Microsoft's November 2025 Patch Tuesday addresses 63 vulnerabilities across its ecosystem, including one zero-day actively exploited in the wild, emphasizing the urgent need for immediate patch deployment to mitigate risks from critical flaws in Windows, Office, Azure, and other products.
Over 29,000 Microsoft Exchange servers remain unpatched against a high-severity vulnerability (CVE-2025-53786) that could allow attackers to escalate privileges and compromise entire domains, prompting urgent mitigation efforts by U.S. federal agencies and warnings for organizations worldwide.
A high-severity directory traversal vulnerability in SolarWinds Serv-U file transfer software (CVE-2024-28995) is being actively exploited, allowing attackers to read sensitive files. The flaw affects all versions up to Serv-U 15.4.2 HF 1 and has been patched in version 15.4.2 HF 2. Users are urged to update immediately to mitigate potential threats, as public proof-of-concept exploits make it easy for attackers to leverage this vulnerability.
A three-year-old improper access control bug in Apache Flink, CVE-2020-17519, is being actively exploited, prompting the US government to add it to the Known Exploited Vulnerabilities Catalog. Federal agencies must patch or stop using the software by June 13, and all users should ensure they are updated and check for potential compromises. The flaw allows attackers to read any file on the JobManager's local filesystem via the REST interface, and its exploitation underscores the critical need for timely software updates.
Cisco, Fortinet, and VMware have released critical security patches to address multiple vulnerabilities in their products, including CSRF attacks on Cisco Expressway Series, bypasses for a critical flaw in FortiSIEM supervisor, and moderate-to-important severity flaws in VMware Aria Operations for Networks. Organizations are urged to apply the patches promptly to mitigate the risks associated with these vulnerabilities.
CISA has directed U.S. federal agencies to address recently patched Citrix NetScaler and Google Chrome zero-day vulnerabilities, with a focus on fixing a Citrix remote code execution (RCE) bug within a week. Citrix has advised immediate patching of affected appliances, and CISA has mandated specific timelines for patching vulnerable devices within federal agencies. The cybersecurity agency has also urged all organizations, including private companies, to prioritize patching these security flaws.
Microsoft has identified and disclosed four vulnerabilities in Perforce Helix Core Server, including a critical remote code execution bug. The flaws have been patched by Perforce in version 2023.1/2513900, and users are urged to update immediately. Exploitation of the critical vulnerability could give unauthenticated attackers complete control over unpatched systems and connected infrastructure. Microsoft recommends basic security hygiene measures and specific steps for securing Perforce Server, such as using a VPN, issuing TLS certificates, logging all access, and configuring alerts.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies to secure their Juniper devices against four vulnerabilities that are being actively exploited in remote code execution (RCE) attacks. Juniper has confirmed that the flaws in its J-Web interface have been successfully exploited in the wild. The ShadowServer threat monitoring service has already detected exploitation attempts, and over 10,000 Juniper devices with vulnerable J-Web interfaces are exposed online. Administrators are urged to upgrade JunOS or restrict Internet access to the J-Web interface. CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, and federal agencies must secure their Juniper devices within the next four days.
The Cybersecurity and Infrastructure Security Agency (CISA) and other international cybersecurity agencies have released a joint advisory detailing the top routinely exploited vulnerabilities in 2022. Malicious cyber actors have been targeting older software vulnerabilities and unpatched, internet-facing systems. The advisory provides recommendations for vendors, designers, developers, and end-user organizations to mitigate the risk of compromise. The top 12 vulnerabilities include Fortinet SSL VPNs, Microsoft Exchange email servers (ProxyShell), Zoho ManageEngine ADSelfService Plus, Atlassian Confluence Server, Apache's Log4j library (Log4Shell), and VMware Workspace ONE Access. Additional vulnerabilities were also identified, emphasizing the importance of timely patching and implementing security measures.
Progress Software has patched a critical SQL injection vulnerability, CVE-2023-36934, in its MOVEit Transfer software, which could allow unauthenticated attackers to gain unauthorized access to the database. This vulnerability is particularly dangerous as it can be exploited without valid credentials. Two other high-severity vulnerabilities, CVE-2023-36932 and CVE-2023-36933, have also been addressed in the update. Users are advised to update to the latest version of MOVEit Transfer to mitigate the risks associated with these vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems by June 23 to fix an actively exploited SQL injection vulnerability in Progress MOVEit Transfer, a managed file transfer solution. The flaw allows remote attackers to access the database and execute arbitrary code. Threat actors have been exploiting the vulnerability since at least May 27, with mass exploitation and data theft occurring. Private companies are also advised to prioritize securing their systems against the flaw. Progress advises all customers to patch their MOVEit Transfer instances or disable HTTP and HTTPS traffic to remove the attack surface.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to patch three recently discovered zero-day flaws affecting iPhones, Macs, and iPads that have been exploited in attacks. The bugs allow attackers to access sensitive information and execute arbitrary code. Apple has acknowledged that the flaws may have been actively exploited. The affected devices include the iPhone 6s and later, iPads, Macs, Apple Watches, and Apple TVs. The bugs were addressed in recent updates, and federal agencies must apply the patches by June 12th, 2023. The flaws were likely exploited in state-sponsored spyware attacks.
CISA has ordered federal agencies to patch five security vulnerabilities exploited in recent attacks to install commercial spyware on mobile devices. The vulnerabilities were abused in two separate highly-targeted campaigns targeting Android and iOS users. CISA has added the five vulnerabilities to its Known Exploited Vulnerabilities catalog and given Federal Civilian Executive Branch Agencies three weeks to patch vulnerable mobile devices. CISA strongly urged all organizations to prioritize patching these bugs to thwart exploitation attempts.
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them. The new system's primary goal is to help Exchange admins identify unpatched or unsupported on-prem Exchange servers, allowing them to upgrade or patch them before they become security risks. Initially, the enforcement system will only affect servers running Exchange Server 2007 that use OnPremises connectors to send mail, which allows Microsoft to fine-tune it; after that tuning, it will expand to all Exchange versions, regardless of how they connect to Exchange Online.
Criminals, including potentially an APT group, exploited a three-year-old Telerik bug to break into a US federal government agency's Microsoft Internet Information Services web server between November 2022 and early January. The Feds became aware of the intrusion after spotting warning signs at a federal civilian executive branch agency. The Telerik bug, which received a 9.8 out of 10 CVSS severity score, was first discovered in 2019 and is especially popular with Beijing-backed criminals. The cybersecurity agency suggests organizations stay on top of patching to ensure their software is up to date and limit permissions to the minimum necessary to run services.