Patch Tuesday January 2026 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Microsoft Vulnerabilities
This first Patch Tuesday of the year brings 113 vulnerability fixes from Microsoft, a sharp increase compared to recent releases. The update includes eight critical vulnerabilities and one zero-day, underscoring the growing pressure on patching teams. This comes against a broader trend: in 2025, reported vulnerabilities increased by 12% over 2024, continuing the upward trajectory of disclosed security flaws.
CVE-2026-20805 – Desktop Window Manager Information Disclosure Vulnerability
This flaw quietly leaks sensitive memory details, giving attackers the inside knowledge they need to weaken system protections and prepare for deeper compromise.
Exposure of sensitive information in the Desktop Window Manager (DWM) allows a locally authenticated attacker to disclose information that should not be accessible. By exploiting this weakness, an attacker can obtain user-mode memory details, which may reduce the effectiveness of security mitigations and make follow-on attacks easier. While it does not directly allow code execution, the information gained can be highly valuable when chaining attacks.
CVSS Score: 5.5
SEVERITY: Important
THREAT: Local information disclosure that aids attackers in bypassing protections and escalating future attacks.
EXPLOITS:
No public proof-of-concept code has been disclosed, but exploitation has been detected in the wild, indicating real-world attacker interest and usage.
TECHNICAL SUMMARY:
This vulnerability is caused by improper handling of sensitive information within the Desktop Window Manager. An authorized local attacker can trigger the flaw to disclose a section address from a remote ALPC port residing in user-mode memory. Although no data modification or denial of service occurs, the exposed memory information can undermine address space layout randomization (ASLR) and other defenses, making additional exploits more reliable.
EXPOLITABILITY:
Affected systems include supported Windows versions that rely on Desktop Window Manager. Exploitation requires local access with low privileges and no user interaction, making it feasible for attackers already present on a system.
BUSINESS IMPACT:
For organizations, this vulnerability increases the risk of successful multi-stage attacks. Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or data theft, potentially leading to broader system compromise, regulatory exposure, and loss of trust.
WORKAROUND:
If the patch cannot be applied immediately, limit local access, enforce least-privilege policies, and closely monitor systems for suspicious local activity.
URGENCY:
Exploitation has been detected, which elevates risk despite the “Important” severity rating. Delaying remediation leaves systems exposed to attackers who are actively leveraging this weakness to gather sensitive system information.
CVE-2026-20957 – Microsoft Excel Remote Code Execution Vulnerability
This vulnerability turns a simple spreadsheet into a weapon, allowing attackers to run their own code the moment a file is opened.
CVE-2026-20957 is a critical remote code execution vulnerability in Microsoft Excel caused by an integer underflow that can lead to a heap-based buffer overflow. An attacker can exploit this flaw by convincing a user to open a specially crafted Excel file. Once triggered, the vulnerability allows arbitrary code execution in the context of the logged-on user, potentially giving attackers full control over the affected system.
CVSS Score: 7.8
SEVERITY: Critical
THREAT: High-risk code execution vulnerability that enables full system compromise through malicious Excel files.
EXPLOITS:
There are currently no publicly disclosed exploits or proof-of-concept code, and active exploitation has not been observed. However, the vulnerability is technically straightforward and attractive for weaponization in phishing campaigns.
TECHNICAL SUMMARY:
This vulnerability stems from improper handling of integer values in Microsoft Excel, resulting in an integer underflow condition. When exploited, the underflow can cause a heap-based buffer overflow, allowing an attacker to overwrite memory and execute arbitrary code. The attack requires no privileges and only relies on user interaction—specifically opening a malicious Excel document. While the Preview Pane is not an attack vector, opening the file itself is sufficient to trigger the flaw.
EXPOLITABILITY:
Affected systems include supported versions of Microsoft Excel. Exploitation requires the user to open a malicious file, after which attacker-controlled code can execute locally with the user’s privileges.
BUSINESS IMPACT:
This vulnerability poses a serious risk to organizations because Excel files are widely trusted and commonly exchanged. A successful attack can lead to full system takeover, data theft, ransomware deployment, or lateral movement within a corporate network, resulting in operational disruption and potential financial and reputational damage.
WORKAROUND:
If immediate patching is not possible, restrict the opening of Excel files from untrusted sources, strengthen email filtering, and educate users to avoid opening unexpected attachments.
URGENCY:
The critical severity and ease of exploitation through social engineering make this patch a high priority. Excel is a frequent target in phishing attacks, and delaying remediation significantly increases the risk of widespread compromise across user endpoints.
CVE-2026-20952 – Microsoft Office Remote Code Execution Vulnerability
This vulnerability lets attackers turn a trusted Office document—or even the Preview Pane—into a silent execution point for malicious code.
CVE-2026-20952 is a critical remote code execution vulnerability in Microsoft Office caused by a use-after-free memory handling flaw. The issue allows an attacker to execute arbitrary code locally without requiring privileges and, in some scenarios, without any user interaction. Successful exploitation could give attackers full control over an affected system, making this vulnerability particularly dangerous in enterprise environments.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Full system compromise through malicious Office content, including Preview Pane–based attacks.
EXPLOITS:
There are no publicly available exploits or proof-of-concept code at this time, and active exploitation has not been observed. However, the vulnerability is considered reliable to exploit due to low complexity and the presence of multiple attack vectors.
TECHNICAL SUMMARY:
This vulnerability is caused by a use-after-free condition in Microsoft Office, where the application continues to reference memory after it has been freed. An attacker can exploit this condition to corrupt memory and execute arbitrary code. Notably, the Preview Pane is a valid attack vector, meaning code execution may occur without the user explicitly opening a file. In worst-case scenarios, specially crafted content delivered via email could trigger exploitation with little to no user interaction.
EXPOLITABILITY:
Affected systems include supported versions of Microsoft Office. Exploitation can occur when a user previews or opens a malicious file, or when Office processes specially crafted content, potentially without user interaction.
BUSINESS IMPACT:
This vulnerability represents a high-impact risk for organizations because Microsoft Office is deeply embedded in daily business operations. Successful exploitation could lead to complete system takeover, data breaches, credential theft, ransomware deployment, and rapid lateral movement across networks, significantly increasing operational and financial damage.
WORKAROUND:
If the patch cannot be applied immediately, disable the Preview Pane where possible, restrict Office file handling from untrusted sources, and enhance email and attachment filtering.
URGENCY:
The critical severity, lack of required privileges, and the ability to exploit the vulnerability through the Preview Pane elevate this issue to an urgent patching priority. Delayed remediation leaves systems exposed to silent, low-effort attacks that can result in full compromise.
CVE-2026-20854 – Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
This flaw targets the heart of Windows authentication, where a single memory error can open the door to total system takeover.
CVE-2026-20854 is a critical remote code execution vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). The issue stems from a use-after-free condition that can be triggered over the network by an authenticated attacker. Because LSASS is responsible for authentication and security policy enforcement, successful exploitation could allow attackers to execute code with high-impact consequences, including full system compromise.
CVSS Score: 7.5
SEVERITY: Critical
THREAT: Network-based code execution against a core Windows security component, potentially leading to complete control of affected systems.
EXPLOITS:
There are no publicly disclosed exploits or proof-of-concept code at this time, and exploitation has not been observed in the wild. However, the vulnerability affects a highly sensitive service and is a valuable target for advanced attackers.
TECHNICAL SUMMARY:
This vulnerability is caused by a use-after-free memory handling flaw within LSASS. An authenticated attacker with low privileges can manipulate certain directory attributes and supply crafted data during authentication processes. This can cause LSASS to reference invalid memory, leading to memory corruption and potential arbitrary code execution. Although exploit reliability requires careful preparation, the network-accessible nature of LSASS significantly raises the risk profile.
EXPOLITABILITY:
Affected systems include supported versions of Windows running LSASS. Exploitation requires network access and valid authentication with low privileges. No user interaction is required, but attackers must prepare the environment to increase exploit reliability.
BUSINESS IMPACT:
LSASS is a high-value target because it handles credentials and authentication. Compromise of this service can result in credential theft, lateral movement, domain-wide compromise, and prolonged attacker persistence. For organizations, this could mean widespread outages, data breaches, and severe reputational and financial damage.
WORKAROUND:
If patching cannot be performed immediately, restrict unnecessary network access to authentication services, apply strict directory permission controls, and closely monitor authentication-related activity for anomalies.
URGENCY:
This vulnerability affects a core Windows security service and allows network-based code execution with only low privileges. Even with higher attack complexity, the potential impact is severe, making rapid patch deployment critical to reducing enterprise-wide risk.
CVE-2026-20955 – Microsoft Excel Remote Code Execution Vulnerability
This flaw lets a malicious spreadsheet take control of a system the moment a user opens it, turning trusted business files into an attack vector.
CVE-2026-20955 is a critical remote code execution vulnerability in Microsoft Excel caused by an untrusted pointer dereference. An attacker can exploit this issue by crafting a malicious Excel file and convincing a user to open it. Once triggered, the vulnerability allows arbitrary code execution in the context of the logged-on user, potentially leading to full system compromise.
CVSS Score: 7.8
SEVERITY: Critical
THREAT: High-risk code execution vulnerability delivered through malicious Excel documents.
EXPLOITS:
There are no publicly disclosed exploits or proof-of-concept code at this time, and exploitation has not been observed in the wild. Despite this, the vulnerability is well-suited for phishing-based attacks and could be weaponized quickly.
TECHNICAL SUMMARY:
This vulnerability arises from Excel improperly dereferencing an untrusted pointer during file processing. When a specially crafted Excel document is opened, the application may reference attacker-controlled memory, resulting in arbitrary code execution. The Preview Pane is not an attack vector, but opening the file itself is sufficient to trigger the flaw. No privileges are required, making the attack viable against standard user accounts.
EXPOLITABILITY:
Affected systems include supported versions of Microsoft Excel. Exploitation requires user interaction in the form of opening a malicious file, after which attacker-controlled code executes locally with the user’s permissions.
BUSINESS IMPACT:
Excel is widely used across organizations for daily operations, making this vulnerability particularly dangerous. A successful exploit could lead to malware installation, data theft, ransomware deployment, or attackers gaining a foothold for lateral movement, resulting in operational disruption and financial loss.
WORKAROUND:
If patching is delayed, restrict Excel file downloads from untrusted sources, enhance email attachment filtering, and reinforce user awareness around phishing and malicious documents.
URGENCY:
The critical severity and ease of exploitation through social engineering make this vulnerability a high priority. Organizations that rely heavily on Excel are especially exposed until the patch is deployed.
CVE-2026-20953 – Microsoft Office Remote Code Execution Vulnerability
This vulnerability allows attackers to weaponize everyday Office content, potentially executing malicious code without a single click.
CVE-2026-20953 is a critical remote code execution vulnerability in Microsoft Office caused by a use-after-free memory flaw. The issue can allow an unauthorized attacker to execute arbitrary code locally, in some scenarios without any user interaction. Because Microsoft Office is widely used and deeply integrated into daily business workflows, this vulnerability represents a serious and high-impact risk.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Silent local code execution through Microsoft Office content, including Preview Pane–based attack paths.
EXPLOITS:
There are no publicly available exploits or proof-of-concept code, and active exploitation has not been observed. However, the vulnerability is considered attractive to attackers due to low attack complexity and multiple viable exploitation methods.
TECHNICAL SUMMARY:
This vulnerability is caused by a use-after-free condition in Microsoft Office, where the application continues to access memory after it has been freed. An attacker can exploit this flaw by crafting malicious content that triggers memory corruption, leading to arbitrary code execution. Notably, the Preview Pane is a valid attack vector, meaning exploitation may occur without the user explicitly opening a file. In worst-case scenarios, specially crafted email content could trigger code execution with no user interaction at all.
EXPOLITABILITY:
Affected systems include supported versions of Microsoft Office. Exploitation can occur through a locally run malicious application, opening a crafted file, or previewing malicious content. No privileges are required, and some attack paths do not require user interaction.
BUSINESS IMPACT:
This vulnerability poses a major risk to organizations because it targets a trusted and widely used productivity platform. Successful exploitation could result in full system compromise, data breaches, ransomware deployment, credential theft, and lateral movement across the network, leading to significant operational disruption and financial loss.
WORKAROUND:
If patching is delayed, disable the Preview Pane where feasible, restrict Office file handling from untrusted sources, and strengthen email and attachment security controls.
URGENCY:
The critical severity, lack of required privileges, and the ability to exploit this vulnerability through the Preview Pane make immediate patching essential. Delaying remediation increases the risk of silent compromise through common Office-based attack techniques.
CVE-2026-20944 – Microsoft Word Remote Code Execution Vulnerability
This vulnerability turns a simple Word document preview into a direct path for attackers to run malicious code without warning.
CVE-2026-20944 is a critical remote code execution vulnerability in Microsoft Word caused by an out-of-bounds read flaw. An attacker can exploit this issue by delivering a specially crafted Word document that triggers improper memory access. In some scenarios, code execution can occur without the user actively opening the document, making this vulnerability especially dangerous in email-based attack chains.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Silent local code execution through malicious Word documents and Preview Pane exposure.
EXPLOITS:
There are no publicly available exploits or proof-of-concept code, and active exploitation has not been observed. Despite this, the low attack complexity and Preview Pane attack vector make this vulnerability highly attractive for future weaponization.
TECHNICAL SUMMARY:
This vulnerability is caused by an out-of-bounds read condition in Microsoft Word, where the application reads memory outside of an allocated buffer. When processing a specially crafted document, this improper memory access can be abused to manipulate execution flow and run arbitrary code. The Preview Pane is a valid attack vector, meaning Word may trigger the vulnerability simply by rendering the document preview, without requiring the user to open the file.
EXPOLITABILITY:
Affected systems include supported versions of Microsoft Word. Exploitation can occur when a user previews or opens a malicious document. No privileges are required, and some attack scenarios require no explicit user interaction beyond viewing the document in an email client.
BUSINESS IMPACT:
Microsoft Word is a cornerstone of daily business communication, making this vulnerability a high-risk threat for organizations. Successful exploitation could result in full system compromise, data theft, ransomware deployment, credential harvesting, and rapid lateral movement across the network, leading to significant operational and financial damage.
WORKAROUND:
If patching cannot be applied immediately, disable the Preview Pane where feasible, restrict Word documents from untrusted sources, and strengthen email and attachment filtering controls.
URGENCY:
The critical severity, absence of required privileges, and Preview Pane attack vector make this vulnerability a top patching priority. Delayed remediation increases the risk of silent exploitation through common email-based delivery methods.
CVE-2026-20876 – Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
This flaw breaks the security boundary designed to protect Windows itself, allowing attackers to climb into one of the most trusted execution layers of the system.
CVE-2026-20876 is a critical elevation of privilege vulnerability in Windows Virtualization-Based Security (VBS) Enclave. The issue is caused by a heap-based buffer overflow that allows an authorized attacker with high privileges to elevate their access locally. Successful exploitation can grant Virtual Trust Level 2 (VTL2) privileges, undermining core Windows security protections that are meant to isolate and defend sensitive system operations.
CVSS Score: 6.7
SEVERITY: Critical
THREAT: Privilege escalation into a highly trusted security boundary, weakening core Windows isolation guarantees.
EXPLOITS:
There are no publicly disclosed exploits or proof-of-concept code, and exploitation has not been observed in the wild. However, the vulnerability targets a high-value security boundary and could be leveraged by advanced attackers already present on a system.
TECHNICAL SUMMARY:
This vulnerability stems from a heap-based buffer overflow within the Windows VBS Enclave. Improper memory handling allows an attacker with elevated local privileges to corrupt memory and execute code at a higher trust level. By exploiting this flaw, an attacker can escape normal security boundaries and gain VTL2 privileges, which are typically reserved for highly sensitive, isolated system operations protected by virtualization-based security.
EXPOLITABILITY:
Affected systems include supported Windows versions with VBS enabled. Exploitation requires local access and high privileges, but no user interaction. Once triggered, the vulnerability enables escalation into a more trusted execution level.
BUSINESS IMPACT:
This vulnerability poses a serious risk for organizations relying on VBS to protect credentials, secrets, and sensitive workloads. If exploited, attackers could bypass advanced security controls, establish deep persistence, evade detection, and compromise systems that are assumed to be strongly isolated, increasing the blast radius of an intrusion.
WORKAROUND:
If the patch cannot be applied immediately, restrict administrative access, enforce strong privilege management, and monitor for abnormal activity involving VBS or enclave-related processes.
URGENCY:
Although exploitation requires high privileges, the impact is severe because it compromises virtualization-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries.
CVE-2026-20822 – Windows Graphics Component Elevation of Privilege Vulnerability
This flaw lets attackers race the system itself, turning a graphics bug into a path for full SYSTEM-level control.
CVE-2026-20822 is a critical elevation of privilege vulnerability in the Windows Graphics Component caused by a use-after-free condition. An authenticated attacker with low privileges can exploit this flaw locally to gain SYSTEM-level access. In certain GPU paravirtualization scenarios, successful exploitation could even cross security boundaries, increasing the potential impact beyond the local environment.
CVSS Score: 7.8
SEVERITY: Critical
THREAT: Local privilege escalation that can lead to SYSTEM access and potential boundary crossing in virtualized environments.
EXPLOITS:
There are no publicly disclosed exploits or proof-of-concept code, and exploitation has not been observed in the wild. However, the vulnerability is technically viable and attractive for attackers seeking privilege escalation after gaining an initial foothold.
TECHNICAL SUMMARY:
This vulnerability is caused by a use-after-free flaw in the Windows Graphics Component. Under specific timing conditions, an attacker can trigger a race condition that causes the system to reference freed memory. By carefully controlling memory reuse, the attacker can corrupt execution flow and elevate privileges. In GPU paravirtualization scenarios, this flaw may allow traversal of security boundaries, potentially exposing host-level resources.
EXPOLITABILITY:
Affected systems include supported Windows versions using the Graphics Component. Exploitation requires local access with low privileges and the ability to reliably win a race condition. No user interaction is required.
BUSINESS IMPACT:
For organizations, this vulnerability represents a serious risk because it allows attackers to escalate from a limited user account to SYSTEM privileges. This level of access enables disabling security tools, stealing sensitive data, deploying malware, and establishing persistent control. In virtualized environments, the possibility of boundary crossing further increases the potential blast radius.
WORKAROUND:
If the patch cannot be applied immediately, limit local user access, reduce exposure to untrusted code execution, and closely monitor systems for abnormal graphics or GPU-related activity.
URGENCY:
Despite the higher attack complexity, the critical severity and potential for SYSTEM-level compromise make this patch urgent. Any attacker who successfully exploits this flaw can quickly gain full control of the affected system, making delayed remediation a high-risk decision.
Microsoft Windows Admin Center – Improper Access Control (CVE-2025-64669)
“A design flaw in Windows Admin Center lets a low-privileged user quietly climb to full admin control.”
Microsoft Windows Admin Center (WAC), a centralized management tool for Windows servers and systems, contains an improper access control vulnerability identified as CVE-2025-64669. This flaw allows a user with limited local privileges to escalate their access and gain administrative-level control over the system. The vulnerability carries a CVSS score of 7.8 (High), reflecting the significant risk it poses if exploited.
The issue stems from insufficient enforcement of access restrictions within Windows Admin Center. Certain components and execution paths did not adequately validate user permissions, enabling a low-privileged attacker to interact with resources that should have been restricted. If abused, this weakness could allow unauthorized actions, including running processes with elevated rights and effectively bypassing Windows security boundaries. In managed enterprise environments, this could lead to system takeover, manipulation of configurations, or lateral movement to other assets.
Microsoft has released a patch to address this vulnerability and correct the access control enforcement within Windows Admin Center. There are currently no confirmed reports of active exploitation or public proof-of-concept code, but the nature of the flaw makes it a realistic privilege escalation risk for attackers who already have local access.
React Server Components
“If React2Shell is unpatched, your web app can become an attacker’s remote terminal.”
React2Shell is a critical remote code execution (RCE) vulnerability in React Server Components (RSC) that can be exploited without authentication. In affected deployments, an attacker can send a crafted request that triggers unsafe handling of server-side payloads, potentially leading to arbitrary code execution, malware deployment, credential theft, and full service takeover—often with no user interaction required.
CVSS Score: 10.0
SEVERITY: Critical
THREAT: Very active exploitation in the wild, rapid weaponization, and high-value targeting across internet-facing RSC-enabled services.
EXPLOITS: Public proof-of-concept (PoC) code has been reported, and multiple groups have been observed exploiting this vulnerability in real-world attacks (including opportunistic and advanced threat activity).
TECHNICAL SUMMARY:
The vulnerability affects React Server Components implementations where server-side endpoints process attacker-controlled payloads and perform unsafe operations during request handling (notably around deserialization and Server Function request processing). A crafted HTTP request can trigger execution paths that allow an attacker to influence what the server loads or executes, resulting in pre-auth RCE. Once exploited, attackers can run system commands, drop backdoors, deploy crypto-miners, pivot laterally, and exfiltrate sensitive secrets such as application credentials and cloud tokens.
EXPOLITABILITY:
Affected versions include React Server Components packages in 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack). Exploitation is most likely when RSC/Server Function endpoints are exposed to the internet (commonly via frameworks and default configurations that enable RSC). Attackers typically exploit by sending crafted requests to these endpoints to trigger the vulnerable server-side processing.
BUSINESS IMPACT:
This is a “front door” server compromise risk. Successful exploitation can lead to complete application and infrastructure takeover, data theft (customer data, API keys, tokens), service disruption, supply-chain style abuse of trusted web properties, and persistent access via backdoors. For organizations, this can escalate into incident response events, regulatory exposure, reputational damage, and costly downtime—especially for customer-facing and revenue-generating services.
WORKAROUND:
If you cannot patch immediately:
- Temporarily disable or restrict React Server Components / Server Function endpoints (limit exposure to internal networks/VPN).
- Apply WAF / reverse-proxy filtering to block suspicious requests to RSC/Server Function routes.
- Reduce blast radius: run the service with least privilege, lock down outbound egress, and rotate sensitive secrets that may be exposed.
URGENCY:
This should be treated as an emergency change because it is CVSS 10.0, pre-auth RCE, and exploitation activity has been widely reported. Internet-facing RSC-enabled services are at immediate risk of automated scanning, mass exploitation, and rapid post-exploitation payload deployment (miners, credential theft, and persistent backdoors). Patch deployment and compensating controls should be prioritized ahead of routine change queues.
Apple
“This update shuts down serious security gaps while delivering meaningful upgrades users will notice immediately.”
Apple’s iOS 26.2 update is a high-impact platform release that combines critical security remediation with several usability and safety enhancements. The update is part of Apple’s broader 26.2 release cycle, which also includes updates for iPadOS, macOS, watchOS, visionOS, and tvOS.
On the security side, iOS 26.2 addresses more than 20 vulnerabilities across key system components, including WebKit, the kernel, and data handling frameworks. Notably, two WebKit vulnerabilities fixed in this release were confirmed to have been actively exploited in real-world attacks prior to patch availability.
CVE-2025-43529 (CVSS 7.8 – High) is a memory corruption vulnerability caused by improper handling of memory operations. This means that an attacker could deliver specially crafted web pages that, when viewed in Safari or any app using WebKit, could lead to the attacker running code on the device. This issue has been actively exploited in sophisticated attacks targeting specific individuals before the patch was released.
CVE-2025-14174 — WebKit Memory Corruption (High)
This WebKit memory corruption flaw is also addressed in the 26.2 updates. Like the use-after-free defect above, it can lead to memory corruption and potentially arbitrary code execution when WebKit processes malicious web content. This flaw has been observed in real-world exploitation as part of highly sophisticated attack chains.
They impact every Apple platform that runs WebKit, including Safari and any app that renders web content. Visiting a crafted web page or processing web content in an app could lead to device compromise if the system is not updated.
Apple strongly encourages rapid adoption of iOS 26.2, especially due to the presence of vulnerabilities that were already being exploited before this update was released.
Google Chrome
“These Chrome flaws weaken core browser protections and could let attackers run code, bypass security boundaries, or access sensitive data if left unpatched.”
This Google Chrome update resolves multiple high- and critical-severity vulnerabilities that impact how the browser enforces security boundaries, handles memory, and processes web content. Together, these issues increase the risk of code execution, privilege abuse, and data exposure, especially when users interact with malicious websites or extensions.
CVE-2026-0628 is a high-severity policy enforcement flaw in Chrome’s WebView component with a CVSS score of 8.8 (High). It allows a malicious extension to bypass security restrictions and inject arbitrary JavaScript or HTML into privileged internal browser pages. Proof-of-concept exploit code exists, raising the likelihood of abuse.
CVE-2025-14174 is a critical memory corruption vulnerability with a CVSS score of 9.8 (Critical). Successful exploitation could allow remote attackers to execute arbitrary code within the Chrome process, potentially leading to full browser compromise.
CVE-2025-14372 and CVE-2025-14373 are high-severity vulnerabilities related to improper input handling and memory safety issues, each with CVSS scores of 8.1 (High). These flaws could enable attackers to crash the browser, leak sensitive information, or execute unauthorized actions under certain conditions.
Google has released patches addressing all listed vulnerabilities in supported Chrome versions. Systems running unpatched versions remain exposed to serious browser-based attacks.
JumpCloud
“Local users can get SYSTEM privileges by abusing the Remote Assist uninstaller.”
JumpCloud Remote Assist for Windows contained a high-severity vulnerability (CVE-2025-34352, CVSS 8.5 – High) affecting versions prior to 0.317.0. The issue was caused by how the JumpCloud Windows Agent executed the Remote Assist uninstaller with SYSTEM-level privileges during uninstall or update processes. The uninstaller created and manipulated files in predictable, user-writable temporary directories without adequate security controls.
This design flaw allowed a local, low-privileged user to abuse directory junctions or symbolic links to redirect privileged file operations into protected system locations. As a result, an attacker could achieve arbitrary file creation, modification, or deletion, trigger denial-of-service conditions, or escalate privileges to full SYSTEM access. While no confirmed in-the-wild exploitation or public proof-of-concept code has been reported, the vulnerability presents a serious endpoint takeover risk if left unpatched.
JumpCloud has addressed the issue in Remote Assist version 0.317.0, which corrects how temporary paths and uninstall routines are handled under elevated privileges.
Fortinet
“These flaws let attackers skip the login entirely — turning SSO into an open door for full device control.”
Fortinet has released security patches addressing two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiGate and other Fortinet products when FortiCloud Single Sign-On (SSO) is enabled. The vulnerabilities are caused by improper cryptographic signature validation in SAML authentication, allowing a remote, unauthenticated attacker to bypass FortiCloud SSO protections using a specially crafted SAML response.
Both vulnerabilities are rated Critical, each with a CVSS score of 9.1. Successful exploitation allows attackers to gain administrative-level access without valid credentials. This level of access enables full control of the affected device, including configuration changes, data exposure, and potential lateral movement within the network. Fortinet has confirmed that these vulnerabilities have been exploited in real-world attacks, increasing the urgency of patch deployment.
The affected functionality is FortiCloud SSO login, which is disabled by default on new installations but may be enabled during device registration or operational configuration. Fortinet has issued firmware updates across impacted product lines, including FortiOS-based systems, to fully remediate the flaws.
Ivanti
“One poisoned data submission can silently turn an admin’s browser into the attacker’s control panel.”
Ivanti has released a security update to address CVE-2025-10573, a critical stored cross-site scripting (XSS) vulnerability affecting Ivanti Endpoint Manager (EPM). The flaw exists in the EPM web interface due to insufficient sanitization of incoming device scan data, allowing a remote, unauthenticated attacker to inject malicious JavaScript that becomes permanently stored on the server.
CVE-2025-10573 is rated Critical with a CVSS score of 9.6. An attacker can exploit this issue by submitting specially crafted scan or inventory data to the EPM server. When an administrator later views the affected dashboard or report, the injected script executes automatically in the admin’s browser context. This can lead to session hijacking, privilege escalation, unauthorized administrative actions, and potential full compromise of managed endpoints.
Although the exploit requires an administrator to view the affected page, no additional interaction is needed. The vulnerability is especially dangerous because it is unauthenticated and remotely exploitable, making it possible for attackers to plant malicious payloads without prior access. Ivanti has addressed the issue in Endpoint Manager 2024 SU4 SR1 and later.
FreePBX
“A perfect storm of bypass, SQL injection, and file upload flaws turns a business phone system into a remote execution gateway.”
FreePBX — the open-source PBX management platform widely used for VoIP telephony — has multiple high-severity vulnerabilities that can combine to allow unauthenticated attackers to fully compromise vulnerable systems. These issues have been remediated in recent FreePBX releases, but unpatched deployments remain at serious risk.
CVE-2025-66039 — Authentication Bypass (Critical, CVSS ~9.3):
When FreePBX is configured with the non-default “webserver” authentication type, the system trusts any HTTP Authorization header containing a username without validating the password. This flaw lets remote attackers access privileged administrative endpoints with only a guessed or known username, effectively bypassing authentication entirely. Once inside, other vulnerabilities become fully exploitable.
CVE-2025-61675 — Multiple SQL Injection (High, CVSS ~8.6):
The Endpoint Manager module in older FreePBX versions contains multiple SQL injection points across basestation, firmware, model, and custom extension endpoints. An authenticated session (or an authentication bypass) can reach these injection points, allowing an attacker to read, modify, or inject arbitrary SQL into the PBX database, including creating administrative users or planting malicious entries.
CVE-2025-61678 — Arbitrary File Upload → Remote Code Execution (High, CVSS ~8.3):
Also in the Endpoint Manager firmware upload functionality, FreePBX fails to validate upload paths and contents. This allows attackers to upload arbitrary files, such as PHP webshells, to the server’s web directories. When chained with an authentication bypass, this directly leads to remote code execution (RCE) on the underlying server process.
Together these issues form a chainable attack path:
Authentication bypass → SQL injection → arbitrary file upload → RCE — giving full system control to attackers on vulnerable installations. Patches for these CVEs are included in FreePBX versions 16.0.42, 16.0.92, 17.0.6, and 17.0.22 or later; upgrading to those or newer versions eliminates the known exploit vectors. Administrators should also avoid using the legacy webserver authentication type and ensure endpoint modules are updated.
SAP
“Three critical flaws inside SAP’s core platforms can turn trusted enterprise systems into full takeover points.”
SAP has released security updates addressing three critical vulnerabilities — CVE-2025-42880, CVE-2025-55754, and CVE-2025-42928 — affecting widely deployed SAP enterprise components. These flaws impact SAP Solution Manager, SAP Commerce Cloud, and SAP jConnect for ASE, and collectively expose organizations to code execution, system compromise, and loss of control over core business infrastructure.
CVE-2025-42880 is a critical code injection vulnerability in SAP Solution Manager (ST 720) caused by missing input validation in a remotely accessible function. An authenticated attacker can inject and execute arbitrary code, potentially leading to full compromise of the Solution Manager system and downstream SAP environments it manages. This vulnerability carries a CVSS score of 9.9 (Critical).
CVE-2025-55754 affects SAP Commerce Cloud deployments using bundled Apache Tomcat components. The flaw allows attackers to exploit weaknesses in server handling of crafted input, potentially resulting in remote code execution or manipulation of backend processes supporting e-commerce operations. This vulnerability is rated Critical with a CVSS score of 9.6.
CVE-2025-42928 is a deserialization vulnerability in SAP jConnect for Sybase ASE. A high-privileged user can supply crafted serialized input that is processed insecurely, potentially allowing arbitrary code execution within connected applications. This issue has a CVSS score of 9.1 (Critical) and poses significant risk in integrated SAP environments.
All three vulnerabilities have been fully patched by SAP as part of recent security updates. Due to the central role these components play in enterprise operations, successful exploitation could result in business disruption, data exposure, and complete system control if left unpatched.
WordPress
“An unguarded upload feature turns a trusted WordPress directory plugin into a secret door — letting attackers drop files straight onto your server.”
The WP Directory Kit WordPress plugin contains a critical arbitrary file upload vulnerability, tracked as CVE-2025-13390, that can allow unauthenticated attackers to upload and execute malicious files on vulnerable sites. The flaw exists because the plugin fails to properly validate uploaded files, letting attackers bypass file type and path restrictions. This can lead to malware installation, web shell deployment, or full site takeover.
CVE-2025-13390 is rated Critical with a CVSS score of 9.8 due to the ease of exploitation and the severe consequences of successful attacks. An attacker only needs to send a crafted HTTP request to the vulnerable upload endpoint; no authentication or elevated privileges are required. Once a malicious file (such as a PHP web shell) is placed on the server, the attacker can execute arbitrary commands, manipulate site content, access stored data, or pivot deeper into the hosting environment.
Site owners and administrators using WP Directory Kit should update to the patched plugin version immediately. If a patch cannot be applied right away, it’s crucial to disable the plugin and restrict access to the upload endpoints until remediation is in place.
WatchGuard
“These flaws turn trusted firewall features into high-risk attack paths that can shut down VPNs or allow dangerous command execution.”
WatchGuard released security updates for Firebox appliances and Fireware OS to address four high-severity vulnerabilities affecting firewall management and VPN services. The issues impact multiple Fireware OS versions and are fixed in updated releases provided by WatchGuard.
Two vulnerabilities, CVE-2025-12195 and CVE-2025-12196, both have a CVSS score of 8.6 (High). They are caused by out-of-bounds write flaws in Fireware OS command-line interface handling, including IPSec configuration and ping commands. An authenticated user with high privileges could exploit these flaws to execute arbitrary code on the device, potentially gaining full control of the firewall.
CVE-2025-12026, also rated High with a CVSS score of 8.6, is an out-of-bounds write vulnerability in the Fireware certificate handling service. A privileged authenticated attacker could send crafted certificate requests and execute arbitrary commands, putting sensitive firewall and network configurations at risk.
CVE-2025-11838 carries a CVSS score of 8.7 (High) and affects the IKEv2 daemon used for VPN connections. This issue can be triggered without authentication and may cause memory corruption leading to a Denial-of-Service condition, disrupting Mobile User VPN and Branch Office VPN connections. This increases the risk of widespread connectivity outages.
There are no confirmed reports of real-world exploitation or public proof-of-concept code at this time. However, the combination of remote code execution and unauthenticated VPN disruption makes these vulnerabilities a serious threat if left unpatched.
SonicWall
“This flaw allows attackers to slip past SonicWall authentication checks and gain access to protected systems.”
CVE-2025-40602 is a high-severity authentication bypass vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances. The issue stems from improper validation during the authentication process, which can allow a remote attacker to bypass login controls under certain conditions. If successfully exploited, this vulnerability could grant unauthorized access to internal resources that are normally restricted to authenticated users. The vulnerability carries a high severity rating, reflecting the serious risk to enterprise networks.
At this time, there are no confirmed reports of widespread real-world exploitation, but proof-of-concept techniques have demonstrated how attackers could abuse the weakness to bypass authentication protections. Given SonicWall SMA’s role in providing remote access to sensitive corporate environments, successful exploitation could lead to data exposure, lateral movement within networks, or follow-on attacks such as credential harvesting and ransomware deployment.
SonicWall has released patches to address CVE-2025-40602 by strengthening authentication validation logic. Organizations running affected SMA versions remain exposed until updates are applied, making timely patching critical to maintaining secure remote access infrastructure.
Jenkins
“A flaw in Jenkins’ CLI lets bad actors freeze your automation server without needing any credentials.”
Jenkins, the widely used open-source automation server for building, testing, and deploying software, contains a high-severity denial-of-service vulnerability in its HTTP-based Command Line Interface (CLI) implementation in versions 2.540 and earlier, including LTS 2.528.2 and earlier. The issue arises because the server fails to properly close corrupted HTTP CLI connections, leading to resource exhaustion when threads hang indefinitely handling these malformed streams. This can allow unauthenticated attackers on the network to trigger a denial of service, making the Jenkins instance unavailable for legitimate users. The CVSS v3.1 score for CVE-2025-67635 is 7.5 (High) due to its ease of exploitation (no privileges or user interaction required) and significant impact on availability.
This vulnerability has no proof of active exploit in the wild yet, but its characteristics (remote, unauthenticated DoS) make it a serious risk, especially for internet-facing Jenkins servers. The Jenkins project has released patched versions that address this flaw: users should upgrade core to Jenkins 2.541 or LTS 2.528.3 (or later) to ensure the issue is resolved.
GitLab
“Four high-severity flaws in GitLab can let attackers inject malicious content or disrupt services if systems are left unpatched.”
GitLab released important security updates to address four high-severity vulnerabilities affecting both GitLab Community Edition (CE) and Enterprise Edition (EE) on self-managed installations. These issues impact core web features and could allow attackers to run malicious scripts in users’ browsers or degrade the availability of GitLab services. Systems running vulnerable versions face real risk to confidentiality, integrity, and availability.
The update covers the following vulnerabilities:
- CVE-2025-12716 (CVSS 8.7 – High) — A cross-site scripting flaw in the Wiki feature that allows an authenticated user to inject malicious content, potentially executing actions in another user’s session.
- CVE-2025-8405 (CVSS 8.7 – High) — An XSS issue in vulnerability report rendering, where improper output handling allows injected HTML or scripts to run when viewed by other users.
- CVE-2025-12029 (CVSS 8.0 – High) — A cross-site scripting vulnerability in Swagger UI that may allow malicious scripts to load in the API documentation interface, expanding the attack surface to unauthenticated users in some configurations.
- CVE-2025-12562 (CVSS 7.5 – High) — A denial-of-service vulnerability in GraphQL endpoints where crafted queries can bypass complexity limits and exhaust server resources.
These vulnerabilities are fixed in GitLab 18.4.6, 18.5.4, and 18.6.2 and later. There are no confirmed reports of active exploitation or zero-day use at this time, but the affected components are commonly exposed and frequently targeted, making timely patching critical.
Apache Struts
“A flaw in Struts 2 file upload handling lets attackers slowly fill your disk and take the service offline.”
CVE-2025-64775 is a high-severity denial-of-service vulnerability affecting Apache Struts 2, a widely used Java web application framework. The issue exists in the multipart request handling logic, where temporary files created during file uploads are not properly cleaned up. An attacker can repeatedly send crafted upload requests, leaving behind orphaned temporary files that consume disk space until the application or underlying system becomes unavailable.
This vulnerability affects Apache Struts 2 versions 2.0.0 through 6.7.0, as well as Struts 7.0.0 through 7.0.3. The CVSS score is 7.5 (High) because the attack can be performed remotely, without authentication, and directly impacts system availability. While it does not expose or alter data, the operational impact can be severe, especially for production and customer-facing applications.
There are no confirmed reports of real-world exploitation or zero-day attacks at this time. However, the attack is straightforward and requires only repeated requests, making unpatched systems an easy target for service disruption. The issue is fully addressed by upgrading to Apache Struts 6.8.0 or later, or Struts 7.1.1 or later.
Google Chrome Password Manager
“Two memory corruption bugs in Chrome could let crafted web content hijack your browser’s defenses and run harmful actions.”
Google has released updates for Google Chrome that fix CVE-2025-14372 and CVE-2025-14373, both memory corruption vulnerabilities that could be triggered by malicious web content. These types of flaws occur when the browser incorrectly manages memory, which attackers can sometimes abuse to alter program flow or crash the browser.
- CVE-2025-14372 is a use-after-free issue in the Password Manager component. Attackers could craft web content that manipulates memory so freed objects get reused in unsafe ways. If successfully exploited, this could allow breaking out of the browser’s security sandbox and executing further actions beyond what normal web pages should be able to do.
- CVE-2025-14373 is a similar memory handling error in the navigation component that processes how Chrome loads and displays web pages. A successful attack here could also lead to unexpected behavior like crashes or exploitation of memory to influence program execution.
Both issues are addressed in the latest Chrome releases; updating to Chrome version 143.0.7499.110 or later ensures these bugs are fixed. While these flaws have not been widely observed in real-world attacks at the time of the patch release, memory corruption bugs are a common target for attackers because they can escalate impact from mere crashes to full compromise in certain scenarios.
Upgrading Chrome across all devices and ensuring downstream Chromium-based browsers have incorporated these fixes is important to maintain a secure browsing environment.
Microsoft Office for Mac
“A single malicious Office file could silently open the door to full system compromise if these flaws are left unpatched.”
Microsoft has released security updates for Microsoft Office addressing multiple vulnerabilities, including CVE-2025-62554, CVE-2025-62555, CVE-2025-62556, CVE-2025-62557, CVE-2025-62558, CVE-2025-62559, CVE-2025-62560, CVE-2025-62561, CVE-2025-62562, and CVE-2025-62564. These issues affect several Office components such as Word, Excel, Outlook, and shared Office libraries. Most of the vulnerabilities stem from improper memory handling, including use-after-free and type confusion bugs, which attackers can exploit using specially crafted documents.
Several of these flaws allow remote code execution, meaning an attacker could run arbitrary code with the same privileges as the logged-in user simply by convincing them to open a malicious file or preview content. The most serious issues are rated High severity, with CVSS scores ranging from approximately 7.8 to 8.8, reflecting the significant risk to confidentiality, integrity, and availability. While no confirmed active exploitation or zero-day abuse was reported at the time of release, the nature of these bugs makes them attractive targets for future attacks, especially in phishing campaigns.
The updates fully remediate these vulnerabilities across supported Office versions. Systems that have not applied the latest Office security updates remain exposed to document-based attacks that could lead to data theft, malware installation, or complete user-level compromise.
Cisco
“A flaw in email processing could allow attackers to disrupt or compromise email security systems if left unpatched.”
Cisco has released a security update for Cisco AsyncOS Email Security Appliances to address CVE-2025-20393. This vulnerability affects how the appliance handles certain email or message processing functions. Improper input validation can allow a remote, unauthenticated attacker to trigger unexpected behavior by sending specially crafted email traffic to the affected system.
CVE-2025-20393 is rated High severity with a CVSS score of 8.1. Successful exploitation could lead to denial of service or potentially allow an attacker to impact core email security functions, interrupting message filtering, scanning, or delivery. This creates a serious operational risk, especially for organizations that rely on these appliances as a frontline defense against phishing and malware. At the time of the patch release, there were no confirmed reports of active exploitation or zero-day abuse.
Cisco has confirmed that applying the updated AsyncOS software fully addresses the vulnerability. Systems that are not updated remain exposed to crafted email-based attacks that could degrade or disable critical email security services.
HPE
“An attacker could remotely break into your management system and run any code they want — that’s as serious as it gets.”
HPE has released a patch for a critical remote code execution vulnerability affecting HPE OneView infrastructure management software. The issue, tracked as CVE-2025-37164, carries a CVSS score of 10.0 (Critical). It allows an unauthenticated remote attacker to send specially crafted requests that can result in arbitrary code execution with elevated privileges. A successful exploit could give an attacker full control over the OneView appliance and the infrastructure it manages.
The vulnerability impacts HPE OneView versions prior to 11.00. HPE has addressed the issue by releasing OneView v11.00 and providing security fixes for supported earlier releases. There are no workarounds or mitigations available other than applying the official patch. At this time, there are no confirmed reports of active exploitation or publicly available proof-of-concept code, but the severity and low attack complexity make this a high-risk issue if left unpatched.
Apache Commons Text
“A hidden risk in text handling can let attackers take control of your system.”
CVE-2025-46295 in Apache Commons Text lets untrusted data trigger dangerous actions inside applications, potentially giving attackers full remote control. This flaw affects older versions of the library and has been fixed in safe releases — updating is urgent for anyone using it in production.
CVE-2025-46295 is a critical remote code execution (RCE) vulnerability in Apache Commons Text, a widely used Java library for string manipulation. Versions before 1.10.0 included interpolation mechanisms that could be misused when applications passed untrusted input into text substitution APIs. In such cases, maliciously crafted input could instruct the library to execute system-level commands or access external resources, effectively allowing attackers to run arbitrary code on affected systems. The CVSS score is 9.8 (Critical), reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability.
This vulnerability is similar in nature to other dangerous “text interpolation” flaws in the past and highlights how powerful features, if not properly guarded, can become serious security holes. In practical terms, if your application or a third-party service you run incorporates a vulnerable Commons Text version and processes user-controlled data through its interpolation features, you could be exposed to a full system compromise without authentication or user interaction.
The issue has been addressed by updating Apache Commons Text itself and by vendors that embed it — for example, FileMaker Server 22.0.4 and later include a patched version (Commons Text 1.14.0) that removes or secures the dangerous behavior. Ensure all dependencies using this library are updated to at least 1.10.0 or higher to close this hole.
ConnectWise
“When anyone can trick a support session into trusting them, attackers can sneak in and take over systems without a password.”
CVE-2025-14265 lets unauthenticated attackers bypass login protections and potentially run arbitrary code on systems running vulnerable versions of ConnectWise ScreenConnect (now called ConnectWise Control). This is a high-impact flaw that threatens remote support infrastructure if left unpatched.
CVE-2025-14265 is a critical authentication bypass and remote code execution vulnerability in ConnectWise ScreenConnect / ConnectWise Control — a widely deployed remote support and remote access platform. The flaw allows attackers to skip authentication entirely and interact with internal APIs that should be guarded, giving them the ability to initiate support sessions, upload malicious payloads, or execute commands with the rights of the ScreenConnect service. Because ScreenConnect is often installed on systems that need remote control or assistance, exploitation could let attackers pivot into broader networks once access is achieved.
The severity of this issue is high — attackers can leverage it without valid credentials, and there’s a potential path from simply establishing an unauthorized session into remote code execution on the host running ScreenConnect. This kind of gap undermines one of the core security guarantees of the product: that only authorized support staff can control remote machines.
There are confirmed proof-of-concept exploits circulating privately shortly after public disclosure, and several security teams have reported in-the-wild scanning and targeting of exposed ScreenConnect servers. Organizations using ScreenConnect, especially on public-facing endpoints or in DMZs, should assume they are at real risk until updated.
ConnectWise has released patched versions that close this bypass and harden access controls. Administrators must update ScreenConnect / ConnectWise Control to the fixed release immediately, restrict access to management interfaces, and review logs for suspicious session activity.
FreeBSD
“A single malicious IPv6 packet on the local network can quietly turn a trusted FreeBSD system into an attacker-controlled machine.”
CVE-2025-14558 exposes FreeBSD systems to remote code execution through unsafe handling of IPv6 router advertisements. If left unpatched, attackers on the same network can execute commands with elevated privileges, leading to full system compromise.
CVE-2025-14558 is a critical remote code execution vulnerability in FreeBSD related to how the operating system processes IPv6 Router Advertisement (RA) messages. The flaw exists in the rtsol and rtsold utilities used for IPv6 Stateless Address Autoconfiguration. When these components process certain RA options, untrusted input is passed into system configuration scripts without proper validation or escaping. This allows a local network attacker to inject and execute arbitrary shell commands. The vulnerability carries a CVSS score of 9.8 (Critical).
The attack is limited to systems that have IPv6 enabled and are configured to accept router advertisements, but within that scope the impact is severe. An attacker on the same LAN — such as a shared office network, cloud subnet, or public Wi-Fi — could gain full control of the affected system. Proof-of-concept exploit code exists, demonstrating reliable command execution via crafted IPv6 packets. There is no indication that this was used as a zero-day, but the simplicity of exploitation raises serious concern.
FreeBSD has released security patches for supported versions, correcting the unsafe input handling and preventing command injection. Systems running patched releases are no longer vulnerable.
Microsoft Visual Studio
“This patch fixes a dangerous command injection flaw that could let attackers run code remotely and take over a developer’s environment.”
Microsoft published a security update addressing a serious remote code execution issue tracked as CVE-2025-55319, affecting Agentic AI components and Visual Studio Code. This vulnerability is due to an AI command injection flaw that could allow an unauthenticated attacker on a network to manipulate input processed by the Agentic AI features and force unexpected commands to run within VS Code. The flaw stems from improper sanitization of externally controlled input, allowing attackers to influence commands executed by the IDE’s AI tooling.
The vulnerability was widely reported in September 2025 and carries a CVSS v3.1 score of 8.8 (High), reflecting a network-accessible attack vector with low complexity and no required privileges, though user interaction is needed. Successful exploitation could lead to arbitrary code execution, compromise of developer workstations, unauthorized access to source code, and potential lateral movement within an organization’s network. Researchers and security trackers have not observed public proof-of-concept exploits or real-world exploitation campaigns specifically tied to this CVE at the time of disclosure, but the nature of the flaw places it among high-impact issues that merit immediate attention.
Microsoft’s update in Visual Studio Code version 1.104.0 and later includes the fix for this issue, and users are strongly encouraged to update to that version or newer to mitigate the risk. The fix closes the command injection vector by improving input handling and AI extension command execution safeguards. Developers using agentic AI extensions should also review their configuration and restrict untrusted content exposure.
Microsoft Azure Container Apps
“This patch closes a critical gap that could let attackers run their own code inside Azure Container Apps, putting cloud workloads at serious risk.”
Microsoft addressed CVE-2025-65037, a critical remote code execution vulnerability in Azure Container Apps. The issue is caused by improper handling of code generation, allowing code injection through specially crafted network requests. An attacker does not need authentication or prior access to exploit this flaw, making it especially dangerous in exposed environments.
This vulnerability has a CVSS score of 10.0 (Critical), reflecting the highest level of severity. Successful exploitation could give attackers full control over affected container applications, leading to data theft, service disruption, or complete compromise of cloud workloads. The impact spans confidentiality, integrity, and availability.
At this time, there is no confirmed evidence of real-world exploitation or public proof-of-concept code, but the simplicity of the attack and the critical rating mean the risk is immediate. Microsoft has released a patch to address this issue, and environments running Azure Container Apps should ensure the fix is applied without delay.
Microsoft Partner Center
“This patch shuts down a critical access flaw that could let attackers gain powerful control over partner environments.”
Microsoft released a security update to address CVE-2025-65041, a critical improper authorization vulnerability in Microsoft Partner Center. The flaw could allow an attacker to bypass permission checks and escalate privileges beyond their intended role, potentially gaining administrative-level access within Partner Center. This creates a serious risk to partner-managed environments and customer data.
CVE-2025-65041 carries a CVSS score of 10.0 (Critical). The vulnerability is remotely exploitable, requires no authentication, and does not require user interaction. If exploited, an attacker could modify partner configurations, access sensitive information, or disrupt services managed through the platform. At the time of disclosure, there were no confirmed real-world attacks or public proof-of-concept exploits associated with this issue.
Microsoft has mitigated the vulnerability through a service-side update to Microsoft Partner Center. No customer action is required beyond ensuring normal access controls and monitoring practices remain in place.
n8n
“This patch shuts down a critical flaw that could allow attackers to run their own code and fully take over an automation server.”
n8n released a security update to address CVE-2025-68613, a critical remote code execution vulnerability in the n8n workflow automation platform. The issue stems from unsafe handling of workflow expressions, where attacker-controlled input could be evaluated in a way that allows arbitrary system-level code execution. An attacker with access to create or modify workflows could exploit this flaw to execute commands with the same privileges as the n8n service.
CVE-2025-68613 is rated Critical with a CVSS score of 9.9. The vulnerability enables complete compromise of the affected n8n instance, including access to sensitive data, connected services, credentials, and automation logic. In shared or team-based environments, this significantly increases risk, as multiple users may have workflow editing permissions. At the time of disclosure, there were no confirmed real-world attacks or publicly available exploit code reported.
The vulnerability has been resolved in updated versions of n8n, where expression evaluation has been hardened to prevent unauthorized code execution and isolate workflow logic from the underlying system.
MongoDB
“This flaw allows attackers to quietly pull sensitive data straight from MongoDB’s memory, without ever logging in.”
CVE-2025-14847, commonly known as MongoBleed, is a high-severity vulnerability in MongoDB Server with a CVSS score of 8.7 (High). The issue is caused by improper handling of zlib-compressed network data, which can lead MongoDB to return uninitialized heap memory instead of valid responses. Because this flaw can be triggered before authentication, a remote attacker can exploit it without credentials.
If successfully exploited, this vulnerability may expose passwords, authentication tokens, encryption keys, or other sensitive data residing in server memory. Public proof-of-concept exploit code exists, and real-world exploitation has been observed, increasing the risk for internet-facing MongoDB deployments. MongoDB has released patched versions to address the issue across affected supported releases.
IBM API
“If API management controls fail, every connected service is suddenly at risk.”
This patch addresses a critical vulnerability in IBM API Connect that could allow attackers to bypass authentication controls under specific conditions. The flaw exists in how the platform validates access to certain management or API endpoints, potentially allowing unauthorized users to interact with protected services. Because API Connect often sits at the center of enterprise integrations, this issue poses a serious risk to downstream systems and sensitive data.
The vulnerability is tracked as CVE-2025-13915 and carries a CVSS score of 9.8 (Critical severity). The issue is remotely exploitable and does not require prior authentication, significantly increasing its potential impact. Successful exploitation could allow attackers to access, manipulate, or disrupt APIs managed by the platform. There are no confirmed reports that this vulnerability was exploited as a zero-day at the time of disclosure.
IBM released patches that strengthen authentication and access validation logic within affected API Connect components. Applying the update restores proper security checks and prevents unauthorized access to managed APIs and administrative functions.
Ragic
“One critical flaw can expose everything, while a second weakness makes abuse even easier.”
This patch addresses multiple security vulnerabilities in Ragic Enterprise Cloud Database that impact how the platform enforces access controls and validates requests. Because Ragic is used to store and manage business-critical data, weaknesses in these areas can lead to unauthorized data access, data manipulation, or broader system exposure.
The most severe issue, CVE-2025-15016, is rated Critical with a CVSS score of 9.8. It involves improper authorization enforcement that could allow unauthenticated attackers to access restricted database resources remotely. The second issue, CVE-2025-15015, carries a CVSS score of 7.5 (High severity) and relates to insufficient request validation that could be abused to access or modify data beyond intended permissions.
Both vulnerabilities are remotely exploitable, increasing overall risk.
Ragic has released patches that strengthen authorization checks and improve request validation across affected Enterprise Cloud Database components. Applying the updates closes these security gaps and helps protect sensitive customer data from unauthorized access.
Microsoft MSMQ
“This update closed serious security gaps, but for many organizations it quietly broke the messaging backbone their systems rely on.”
KB5071546 is a December 2025 extended security update for Windows 10 that includes multiple security fixes and quality improvements. While the update was intended to strengthen system security, it introduced a regression affecting Microsoft Message Queuing (MSMQ), a core Windows component used by many enterprise applications for reliable message delivery.
The update addressed dozens of security vulnerabilities across Windows, including several high-impact issues. One of the vulnerabilities relevant to MSMQ is CVE-2025-62455, a local elevation-of-privilege flaw with a CVSS score of 7.8 (High). This vulnerability could allow an authenticated user to gain higher system privileges. There is no confirmed evidence of real-world exploitation or public proof-of-concept code for this issue.
After installation, many systems experienced MSMQ failures, including inactive queues, application crashes, and errors indicating insufficient system resources. These problems were traced to changes in MSMQ folder permissions introduced by the update, which prevented required service accounts from writing to MSMQ storage locations. As a result, business-critical applications that depend on MSMQ stopped functioning as expected.
Trend Micro
“These Trend Micro flaws expose security software itself to attack—turning a trusted defense tool into a possible entry point for attackers.”
This Trend Micro update addresses multiple critical and high-severity vulnerabilities affecting core components of the product. The flaws could allow attackers to execute arbitrary code, escalate privileges, or interfere with security controls, significantly weakening system defenses if left unpatched.
CVE-2025-69258 is a critical vulnerability with a CVSS score of 9.8 (Critical). The issue stems from improper handling of user-supplied input, which could allow an attacker to execute arbitrary code with elevated privileges. Successful exploitation could lead to full system compromise.
CVE-2025-69259 is a high-severity vulnerability with a CVSS score of 8.6 (High). This flaw allows attackers to bypass security restrictions and manipulate protected application components, potentially disabling safeguards or accessing sensitive data.
CVE-2025-69260 is another high-severity vulnerability, carrying a CVSS score of 8.4 (High). It involves improper validation that could result in unauthorized actions, application instability, or privilege abuse under certain conditions.
Trend Micro has released patches to address these issues. Systems running affected versions without updates remain at risk, particularly because these flaws target security software that often runs with elevated permissions.
Veeam
“A flaw lets attackers skip authentication and run privileged actions.”
This update fixes a critical authentication bypass vulnerability in Veeam Backup & Replication tracked as CVE-2025-59470, with a CVSS score of 9.8 (Critical). The issue stems from improper validation of user credentials in one of the product’s network-facing services. An attacker who can reach the service could exploit the flaw to skip normal authentication checks and perform actions with elevated privileges. Depending on configuration, that can mean reading, modifying, or deleting backups and backup infrastructure settings.
There are indications that proof-of-concept exploits exist, making this vulnerability easier for attackers to leverage in the wild. Because Veeam often runs with high privileges and protects critical data, successful exploitation can result in loss of backup integrity, data exposure, or denial of recovery operations.
Veeam has released patches that address this issue. Unpatched systems remain at high risk, especially in environments where backup services are reachable from untrusted networks.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.
