or preview updates protecting against the latest threats. Users are advised to upgrade to Windows 11, version 25H2, available to eligible devices via Settings > Windows Update.

Microsoft releases KB5068781 — first Windows 10 ESU update

🔔 Microsoft released KB5068781, the first Extended Security Update (ESU) for Windows 10 following the platform's end of support. The update fixes a bug that incorrectly reported LTSC devices as out of support and bundles October Patch Tuesday fixes. It addresses 63 vulnerabilities — including one actively exploited elevation-of-privilege flaw — and is mandatory for enrolled devices, installing via Settings → Windows Update and updating ESU and LTSC builds to 19045.6575/19044.6575.

Microsoft November 2025 Patch Tuesday: 63 Flaws, 1 Zero-Day

🛡️ Microsoft’s November 2025 Patch Tuesday addresses 63 vulnerabilities, including one actively exploited zero-day in the Windows Kernel (CVE-2025-62215). The update bundle includes four Critical issues and a broad set of fixes across kernel, RDP, Hyper-V, drivers, Office components and other Windows subsystems. Organizations still on unsupported Windows 10 should upgrade to Windows 11 or enroll in Microsoft’s ESU program; Microsoft also released an out-of-band patch to fix an ESU enrollment bug.

Windows 11 KB5068861 & KB5068865 November 2025 Updates

🔔 Microsoft released cumulative updates KB5068861 and KB5068865 for Windows 11 25H2/24H2 and 23H2, delivering the November 2025 Patch Tuesday security fixes, bug repairs, and several feature changes. The updates are mandatory security releases and update system build numbers to 26200.7019 (25H2/24H2 variants) and 226x1.6050 (23H2). Notable additions include a redesigned Start menu with Categories mode, updated battery icons with percentage, a new Copilot page in Get Started, Administrator Protection Preview, and post-quantum cryptography API support. Microsoft said the rollout is gradual and reported no new known issues at announcement time.

Microsoft emergency Windows 10 update fixes ESU enrollment

🔧Microsoft released an out‑of‑band update (KB5071959) to address a Windows 10 Consumer ESU enrollment failure that could cause the ESU wizard to abort. Once the update is installed and the device is rebooted, affected systems should be able to complete ESU enrollment and resume receiving Extended Security Updates via Windows Update. Microsoft flagged the patch as a security update for non‑enrolled devices to restore access to essential fixes.

Microsoft November 2025 Patch Tuesday: 63 Vulnerabilities

🔒 Microsoft released its November 2025 Patch Tuesday addressing 63 vulnerabilities across Windows, Office, Visual Studio and other components, including five labeled Critical. One important kernel elevation flaw, CVE-2025-62215, has been observed exploited in the wild. Critical issues include RCE in GDI+, Office, and Visual Studio, plus a DirectX elevation-of-privilege; Microsoft rates several as less likely to be exploited. Cisco Talos published Snort and Snort 3 rules and advises customers to apply updates and rule packs promptly.

Pixnapping vulnerability: Android screen-snooping risk

🔒 A newly disclosed exploit named Pixnapping (CVE-2025-48561) allows a malicious Android app with no special permissions to read screen pixels from other apps and reconstruct sensitive content. The attack chains intent-based off-screen rendering, translucent overlays, and a GPU compression timing side channel to infer pixel values. Google issued a September patch but researchers bypassed it, and a more robust fix is planned.

SAP patches critical hardcoded credentials in SQL Anywhere

🔒 SAP released November security updates addressing a maximum-severity (10.0) hardcoded credentials flaw in the non-GUI component of SQL Anywhere Monitor (CVE-2025-42890) and a critical code-injection issue in SAP Solution Manager (CVE-2025-42887). The embedded credentials could allow attackers to access administrative functions and potentially execute arbitrary code. Administrators should apply updates and follow SAP mitigation guidance promptly.

Attackers Exploit Critical Triofox Flaw for Code Execution

⚠️ Mandiant and Google GTIG observed UNC6485 exploiting a critical improper access control flaw, CVE-2025-12480, in Gladinet Triofox versions prior to 16.7.10368.56560. Attackers spoofed a localhost Host header to reach setup pages, create a native 'Cluster Admin' account and upload payloads. They abused the product's anti‑virus configuration to execute arbitrary scripts as SYSTEM, then deployed remote access tools, escalated privileges and exfiltrated credentials. Users are urged to update, audit admin accounts and hunt for indicators of compromise.

Triofox Authentication Bypass Leads to Remote Access

🔒 Google's Mandiant reported active n‑day exploitation of a critical authentication bypass in Gladinet's Triofox (CVE-2025-12480, CVSS 9.1) that lets attackers access configuration pages and execute arbitrary payloads. Adversaries abused the product's antivirus executable path to run a malicious batch, installing Zoho UEMS and remote‑access tools such as Zoho Assist and AnyDesk. Operators created admin accounts, escalated privileges, and established SSH tunnels for inbound RDP. Triofox customers should apply the vendor patch, remove unauthorized admins, and verify antivirus executable paths cannot run untrusted scripts.

Critical RCE in expr-eval JavaScript Library, affects NPM

⚠️ A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in the popular expr-eval JavaScript expression parser, which sees over 800,000 weekly downloads on NPM. Reported by Jangwoo Choe and rated 9.8 by CISA, the flaw stems from insufficient validation of the variables/context object passed to Parser.evaluate(), allowing attacker-supplied function objects to be invoked during evaluation. Both the original project and its maintained fork are affected; the fork provides a fix in v3.0.0. Developers should migrate to the patched fork and republish dependent packages immediately.

Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE

⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.

New hardware attack (TEE.fail) breaks modern secure enclaves

🔒 A new low-cost hardware-assisted attack called TEE.fail undermines current trusted execution environments from major chipmakers. The method inserts a tiny device between a memory module and the motherboard and requires a compromised OS kernel to extract secrets, defeating protections in Confidential Compute, SEV-SNP, and TDX/SDX. The attack completes in roughly three minutes and works against DDR5 memory, meaning the physical-access threats TEEs are designed to defend against are no longer reliably mitigated.

High-severity runc bugs allow container breakouts via procfs

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.

Critical runC Vulnerabilities Allow Docker Container Escape

⚠️ Three newly disclosed vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could allow attackers to bypass container isolation and obtain root write access on the host. The issues involve manipulated bind mounts and redirected writes to /proc, and one flaw affects runC releases back to 1.0.0-rc3. Patches are available in recent runC releases; administrators should update, monitor for suspicious symlink/mount activity, and consider enabling user namespaces or running rootless containers as mitigations.

QNAP Fixes Seven NAS Zero-Day Flaws From Pwn2Own Competition

🔒 QNAP has released patches for seven zero-day vulnerabilities that were exploited to hack NAS devices during the Pwn2Own Ireland 2025 contest. The flaws affect QTS/QuTS hero and several bundled apps, including Hyper Data Protector, Malware Remover, and HBS 3, and are tracked under multiple CVEs. Fixed firmware and app builds are available and administrators are advised to update via Control Panel > System > Firmware Update and the App Center, then change all passwords. Regularly checking product support status and applying updates promptly are recommended to maintain security.