<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Patch Management</title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/topics/patch-management/rss" /><link>https://www.ivanti.com/blog/topics/patch-management</link><item><guid isPermaLink="false">1c8ff1fb-4b1f-4f6d-93a5-1e1eb9619ac2</guid><link>https://www.ivanti.com/blog/april-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>April 2026 Patch Tuesday</title><description>&lt;p&gt;The lead up to Patch Tuesday has been interesting. We had a Google Chrome zero-day (CVE-2026-5281) that was patched on April 1, an Adobe Acrobat Reader zero-day (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) late in the day on Friday April 10, and several older CVEs that were added to the CISA KEV list yesterday (&lt;a href="https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;April 13&lt;/a&gt;). All of this amidst a lot of industry buzz about Anthropic Mythos and &lt;a href="https://www.anthropic.com/glasswing" rel="noopener" target="_blank"&gt;Project Glasswing&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;What is the correlation between these events and Project Glasswing you ask? Most of the discussions around Mythos have been focused on where it will be used and the ramifications.&lt;/p&gt;

&lt;p&gt;Finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released. However, it will also be used by researchers and threat actors to find flaws in code that is already released and that is where my speculation is directed.&lt;/p&gt;

&lt;p&gt;Consider the knock-on effects of a massive model like Mythos and what it will mean near term and longer term for the software that companies consume. Near term you will have the big players using a solution like this to release more secure code. As researchers and threat actors adopt more robust AI models to identify exploitable flaws this will result in more coordinated disclosures (good), zero-day exploits (bad) and n-day exploits (bad). All of this will result in more frequent, and more importantly, urgent software updates.&lt;/p&gt;

&lt;p&gt;Many organizations currently struggle to keep up with priority updates resolving exploited vulnerabilities when they occur outside of their normal monthly maintenance. I suspect most organizations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update yesterday. This means that threat actors had another 2-3 days of free rein to exploit CVE-2026-34621 before most organizations became aware, and many of those organizations will likely handle the update as part of their regular maintenance that is starting today on Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Browser security updates are a weekly occurrence. Many other applications that users rely on regularly release updates on a continuous cadence, not a set monthly release date. This means many of the user-targeted exploits are going to occur in software that is releasing outside of the average organization's maintenance schedules, and that frequency is about to increase. It is hard to say if that increase is going to be 1.5x or 5x, but rest assured that the increase will be noticeable and will exacerbate a challenge that most organizations already struggle with – timely patch management.&lt;/p&gt;

&lt;p&gt;Enter Exposure Management. This is really a mindset and maturity change as much as a technology evolution. The mindset change requires us to consider a world where we need to make the decisions up front and monitor those decisions. This is called defining your Risk Appetite and monitoring your Risk Posture. Doing this effectively matures an organization’s response to risks and makes remediation activities much more clear cut.&lt;/p&gt;

&lt;p&gt;The technology evolution requires the traditional vulnerability assessment technologies to integrate into a broader ecosystem where asset visibility or system of record comes together with vulnerability assessment and vulnerability intelligence solutions to refine when risks require more immediate action vs waiting for your regular maintenance activities to occur. Most important is the need for this tech stack to be integrated with your AEM (Autonomous Endpoint Management) platform as this is where remediation predominantly (and automatically) occurs.&lt;/p&gt;

&lt;p&gt;Now, back to our regularly scheduled Patch Tuesday update. Microsoft has resolved 169 CVEs this month, which is a massive Patch Tuesday lineup. April Patch Tuesday is the second-largest Patch Tuesday on record behind the October 2025 Patch Tuesday, which resolved 175 CVEs. The lineup includes one zero-day exploit (CVE-2026-32201) and one public disclosure (CVE-2026-33825) and breaks down into 8 Critical, 156 Important, 3 Moderate and 1 Low severity.&lt;/p&gt;

&lt;p&gt;The zero-day CVE is in Microsoft SharePoint and the public disclosure is in Microsoft Defender making those two updates the most urgent for this month in addition to the Adobe Acrobat and Google Chrome updates leading up to Patch Tuesday.&lt;/p&gt;

&lt;h2&gt;Microsoft’s known exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Server Spoofing Vulnerability in Microsoft SharePoint (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.5, but it has been confirmed to be exploited in the wild. An attacker who successfully exploits this vulnerability can view sensitive information and make changes to the disclosed information. The vulnerability affects SharePoint server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege Vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825" rel="noopener" target="_blank"&gt;CVE-2026-33825&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but has been publicly disclosed. The CVE lists exploit code maturity as Proof-of-Concept, which puts this at a higher risk of exploitation. An authorized attacker could use this vulnerability to elevate their privileges to SYSTEM on the local machine.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for April. The update affects Ivanti Neurons for ITSM and resolves two CVEs. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/april-2026-security-update"&gt;April Security Advisory&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released twelve updates this month, eleven of which released on Patch Tuesday and the zero-day update for Acrobat that released on Friday, April 10. 54 CVEs were resolved with a breakdown of 39 Critical, 13 Important and 2 Moderate. APSB26-43 resolved the zero-day exploit (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;April update to-do list&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe Acrobat (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) and Google Chrome (CVE-2026-5281) each had zero-day exploits leading up to Patch Tuesday. Ensure that you are prioritizing remediation of these two products to the latest version.&lt;/li&gt;
	&lt;li&gt;Microsoft SharePoint includes a zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;) and should be investigated as a priority especially if you have known update challenges with your SharePoint environments.&lt;/li&gt;
	&lt;li&gt;The Microsoft Windows OS update this month resolves 133 CVEs (depending on edition) and includes 4 Critical CVEs. This update will resolve a significant number of findings across your environment.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Apr 2026 22:51:36 Z</pubDate></item><item><guid isPermaLink="false">102f3f22-125a-4763-b596-62b424778efc</guid><link>https://www.ivanti.com/blog/autonomous-endpoint-management-eliminates-patch-silos</link><atom:author><atom:name>Aruna Kureti</atom:name><atom:uri>https://www.ivanti.com/blog/authors/aruna-kureti</atom:uri></atom:author><category>Artificial Intelligence</category><category>Patch Management</category><title>How AI-Driven Automation Solves Patch Management Silos</title><description>&lt;p&gt;&lt;em&gt;"We see 10,000&amp;nbsp;critical vulnerabilities!"&amp;nbsp;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;"We patched everything last week!"&amp;nbsp;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;This conversation happens in enterprise IT departments every single day. Security teams present dashboards filled with red alerts. IT teams show deployment reports at 98% success. Both teams are looking at real data.&amp;nbsp;Both are absolutely correct.&amp;nbsp;And both are&amp;nbsp;totally&amp;nbsp;blind to what's actually happening across the endpoint environment.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This&amp;nbsp;isn't&amp;nbsp;a&amp;nbsp;people&amp;nbsp;problem — your teams&amp;nbsp;aren't&amp;nbsp;incompetent.&amp;nbsp;It's&amp;nbsp;not a process problem — your workflows&amp;nbsp;aren't&amp;nbsp;broken.&amp;nbsp;It's&amp;nbsp;a technology problem:&amp;nbsp;you're&amp;nbsp;asking two teams to manage the same risk using systems that&amp;nbsp;show them different realities.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Security teams are given one version of reality through vulnerability scanners and threat intelligence. Meanwhile, IT teams see things differently when looking at their device management and patch deployment reports.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The tricky part is that both views can be&amp;nbsp;correct&amp;nbsp;in isolation and&amp;nbsp;still&amp;nbsp;be&amp;nbsp;misleading&amp;nbsp;in practice.&amp;nbsp;That's&amp;nbsp;how you end up in the familiar stalemate: security reports thousands of critical vulnerabilities; IT reports that patches are successfully deployed. The disconnect lives in the gap between those systems.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Why&amp;nbsp;IT&amp;nbsp;and&amp;nbsp;security&amp;nbsp;are misaligned on patching&amp;nbsp;&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Most organizations approach&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/endpoint-management-ownership-it-security-governance"&gt;patching misalignment between IT and security&lt;/a&gt;&amp;nbsp;by improving communication between IT and security. They schedule more meetings. They create escalation paths. They implement SLAs. And six months later,&amp;nbsp;they're&amp;nbsp;having the exact same argument with better PowerPoint slides.&lt;/p&gt;

&lt;p&gt;Here's&amp;nbsp;what nobody wants to admit:&amp;nbsp;you&amp;nbsp;can't&amp;nbsp;collaborate your way out of a data fragmentation problem. When IT and security are working from fundamentally different inventories of what exists,&amp;nbsp;what's&amp;nbsp;vulnerable&amp;nbsp;and&amp;nbsp;what's&amp;nbsp;been fixed, adding more coordination overhead just slows down an already broken process.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is why the same conversation plays out again and again inside many organizations.&amp;nbsp;Both teams are confident in their data, and both are “right” within the narrow context of the tools they rely on.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;And&amp;nbsp;that’s&amp;nbsp;the problem. While both views are “right,” neither reflects the full lifecycle of risk. Vulnerability data&amp;nbsp;doesn’t&amp;nbsp;always reflect whether affected devices are managed or reachable. Patch reports&amp;nbsp;don’t&amp;nbsp;always account for unmanaged,&amp;nbsp;misclassified&amp;nbsp;or&amp;nbsp;newly discovered endpoints that still have access to corporate resources.&amp;nbsp;What’s missing is a reliable answer to the only question that actually matters: which endpoints are exposed right now?&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Technology silos create conflicting realities&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Most enterprises manage endpoints through&amp;nbsp;a hodgepodge of&amp;nbsp;systems that&amp;nbsp;have evolved&amp;nbsp;independently over time, each capturing only a fragment of reality.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;One system may surface critical exposure without knowing whether the device is&amp;nbsp;being managed. Another may confirm successful remediation without accounting for newly discovered or misclassified endpoints that still have access.&amp;nbsp;The result? No reliable way to trace risk from detection through deployment to actual exposure.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Consider this:&amp;nbsp;the&amp;nbsp;average organization manages only 60% of their edge devices, according to Ivanti's&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/research-reports/borderless-security" target="_blank"&gt;Securing the Borderless Digital Landscape Report&lt;/a&gt;. That means 40% of potential entry points exist outside IT's view and outside their patch workflows. Security sees them.&amp;nbsp;IT&amp;nbsp;doesn't. That's&amp;nbsp;your&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/attack-surface-visibility-gaps"&gt;vulnerability gap&lt;/a&gt;.&amp;nbsp;Without that continuity, teams are forced to reconcile partial views manually. Data gets debated instead of&amp;nbsp;acted&amp;nbsp;on.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;img alt="graphic showing bar charts" src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/04/02-unmanaged-edge-devices.png"&gt;&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Different data views lead to friction&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Imagine&amp;nbsp;it’s&amp;nbsp;Monday morning: Security discovers a critical zero-day in a widely used VPN client. They send an urgent alert to IT: "30,000 vulnerable endpoints detected — patch immediately."&amp;nbsp;&lt;/p&gt;

&lt;p&gt;IT checks their deployment console: &lt;em&gt;"VPN client already updated across 28,000 devices last Thursday."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Both statements are true. Security is scanning the entire network — including contractor laptops, BYOD devices&amp;nbsp;and&amp;nbsp;systems that&amp;nbsp;briefly&amp;nbsp;connected to the VPN but&amp;nbsp;aren't&amp;nbsp;under IT management. IT patched everything in their device inventory.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Meanwhile, 2,000 genuinely vulnerable endpoints&amp;nbsp;remain&amp;nbsp;exposed because they exist in Security's view but not IT's.&amp;nbsp;The patch that should have taken 24 hours now requires three days of manual reconciliation.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;When IT and security&amp;nbsp;operate&amp;nbsp;from different data sources, misaligned&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/vulnerability-prioritization-guide"&gt;vulnerability management priorities&lt;/a&gt;&amp;nbsp;are inevitable.&amp;nbsp;Security teams focus on vulnerability counts, severity&amp;nbsp;scores&amp;nbsp;and&amp;nbsp;exploit intelligence. IT teams prioritize deployment success, system&amp;nbsp;stability&amp;nbsp;and&amp;nbsp;user impact. Both perspectives are necessary, but without a shared frame of reference, they pull in different directions.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;What follows&amp;nbsp;isn’t&amp;nbsp;just tension;&amp;nbsp;it’s&amp;nbsp;decision paralysis. Remediation slows while teams reconcile inventories,&amp;nbsp;validate&amp;nbsp;findings&amp;nbsp;and&amp;nbsp;argue about scope. Vulnerabilities&amp;nbsp;remain&amp;nbsp;open longer than they should, not because patches&amp;nbsp;aren’t&amp;nbsp;available, but because&amp;nbsp;there’s&amp;nbsp;no single view that connects detection,&amp;nbsp;deployment&amp;nbsp;and&amp;nbsp;exposure.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;The&amp;nbsp;risk of misaligned patching priorities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Misalignment slows collaboration, but more importantly, it creates measurable risk that extends well beyond internal friction.&lt;/p&gt;


&lt;p&gt;Ivanti’s&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/research-reports/aem" target="_blank"&gt;Autonomous Endpoint Management research&lt;/a&gt;&amp;nbsp;reflects this challenge in practice:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;38% of IT professionals report difficulty tracking patch status.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;35% struggle to meet remediation timelines due to incomplete endpoint visibility.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When vulnerabilities&amp;nbsp;remain&amp;nbsp;open longer than necessary, the window of exposure grows. Attackers&amp;nbsp;don’t&amp;nbsp;wait.&amp;nbsp;The&amp;nbsp;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;CISA KEV catalog&lt;/a&gt;&amp;nbsp;reveals the&amp;nbsp;difficult truth: 30% of vulnerabilities being actively exploited right now were originally&amp;nbsp;disclosed&amp;nbsp;more than five years ago.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That's&amp;nbsp;not a patching problem;&amp;nbsp;it’s&amp;nbsp;a&amp;nbsp;visibility problem. Organizations&amp;nbsp;aren't&amp;nbsp;ignoring available patches;&amp;nbsp;they're&amp;nbsp;missing the endpoints that still need them.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Prolonged&amp;nbsp;exposure&amp;nbsp;windows and&amp;nbsp;breach&amp;nbsp;risk&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Fragmentation stretches&amp;nbsp;exposure&amp;nbsp;windows in subtle ways. Devices that were never enrolled in management platforms, such as shadow BYOD, unsecured contractor&amp;nbsp;devices&amp;nbsp;or&amp;nbsp;remote endpoints outside the traditional perimeter, often go unnoticed.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/research-reports/borderless-security" target="_blank"&gt;Research from Ivanti&lt;/a&gt;&amp;nbsp;shows&amp;nbsp;that only one in three employers&amp;nbsp;have&amp;nbsp;implemented zero trust network access for remote workers, leaving significant gaps in visibility across distributed environments.&amp;nbsp;Newly discovered endpoints appear after patch reports are generated. Systems drift out of compliance between scan cycles. Each delay compounds the risk, extending the time attackers&amp;nbsp;have to&amp;nbsp;weaponize known weaknesses.&lt;/p&gt;


&lt;h2&gt;Common&amp;nbsp;post-patch&amp;nbsp;issues and IT&amp;nbsp;ticket&amp;nbsp;overload&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Even when patches are deployed on schedule, manual patching often creates downstream issues. Failed updates, broken agents, performance&amp;nbsp;problems&amp;nbsp;and&amp;nbsp;unexpected reboots trigger support tickets and emergency fixes. What starts as a security task quickly becomes an operational drain.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;IT teams spend time resolving predictable failures instead of&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/endpoint-management-ownership-it-security-governance"&gt;improving endpoint posture&lt;/a&gt;. Security teams see delays as unresolved risk. Users associate patching with disruption. That friction persists across teams, even when their goals are aligned.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Transforming&amp;nbsp;patch management&amp;nbsp;with autonomous endpoint management&amp;nbsp;&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;AI and automation address the core disconnects in&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/effective-modern-patch-management-processes-and-best-practices-for-patch-operations"&gt;patch management&lt;/a&gt;&amp;nbsp;by unifying visibility and reducing manual coordination. When endpoint discovery, vulnerability data, device&amp;nbsp;health&amp;nbsp;and&amp;nbsp;patch status are correlated into a unified view, IT and security teams can work from the same facts instead of reconciling partial data across tools.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/autonomous-endpoint-management"&gt;Autonomous endpoint management&amp;nbsp;(AEM)&lt;/a&gt; brings clarity to the confusion by using AI intelligence and automation to give IT and security a single, continuously updated view of endpoints, their&amp;nbsp;health&amp;nbsp;and their exposure.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How&amp;nbsp;AI&amp;nbsp;improves patching decisions&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;AI improves patching decisions by prioritizing vulnerabilities based on real-world risk rather than severity scores alone. By factoring in exploit activity, asset criticality&amp;nbsp;and&amp;nbsp;exposure context, teams can align on what to patch first and focus effort where it will reduce risk fastest.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;With autonomous endpoint management, that same Monday morning scenario plays out differently:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The vulnerability is detected, and AI&amp;nbsp;immediately&amp;nbsp;cross-references it against a unified endpoint inventory. It&amp;nbsp;identifies&amp;nbsp;1,560 devices running the vulnerable version, including 217 devices that were previously unmanaged.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/use-cases/automated-patch-management"&gt;Automated&amp;nbsp;patch&amp;nbsp;workflows&lt;/a&gt;&amp;nbsp;simultaneously enroll the unmanaged devices and prioritize patching based on exposure risk and asset criticality. They then&amp;nbsp;schedule deployment during low-usage&amp;nbsp;windows and&amp;nbsp;begin ring-based rollout.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By the time the security team sends the alert, IT already has a real-time dashboard showing remediation in progress&amp;nbsp;—&amp;nbsp;with the same device count, the same exposure&amp;nbsp;data&amp;nbsp;and&amp;nbsp;the same prioritization logic. No reconciliation&amp;nbsp;necessary.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How automation accelerates remediation&amp;nbsp;&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Automation then turns those decisions into action. Patch workflows can be orchestrated end to end:&amp;nbsp;identifying&amp;nbsp;affected devices, deploying&amp;nbsp;updates&amp;nbsp;and&amp;nbsp;validating&amp;nbsp;remediation without constant manual intervention.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;AI-powered intelligent patch scheduling minimizes user impact by aligning deployments with device usage patterns, maintenance&amp;nbsp;windows&amp;nbsp;and&amp;nbsp;operational constraints. Ring-based rollouts allow patches to be&amp;nbsp;validated&amp;nbsp;on smaller groups before wider deployment, reducing disruption while accelerating remediation. The result is faster&amp;nbsp;patching, less&amp;nbsp;downtime&amp;nbsp;and&amp;nbsp;a more predictable process for both teams.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Self-healing workflows detect and resolve common issues automatically, such as restarting services, reinstalling&amp;nbsp;agents&amp;nbsp;or&amp;nbsp;correcting misconfigurations. These workflows prevent avoidable incidents before they turn into support tickets.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;From data debates to unified intelligence and shared visibility&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/ivanti-neurons"&gt;AI-driven platforms&lt;/a&gt;&amp;nbsp;unify endpoint visibility by correlating discovery data, vulnerability context, device&amp;nbsp;health&amp;nbsp;and&amp;nbsp;patch status into a single endpoint record, with enrollment and access controls ensuring that devices are continuously discovered and managed throughout their lifecycle. IT and security teams see the same devices, the same&amp;nbsp;exposure&amp;nbsp;and&amp;nbsp;the same remediation status in real time.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This unified intelligence&amp;nbsp;eliminates&amp;nbsp;debates over whose data is correct and replaces them with agreement on which risks&amp;nbsp;to address&amp;nbsp;first.&amp;nbsp;By integrating remediation into broader endpoint workflows, teams reduce manual effort and&amp;nbsp;maintain&amp;nbsp;consistent patch outcomes at scale.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Shared patch ownership:&amp;nbsp;powering IT and security collaboration&amp;nbsp;&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;AI and automation only improve patch management when&amp;nbsp;they’re&amp;nbsp;paired with shared ownership. When IT and security teams&amp;nbsp;operate&amp;nbsp;from the same endpoint data and remediation workflows, accountability shifts from defending individual reports to jointly reducing exposure.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;A data-driven patch process starts with mutual goals. Instead of tracking success in isolated tools, organizations align IT and security around common metrics that reflect real-world risk and operational impact. This shared measurement creates clarity on priorities and removes ambiguity around ownership.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Effective collaboration depends on metrics both teams trust and act on together. Common KPIs include:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Mean Time to Remediate (MTTR):&amp;nbsp;How quickly critical vulnerabilities are resolved&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Patch compliance rates:&amp;nbsp;Across both managed and previously unmanaged endpoints&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Exposure duration:&amp;nbsp;How long high-risk vulnerabilities&amp;nbsp;remain&amp;nbsp;open&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Endpoint visibility:&amp;nbsp;Percentage of devices fully discovered and managed&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These metrics shift conversations from patch volume to measured risk outcomes and help teams focus on outcomes instead of activity.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Joint ownership requires workflows that span the entire&amp;nbsp;patch&amp;nbsp;lifecycle. AI-driven platforms support this by automating routine tasks while surfacing exceptions that require human judgment.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;IT and security leaders define guardrails for automation, including&amp;nbsp;approval&amp;nbsp;thresholds, testing&amp;nbsp;requirements&amp;nbsp;and&amp;nbsp;rollout constraints. Within those boundaries, automation executes remediation consistently and at scale, without constant manual coordination. Over time, trust in the process grows, coordination overhead decreases, and patching becomes a cooperative operational responsibility rather than a point of friction.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Visit our solutions page to discover how&amp;nbsp;&lt;a href="https://www.ivanti.com/autonomous-endpoint-management"&gt;Ivanti's autonomous endpoint management solutions&lt;/a&gt;&amp;nbsp;give IT and security teams the unified visibility they need to&amp;nbsp;eliminate&amp;nbsp;patching silos and close vulnerabilities faster.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Thu, 02 Apr 2026 15:37:11 Z</pubDate></item><item><guid isPermaLink="false">4438f929-aa59-4aee-a8d8-d16555dab909</guid><link>https://www.ivanti.com/blog/march-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>March 2026 Patch Tuesday</title><description>&lt;p&gt;March Patch Tuesday resolves 79 CVEs, of which three are Critical and 76 are Important. There are two publicly disclosed CVEs this month, but none exploited. Microsoft has also released an Edge update resolving nine Chrome CVEs. The public disclosures include a Denial-of-Service vulnerability in .Net and an Elevation of Privilege vulnerability in SQL Server. Both disclosures are listed as Unproven for Exploit Code Maturity indicating the disclosures did not include any code samples.&lt;/p&gt;

&lt;p&gt;Adobe and Mozilla have released updates as part of the March Patch Tuesday including eight updates from Adobe resolving a total of 80 CVEs, 21 of which are rated Critical. Mozilla Firefox 148.0.2 released resolving three high severity CVEs.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in SQL Server (CVE-2026-21262). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been publicly disclosed. An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges. The vulnerability affects SQL Server 2016 and later editions.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Denial of Service vulnerability in .NET (CVE-2026-26127). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.5, but&amp;nbsp;it&amp;nbsp;has been publicly disclosed. An attacker could cause an out-of-bounds read in .NET allowing an unauthorized attacker to deny service over a network. The vulnerability affects .NET 9 and 10 on Windows, Mac OS and Linux as well as NuGet 9 and 10 packages.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released eight updates this month resolving a total of 80 CVEs, 21 of which are rated Critical. Adobe Commerce is the highest priority this month with a Priority 2 rating. Other affected products include Adobe Illustrator, Substance 3D Painter, Acrobat and Acrobat Reader, Premiere Pro, Experience Manager, Substance 3D Stager, and DNG SDK.&lt;/p&gt;

&lt;p&gt;Mozilla has released an update for Firefox 148.0.2 resolving three High severity vulnerabilities.&lt;/p&gt;

&lt;h2&gt;March update to-do list&lt;/h2&gt;

&lt;p&gt;The Microsoft OS and Office updates will resolve the majority of the CVEs resolved this month in two easy updates.&lt;/p&gt;

&lt;p&gt;Mozilla Firefox, Microsoft Edge and Google Chrome are all released frequently. Prioritize browser updates on a weekly or daily basis to reduce risks continuously with minimal risk of impact.&lt;/p&gt;
</description><pubDate>Tue, 10 Mar 2026 21:01:35 Z</pubDate></item><item><guid isPermaLink="false">613c7534-d87d-411a-8d02-57955ea3c5e1</guid><link>https://www.ivanti.com/blog/february-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>February 2026 Patch Tuesday</title><description>&lt;p&gt;February Patch Tuesday includes recent out-of-band updates from Microsoft between January 17th and 29th, including multiple bug fixes and a fix for a zero-day exploit in Microsoft Office. In addition, Microsoft announced the phased disablement of NTLM ahead of the February 2026 Patch Tuesday release.&lt;/p&gt;

&lt;p&gt;For the February Patch Tuesday release, Microsoft has resolved 57 unique CVEs. Six CVEs are flagged as Exploited and three of those are Publicly Disclosed as well. Add the out-of-band (OOB) zero-day and you have a lineup of CVEs that need some attention.&lt;/p&gt;

&lt;h2&gt;January Out-of-Band Releases&lt;/h2&gt;

&lt;p&gt;The first OOB release on January 17th resolved a credential prompt failure when attempting remote desktop or remote appliance connections. The second round of OOB updates occurred on January 24th and 26th, resolving application crashes in Outlook and OneDrive and system hibernation/shutdown issues. Finally, the third OOB update on January 26th addressed a zero-day vulnerability, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;, a Microsoft Office Security Feature Bypass vulnerability.&lt;/p&gt;

&lt;h2&gt;Microsoft plans phased NTLM disablement&lt;/h2&gt;

&lt;p&gt;Microsoft released their plan for the&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt;&amp;nbsp;of New Technology LAN Manager (NTLM) in the latest operating systems starting now in 2026 and beyond. The NTLM authentication protocol was introduced back in 1993 and has since been superseded by Kerberos protocols, which are far more secure. However, NTLM has remained the fallback when Kerberos is unavailable despite being deprecated and having weak algorithms.&lt;/p&gt;

&lt;p&gt;Phase one introduces additional auditing to help you identify where NTLM may still be running and &lt;a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-8-%E2%80%93-disabling-ntlm/4485782" rel="noopener" target="_blank"&gt;change it out&lt;/a&gt; where you can. Starting now, Microsoft recommends using the &lt;a href="https://support.microsoft.com/en-us/topic/overview-of-ntlm-auditing-enhancements-in-windows-11-version-24h2-and-windows-server-2025-b7ead732-6fc5-46a3-a943-27a4571d9e7b" rel="noopener" target="_blank"&gt;advanced NTLM auditing&lt;/a&gt; already available in Server 2025 and in Windows 11 24H2 and newer. Phase two begins with major OS updates coming later this year. This update will address the ‘pain points’ or blockers by removing multiple fallback scenarios where Kerberos reverts to NTLM.&lt;/p&gt;

&lt;p&gt;And finally in phase three, NTLM will be disabled by default. The code will still be there, but you will need to explicitly re-enable it if absolutely needed. This three-phase approach will happen quickly, so plan appropriately to replace NTLM in your environment and take a giant security step forward. The ‘NTLM disabled by default’ phase will occur with the next major Server update.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;On January 29th, Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Microsoft Office (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker can send a user a malicious Office file and convince them to open the file to exploit the vulnerability. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Remote Desktop Services (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533" rel="noopener" target="_blank"&gt;CVE-2026-21533&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519" rel="noopener" target="_blank"&gt;CVE-2026-21519&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in MSHTML Framework (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513" rel="noopener" target="_blank"&gt;CVE-2026-21513&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Windows Shell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510" rel="noopener" target="_blank"&gt;CVE-2026-21510&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Security Feature Bypass vulnerability in Microsoft Word (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514" rel="noopener" target="_blank"&gt;CVE-2026-21514&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker can bypass a security feature locally due to a reliance on untrusted inputs. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Denial of Service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.2, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. A null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for February. The update affects Ivanti Endpoint Manager and resolves two new CVEs and 11 medium severity CVEs that were disclosed in late 2025. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/february-2026-security-update"&gt;February Security Advisory&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, there was a security advisory on January 29th for Ivanti Endpoint Manager Mobile (EPMM) that had a limited number of customers impacted at time of disclosure. Ivanti urges all customers using the on-prem EPMM product to promptly install the Security Update. The security advisory, additional technical analysis, and an Exploitation Detection script co-developed with NCSC-NL can be found in the &lt;a href="https://www.ivanti.com/blog/january-2026-epmm-security-update"&gt;January Security Advisory&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities  &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates this month resolving 43 CVEs, 27 of which are Critical. All nine updates are rated Priority three by Adobe.&lt;/p&gt;

&lt;h2&gt;February update to-do list&lt;/h2&gt;

&lt;p&gt;Windows OS and Microsoft Office updates are the priority this month, resolving six new zero-day exploits and one OOB zero-day exploit.&lt;/p&gt;

&lt;p&gt;Review Microsoft's announcement of the &lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt; of NTLM and its documentation to start planning for the deprecation and disablement of NTLM.&lt;/p&gt;
</description><pubDate>Tue, 10 Feb 2026 21:58:44 Z</pubDate></item><item><guid isPermaLink="false">7bbd54ed-d35c-4e94-b814-6920a467a5e7</guid><link>https://www.ivanti.com/blog/january-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>January 2026 Patch Tuesday</title><description>&lt;p&gt;New year,&amp;nbsp;new updates!&amp;nbsp;Welcome back to the Ivanti Patch Tuesday blog where we&amp;nbsp;provide&amp;nbsp;you&amp;nbsp;critical insights to&amp;nbsp;optimize&amp;nbsp;your exposure management activities.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This month there are a pair of Mozilla CVEs that are suspected&amp;nbsp;of being&amp;nbsp;exploited and a Microsoft CVE that has been exploited.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, Microsoft has a pair of&amp;nbsp;publicly disclosed vulnerabilities that will need to be reviewed to see if your organization may be&amp;nbsp;impacted&amp;nbsp;by the changes Microsoft is making.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There are&amp;nbsp;additional&amp;nbsp;third-party&amp;nbsp;updates&amp;nbsp;from Adobe,&amp;nbsp;and&amp;nbsp;you should&amp;nbsp;expect more from Google and Oracle over the next few days and into next week&amp;nbsp;that should be included in your monthly maintenance.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;A side note of good news:&amp;nbsp;Microsoft has broken the Server 2025&amp;nbsp;update out&amp;nbsp;into a separate KB,&amp;nbsp;so it is only&amp;nbsp;1.9GB in size,&amp;nbsp;versus this month’s&amp;nbsp;4GB+ Windows 11 cumulative update.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an&amp;nbsp;Information Disclosure vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805" rel="noopener" target="_blank"&gt;CVE-2026-20805&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 5.5, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. The exposure could be used to&amp;nbsp;disclose&amp;nbsp;a section address from a remote ALPC port&amp;nbsp;that&amp;nbsp;is user-mode memory. The vulnerability affects all currently supported and extended security update-supported versions of the Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass vulnerability in Secure Boot Certification Expiration (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265" rel="noopener" target="_blank"&gt;CVE-2026-21265&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.4, but it has been publicly disclosed. In addition to the update, the fix provides a warning regarding certificates that will be expiring in 2026 and details on the actions required to renew certificates prior to their expiration. It is recommended to start investigating what actions your organization may need to take to prevent potential serviceability and security issues as certificates expire.&lt;/p&gt;

&lt;p&gt;Microsoft is addressing&amp;nbsp;an&amp;nbsp;Elevation of Privilege vulnerability in Windows Agere Soft Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-31096" rel="noopener" target="_blank"&gt;CVE-2023-31096&lt;/a&gt;). The vulnerability CVE ID was assigned by MITRE&amp;nbsp;in 2023. It&amp;nbsp;is rated Important and has a CVSS v3.1 score of 7.8.&amp;nbsp;The CVE has been publicly&amp;nbsp;disclosed. Microsoft’s resolution is to remove the affected drivers from the Windows OS as&amp;nbsp;of the January 2026 cumulative update. Microsoft recommends removing any existing dependencies on this hardware.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released no security advisories this month.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities  &amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.mozilla.org/en-US/security/advisories/" rel="noopener" target="_blank"&gt;Mozilla has released updates for Firefox and Firefox ESR,&amp;nbsp;resolving a total of&amp;nbsp;34&amp;nbsp;CVEs&lt;/a&gt;. All three updates have an Impact rating of High. Two CVEs are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/" rel="noopener" target="_blank"&gt;MFSA2026-01&lt;/a&gt;),&amp;nbsp;and CVE-2026-0891 is resolved in Firefox ESR 140.7 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/" rel="noopener" target="_blank"&gt;MFSA2026-03&lt;/a&gt;).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Expect Google Chrome and Microsoft Edge updates this week in addition to a high-severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Adobe has released 11 updates this month affecting Dreamweaver, InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Stager, Painter, Sampler and Designer, and ColdFusion. ColdFusion is a priority 1. Everything else is priority 3, but most of the updates include Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Oracle’s Quarterly CPU is scheduled to&amp;nbsp;release&amp;nbsp;on January 20, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out,&amp;nbsp;expect&amp;nbsp;all of&amp;nbsp;the Java-based frameworks to update over the next few weeks.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;January update&amp;nbsp;to-do&amp;nbsp;list&amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Browser updates are a priority this month. Mozilla resolved two suspected zero-day exploits (CVE-2026-0891 and CVE-2026-0892),&amp;nbsp;and Chrome resolved a high-severity CVE (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;The Windows OS update resolves one exploited and two publicly disclosed vulnerabilities this month,&amp;nbsp;putting the Windows OS update as top priority this month&amp;nbsp;alongside&amp;nbsp;the browser updates.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Review Secure Boot Certificate timelines and usage of Agere Soft Modem drivers&amp;nbsp;to avoid serviceability and security issues.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 Jan 2026 21:52:53 Z</pubDate></item><item><guid isPermaLink="false">fc33ed2b-c5b5-40e8-9203-f0e06e986278</guid><link>https://www.ivanti.com/blog/dll-hijacking-prevention</link><atom:author><atom:name>Mariah Shotts</atom:name><atom:uri>https://www.ivanti.com/blog/authors/mariah-shotts</atom:uri></atom:author><category>Endpoint Management</category><category>Patch Management</category><category>Security</category><title>DLL Hijacking: Risks, Real-World Examples and How to Prevent Attacks</title><description>&lt;p&gt;There’s been buzz around &lt;a href="https://www.cve.org/CVERecord?id=CVE-2025-56383" rel="noopener" target="_blank"&gt;CVE-2025-56383&lt;/a&gt; (published on Sept. 26, 2025), a hijacking vulnerability in Notepad++ v8.8.3 in which a DLL file can be swapped to execute malicious code.&lt;/p&gt;

&lt;p&gt;The CVE has been disputed by multiple parties, but we’re not here to comment on that. However, we are here to comment on DLL hijacking and discuss the very real threat that it poses to an organization. Let’s look into what DLL hijacking is and what measures you can take to keep your DLLs safe.&lt;/p&gt;

&lt;h2&gt;What DLL hijacking is and how it happens&lt;/h2&gt;

&lt;p&gt;DLL hijacking (also known as a DLL preloading attack) is a security vulnerability where a legitimate and trusted Dynamic Link Library (DLL) file in a Windows application is replaced with a malicious one.&lt;/p&gt;

&lt;p&gt;This method exploits the way applications load DLL files, which contain code and data used by multiple programs. By loading a malicious DLL, a threat actor can execute their own code with the same privileges as the legitimate application, leading to privilege escalation, persistence and defense evasion.&lt;/p&gt;

&lt;p&gt;When a program starts, it often needs to load various DLLs to perform specific functions, typically from trusted system directories. However, if an application is not careful about where it looks for these DLLs, it might load a malicious DLL from an insecure or predictable location (i.e., the current working directory or a network share). This can happen if the application does not specify the full path to the DLL or if it searches for the DLL in a directory that can be accessed or modified by an attacker.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Flowchart showing DLL loading sequence. A purple box labeled “Application starts and requests DLL” connects to three folders: “Current Working Directory,” “Network Share,” and “System32.” The Current Working Directory points to a red box labeled “Malicious DLL” with a warning icon, while Network Share and System32 point to orange boxes labeled “Legitimate DLL” with checkmark icons." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram1-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;p&gt;While this type of attack is not new, it remains effective due to its simplicity. And although this specific issue pertains to Windows applications, it's important to call out that similar vulnerabilities can affect other operating systems (like Linux and macOS, which use dynamic loading for shared libraries).&lt;/p&gt;

&lt;p&gt;DLL hijacking introduces multiple security risks, including:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Data theft:&lt;/strong&gt; The malicious DLL can intercept and steal sensitive data, such as passwords or personal information.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Compromised systems:&lt;/strong&gt; The attacker can gain control over the system, potentially leading to further attacks or the installation of additional malware.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Malware:&lt;/strong&gt; The malicious DLL can act as a conduit for spreading malware, infecting other parts of the system or network.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A DLL can be hijacked in several different ways; here are some of the most common techniques:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Insecure DLL search order:&lt;/strong&gt; Attackers place malicious DLLs in directories searched before the legitimate DLL's location.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Relative path manipulation:&lt;/strong&gt; Malicious DLLs are loaded when applications use relative paths.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DLL redirection:&lt;/strong&gt; Techniques like path manipulation redirect the DLL loading process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Weak permissions:&lt;/strong&gt; Attackers replace legitimate DLLs with malicious ones in directories with weak permissions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Phantom DLL hijacking:&lt;/strong&gt; Attackers exploit applications loading non-existent DLLs by placing malicious DLLs with the same name in searched directories.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="Circular diagram divided into six colored segments around a center labeled “DLL Hijacking Techniques.” Segments include “Phantom DLL Hijacking,” “Insecure DLL Search Order,” “Relative Path Manipulation,” “DLL Redirection,” “Weak Permissions,” each with a small icon representing the concept." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram2-dll-hijackcing.png"&gt;These potential vulnerabilities highlight the importance of secure coding practices and directory permission management when it comes to preventing this form of attack.&lt;/p&gt;

&lt;h2&gt;How to prevent DLL hijacking and keep your DLLs safe and secure&lt;/h2&gt;

&lt;p&gt;Although DLL hijacking remains a threat, there are best practices you can follow and implement to reduce your risk for a safer, more secure IT environment.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Five concentric circles in gradient colors from orange to purple, representing security layers. The innermost circle reads “Secure DLL Loading,” followed by “Integrity Checks,” “User Permissions,” “App Control and Security Software,” and the outermost circle labeled “Patch Management.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram3-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;h3&gt;Secure DLL loading:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Use full paths:&lt;/strong&gt; Always specify the full path to the DLL when loading it. This ensures that the application loads the DLL from a trusted location (and not from an insecure directory).&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Set the safe search path:&lt;/strong&gt; Use the SetDllDirectory function in Windows to add trusted directories to the search path and exclude insecure ones. This can help prevent the application from loading DLLs from unexpected locations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;File integrity checks:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Digital signatures:&lt;/strong&gt; Ensure that DLLs are signed with a digital signature and verify the signature before loading the DLL. This can help confirm that the DLL has not been tampered with.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Hash verification:&lt;/strong&gt; Use cryptographic hash functions to verify the integrity of DLL files. If the hash of the DLL does not match the expected value, the file may have been modified.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;User permissions:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Least privilege principle:&lt;/strong&gt; Run applications with the least privilege necessary. This limits the potential damage of a DLL hijacking, as the malicious code will have fewer permissions to execute harmful actions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;User Account Control (UAC):&lt;/strong&gt; Enable UAC on Windows systems to prompt users for permission before running applications with elevated privileges. This can help prevent unauthorized changes to system files.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Application control and privilege management:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Known and trusted applications:&lt;/strong&gt; Application control ensures that only known and trusted applications are launchable, removing the risk of unauthorized applications being introduced.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Privilege control:&lt;/strong&gt; Effective privilege management is crucial in preventing DLL hijacking. By ensuring that applications have the correct rights and privileges to launch, you limit the ability of unauthorized users to introduce malicious files. This control acts as a key barrier, restricting the access an attacker needs to exploit the DLL search mechanism and thereby enhancing the security of your environment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Security software:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Antivirus and anti-malware:&lt;/strong&gt; Use reputable antivirus and anti-malware software to detect and prevent the loading of malicious DLLs. These tools can scan for known malicious files and behaviors.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Intrusion Detection Systems (IDS):&lt;/strong&gt; Implement IDS to monitor for unusual activity, such as unexpected changes to DLL files or attempts to load DLLs from insecure locations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Patch management:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Keep software updated:&lt;/strong&gt; Regularly update applications and operating systems with the latest security patches. Many DLL hijacking vulnerabilities are fixed via updates, so stay current to help protect against known threats.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Automated patching:&lt;/strong&gt; Use an &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;automated patch management tool&lt;/a&gt; to ensure that all systems are kept up to date without manual intervention. This reduces the window of opportunity for attackers to exploit known vulnerabilities, including those that could be used for DLL hijacking. This proactive approach helps maintain the integrity of your applications and operating systems, making it much harder for attackers to inject malicious DLLs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By implementing these best practices, you can significantly reduce the risk of DLL hijacking and enhance the overall security of your applications and systems.&lt;/p&gt;

&lt;h2&gt;Combine the right tools and tactics to prevent DLL hijackings&lt;/h2&gt;

&lt;p&gt;DLL hijacking has been a persistent form of attack for years, proving that it’s still effective and will therefore continue to be an issue for organizations.&lt;/p&gt;

&lt;p&gt;Future-proof your organization using the best practices mentioned above combined with proven solutions like &lt;a href="https://www.ivanti.com/products/application-control"&gt;Ivanti Neurons for App Control&lt;/a&gt; to help keep your DLLs secure. Capabilities like Trusted Ownership catch a hijacked DLL and deny its execution by ensuring that ownership of the items matches your approved list of trusted owners.&lt;/p&gt;

&lt;p&gt;Also, keep your apps up to date to limit exposure to known vulnerabilities. Remove the risk of human error by automating patching with &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Ivanti Neurons for Patch Management&lt;/a&gt;, ensuring that systems are automatically updated and secured.&lt;/p&gt;
</description><pubDate>Wed, 17 Dec 2025 14:00:02 Z</pubDate></item><item><guid isPermaLink="false">f6313797-d456-4178-8477-933be69ec3b9</guid><link>https://www.ivanti.com/blog/december-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>December 2025 Patch Tuesday</title><description>&lt;p&gt;Here we are at the final Patch Tuesday for 2025. Microsoft has resolved 56 CVEs (two Critical and 54 Important). Included in this release is one known exploited (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and two publicly disclosed CVEs (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). This month’s OS update resolves the exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and one of the public disclosures (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;), making the Windows OS a top priority this month. The other public disclosure is in GitHub Copilot for Jetbrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;), which would require developers to download and update the GitHub Copilot plugin.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Third-party updates this Patch Tuesday include multiple releases from Mozilla for Firefox 146 and Firefox ESR 115.31 and 140.6. Adobe released five updates to resolve 142 CVEs including an update for Adobe Acrobat and Reader. Four of five updates are rated as Priority Three, but the Adobe ColdFusion update is rated Priority One. There are no known exploits, but the ColdFusion update resolves the bulk of the CVEs resolved by Adobe this month.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Cloud Files Mini Filter Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but is confirmed to be exploited in the wild. An attacker who successfully exploits this CVE could gain SYSTEM privileges. The CVE affects Windows 10 and later Windows editions. A risk-based prioritization approach would prioritize this CVE as Critical.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in PowerShell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but has been publicly disclosed. The fix provides a warning and guidance to avoid the potential remote code execution, but the nature of the exposure makes it improbable to fully remediate. The Invoke-WebRequest command can parse the contents of a web page and could potentially run script code in the web page when it is parsed. A warning is presented recommending the use of the -UseBasicParsing switch to avoid script code execution. The CVE affects Server 2008 and later Windows editions.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in GitHub Copilot for JetBrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.4 but has been publicly disclosed. An attacker could exploit the vulnerability using a malicious Cross Prompt Inject in untrusted files or MCP servers, allowing the execution of additional commands by appending them to commands allowed in the user’s terminal auto-approve setting.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update this month. The update affects Ivanti Endpoint Manager and resolves four vulnerabilities. More details and information about mitigations can be found in the &lt;a href="https://www.ivanti.com/blog/december-2025-security-update"&gt;December Security Advisory&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Mozilla has released updates for Firefox and Firefox ESR resolving a total of 27 CVEs. All three updates have an Impact rating of High.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Adobe released five updates this month affecting ColdFusion, Experience Manager, DNG SDK, Acrobat and Reader and Creative Cloud Desktop. ColdFusion is a Priority One and resolves the majority of the 142 CVEs. The other four updates are rated Priority Three.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;December update priorities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The Windows OS update is the priority this month to resolve &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;All other updates can be resolved under normal SLA priorities.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
</description><pubDate>Tue, 09 Dec 2025 22:05:21 Z</pubDate></item><item><guid isPermaLink="false">7110e1c4-6550-4404-9c43-44e911ea4946</guid><link>https://www.ivanti.com/blog/november-2025-patch-tuesday</link><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>November 2025 Patch Tuesday</title><description>&lt;p&gt;November Patch Tuesday is the first Patch Tuesday after the EoL of Windows 10. In the shadow of Windows 10, there are a number of other product EoLs of note. Exchange Server, for one, is getting some additional attention. &lt;a href="https://techcommunity.microsoft.com/blog/exchange/announcing-exchange-2016--2019-extended-security-update-program/4433495" rel="noopener" target="_blank"&gt;Microsoft announced a 6-month ESU option for Exchange 2016/2019 servers&lt;/a&gt; for customers who need the extension. Their guidance, however, is not to rely on this program and to make every attempt to move off of Exchange and move to Exchange SE in time. Cybersecurity agencies across the globe have also collaborated to provide a &lt;a href="https://techcommunity.microsoft.com/blog/exchange/announcing-exchange-2016--2019-extended-security-update-program/4433495" rel="noopener" target="_blank"&gt;Security Best Practices guide for Microsoft Exchange Server&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Microsoft resolved 63 unique vulnerabilities this month, including one known exploited CVE (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215" rel="noopener" target="_blank"&gt;CVE-2025-62215&lt;/a&gt;). The exploited CVE is an Elevation of Privilege vulnerability in the Windows Kernel that can allow an attacker to gain SYSTEM-level privileges on the target system. Affected products this month include Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot and Azure Monitor Agent.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For third-party updates, Oracle released their quarterly &lt;a href="https://www.oracle.com/security-alerts/cpuoct2025.html" rel="noopener" target="_blank"&gt;Critical Patch Update&lt;/a&gt; on October 21, 2025. This included many updates including Java. With the release of Java comes a stream of Java framework updates, including RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patch Tuesday third-party updates include eight from Adobe and three from Mozilla, and Google Chrome released a stability and performance update this month (no CVEs reported).&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215" rel="noopener" target="_blank"&gt;CVE-2025-62215&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.0. The vulnerability requires an attacker to win a race condition, but if exploited it would allow the attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all currently supported Windows OS editions and Windows 10 ESU, which means the risk of running Windows 10 past the EoL without ESU is not hypothetical. Ensure you are subscribing to Windows 10 ESU and providing additional mitigations where possible.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released one Security Advisory for November Patch Tuesday, resolving three CVEs. The security advisory for Ivanti Endpoint Manager provides details on vulnerable versions. Also, the advisory reminds Ivanti Endpoint Manager customers that version 2022 reached End of Life at the end of October 2025. All Ivanti EPM customers are urged to upgrade to 2024 SU4 to remediate the three vulnerabilities.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/november-2025-security-update"&gt;November Security Update&lt;/a&gt; on the Ivanti blog.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released eight updates resolving 28 CVEs. All eight updates are rated priority three.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Mozilla released three updates resolving a total of 29 CVEs.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Google Chrome just released a stability and performance update, but it has resolved 27 CVEs since October Patch Tuesday.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;November update priorities&amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is the highest priority this month, with one zero-day exploit.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Continue to monitor your environment for EoL software. Beyond Windows 10 EoL, there are editions of Office that are now EoL along with Exchange. The first month after the Windows 10 EoL has a zero-day that affects the Windows 10 OS. The risks of continuing to run EoL software without extended support are very real, and threat actors will be looking to take advantage.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Nov 2025 20:26:09 Z</pubDate></item><item><guid isPermaLink="false">77e51b29-a602-4d2a-92ee-011a73cea9bd</guid><link>https://www.ivanti.com/blog/unpatchable-vulnerabilities-risk-mitigation-strategies</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><title>Unpatchable Vulnerabilities: Key Risk Mitigation Strategies</title><description>&lt;p&gt;Wouldn’t it be great if every vulnerability had a fix waiting in the wings? If patching were always fast, easy, and complete?&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s not the world we live in.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Some vulnerabilities can’t be patched at all. Others are buried in systems or services you don’t fully control. And the longer your focus stays limited to internal infrastructure, the more risk slips through the cracks.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is where the conversation broadens, from vulnerability management to full spectrum &lt;a href="https://www.ivanti.com/glossary/exposure-management"&gt;exposure management&lt;/a&gt;. Because unpatchable vulnerabilities aren’t edge cases. They're part of your everyday risk landscape and deserve a seat at every CISO’s table.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The problem? Too many organizations still equate vulnerability management with patching, and that mindset creates blind spots big enough for attackers to walk right through. It ignores the exposures lurking outside traditional infrastructure: Cloud misconfigs, expired certs, &lt;a href="https://www.ivanti.com/blog/software-supply-chain-attack-risk"&gt;third-party software dependencies&lt;/a&gt;, identity abuse and more.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;What are unpatchable vulnerabilities?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Unpatchable vulnerabilities live up to their name. They’re flaws you can’t fix with a vendor patch, and not as rare as you might think. In today’s environment, risk is as likely to come from a cloud misconfiguration or expired certificate as it is from a missing update. But if your strategy focuses only on infrastructure vulnerabilities, you’re leaving massive gaps in your defenses.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Most teams lack total &lt;a href="https://www.ivanti.com/blog/attack-surface-visibility-gaps"&gt;attack surface visibility&lt;/a&gt; and treat infrastructure as the entire &lt;a href="https://www.ivanti.com/glossary/attack-surface"&gt;attack surface&lt;/a&gt;. Full stop. But that’s only one layer in a much broader landscape. The reality is that there are five critical layers where vulnerabilities live, and only one of them can be reliably managed with traditional patching.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/10/unpatchable-blog_attack-surface-graphic.png"&gt;&lt;/p&gt;

&lt;p&gt;The rest? They're unpatchable by nature. And each requires a different approach if you want to close the gaps. Let’s go through them one at a time:&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;1. Infrastructure&amp;nbsp;&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Infrastructure is the attack surface layer that everyone knows. It’s where traditional vulnerability management and patch management live. And yes, it’s critical. But treating this as the whole (or only) attack surface is like locking your front door and ignoring the open windows.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;2. External attack surface&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The &lt;a href="https://www.ivanti.com/products/external-attack-surface-management"&gt;external attack surface&lt;/a&gt; is what an adversary sees when they look at your organization from the outside. Your domains, subdomains and exposed services are entry points you don’t always control directly and often aren’t picked up in infrastructure scans.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;3. Cloud services&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Cloud misconfigurations are one of today’s most dangerous blind spots and also among the most overlooked, particularly in environments that have rapidly adopted cloud services without simultaneously evolving their security practices. We’ve seen the headlines about data exposed through misconfigured storage buckets or overly permissive APIs. These aren’t software flaws. They’re setup mistakes, and no patch can fix a poorly set permission.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;4. Identity&amp;nbsp;&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Then there’s identity. Every user account, credential and session token is a target. If a threat actor phishes your credentials or cracks a weak password, they’re not even exploiting a system vulnerability. They’re using your systems exactly as designed. Don’t mistake identity for a layer of access control. It serves as its own attack surface.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;5. Data&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;And finally: data. The ways you classify, store and secure data all represent surface area that attackers are always probing. If sensitive information is in the wrong place, with the wrong permissions, that’s an open invitation.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patching is critical. It gives you remediation coverage on endpoints and servers. But it only addresses one piece of the puzzle. The rest of your environment requires a wider lens.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The reality is: exposures aren’t buried in code. They live in misconfigurations, overly broad permissions, architectural shortcuts and legacy systems either forgotten or left to rot in the background. Those don’t get fixed with a patch. They get fixed with strategy.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Examples of unpatchable vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/log4j-haunts-security-community/702011/" rel="noopener" target="_blank"&gt;Log4j&lt;/a&gt; was a wake-up call. A single vulnerable library embedded across dozens of applications, many of them business-critical. You couldn’t just “push a patch”. You had to wait for each vendor to update their software, and/or manually disable vulnerable components until you closed that hole.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s just one example of how complexity can derail vulnerability management. Other cases are even more problematic:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-iiot"&gt;IoT devices&lt;/a&gt; often operate as closed systems, with firmware controlled entirely by the vendor. If vendor support ends, you’re left with internet-connected assets that IT can’t update directly as firmware is locked behind vendor-controlled gates. Without updates, vulnerabilities remain exposed.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Network Edge Devices (Firewalls, VPNs, etc.) come with layers of complex rules, configurations and dependencies that can’t be blindly updated. Every change must be tested against business-critical services to avoid outages. One single misstep can knock systems offline or break key integrations. That’s why most teams treat these updates like surgical procedures: slow, meticulous and weighed carefully against the organization’s &lt;a href="https://www.ivanti.com/blog/risk-appetite"&gt;risk appetite&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;And then there’s cryptographic decay. It’s the slow decay of trust in encryption as attackers get faster and standards grow older. TLS and SSL protocols, once considered rock solid, become exploitable over time.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;And none of them can be addressed by traditional patching models. They live outside the boundaries of what scanners catch and patching can solve. That’s why a broader security strategy, one rooted in exposure reduction and not just patching, needs to guide your approach.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Multifaceted risk mitigation strategies&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Start by targeting the weakest links in your environment: outdated protocols, misconfigurations and overexposed assets. Then, assess who and what has access to your systems. Shrink those access pathways to only what’s essential. This reduces the damage radius when something goes wrong.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Next, break risk mitigation into multiple workstreams. Not every vulnerability can be addressed the same way or on the same timeline. You need parallel tracks for short-term containment and long-term resilience.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In the short term, if you're facing an unpatchable vulnerability, ask: how do we minimize impact now? The Log4j response is a good model. There, we deployed scripts that disabled vulnerable components in real time, limiting exposure while waiting for a vendor patch.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;At the same time, build a longer-term framework. Automate configuration updates wherever possible. Create a roadmap for phasing out end-of-life apps and platforms. Map ownership across critical systems, including which teams or vendors control updates and what permissions or dependencies might block timely fixes. When an issue arises, that prep work determines whether you're reacting in chaos or executing a plan.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The tactics will vary — scripts, segmentation, zero trust, re-architecture — but the goal stays the same: reduce the time and space adversaries have to exploit your systems. Shrink the window. Stay ahead of it.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The organizations that succeed in managing unpatchable vulnerabilities are the ones who understand their environment inside and out. They never stop refining that understanding. That means having a real-time asset inventory, visibility into what’s running where and a comprehensive Software Bill of Materials (SBOM) that tells you what’s inside your software.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;They also monitor the entire attack surface. Not just endpoints, but external perimeters, cloud configurations, identity systems, and the data itself. Anything less than that leaves blind spots wide open.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;They build tight operational bridges between teams. When a high-risk exposure surfaces, network ops, application owners and developers already know who’s on point, what actions to take and how to move fast without triggering service disruptions.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Above all, they know that “unpatchable” doesn’t mean unmanageable. It just means you need a different playbook: one that’s layered, cross-functional and laser-focused on reducing real-world risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For more on how to elevate your approach to vulnerability management and risk mitigation, check out Ivanti’s research report: &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch" target="_blank"&gt;Risk-Based Patch Prioritization&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
</description><pubDate>Mon, 20 Oct 2025 13:00:00 Z</pubDate></item><item><guid isPermaLink="false">9e9a6540-2b98-4a64-9124-117518ba31b4</guid><link>https://www.ivanti.com/blog/october-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>October 2025 Patch Tuesday</title><description>&lt;p&gt;October Patch Tuesday is going to be a busy one from all angles. Microsoft exceeded the January CVE count (159 CVEs) by a healthy margin, with 172 CVEs resolved this month. There are three exploited and two publicly disclosed vulnerabilities this month, but fortunately all of them are in the cumulative OS update, making resolution quick and clean. They are also end of life-ing a lot of products, including Windows 10! Additionally, Office 2016 and 2019 and Exchange Server 2016 and 2019 have also reached end of life.&lt;/p&gt;

&lt;p&gt;Adobe released 12 updates resolving 36 CVEs. Mozilla released five updates resolving 45 CVEs and is cautioning users that three of these CVEs are showing signs they may have been exploited in the wild (unconfirmed). And of course, Google Chrome is expected to release their weekly update in the next 24 hours.&lt;/p&gt;

&lt;p&gt;There is a lot to unpack, so let’s get started.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Secure Boot bypass vulnerability in IGEL OS before 11 (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47827" rel="noopener" target="_blank"&gt;CVE-2025-47827&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 4.6. Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature, allowing a crafted root file system to be mounted from an unverified image.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Remote Access Connection Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230" rel="noopener" target="_blank"&gt;CVE-2025-59230&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8. Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990" rel="noopener" target="_blank"&gt;CVE-2025-24990&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8. The driver shipped natively with the Windows OS. Microsoft has removed the driver with the October cumulative update and recommends removing any existing dependencies on this fax modem hardware. Exploitation is possible even if the driver is not being used. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24052" rel="noopener" target="_blank"&gt;CVE-2025-24052&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 7.8. The exploit code maturity is listed as proof-of-concept, which increases the risk of exploitation. A risk-based prioritization methodology would warrant treating this as Critical.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an out-of-bounds read vulnerability in TCG TPM2.0 reference implementation (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-2884" rel="noopener" target="_blank"&gt;CVE-2025-2884&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 5.3. The exploit code maturity is listed as unproven, indicating there is currently no publicly available code.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates and one Security Advisory for October Patch Tuesday, resolving a total of seven CVEs. The affected products include Ivanti Neurons for MDM and Ivanti Endpoint Manager Mobile. The Ivanti Neurons for MDM vulnerabilities were resolved for all customers on October 10, 2025. An additional Security Advisory was released for Ivanti Endpoint Manager, which provides mitigation options for vulnerabilities disclosed October 7, 2025.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/october-2025-security-update"&gt;October Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released 12 updates addressing 36 CVEs. Adobe has rated the Commerce update as a priority two and the rest of the updates as priority three.&lt;/li&gt;
	&lt;li&gt;Mozilla released five updates resolving 45 CVEs. Three of the CVEs included variations of the statement, “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” indicating a possibility of exploitation in the wild. All five updates include at least one of the suspected exploit CVEs, so we recommend treating all five as containing a known exploited CVE.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release in the next 24 hours, so plan a Chrome update and a possible Edge update shortly after.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;October update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS cumulative update is the top priority this month, as it resolves three exploited and two publicly disclosed CVEs.&lt;/li&gt;
	&lt;li&gt;All Mozilla updates should be deployed during your current maintenance, but any deferral or delay would come with risks as there are three CVEs that are speculated to be exploitable in the wild already.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Oct 2025 21:43:03 Z</pubDate></item><item><guid isPermaLink="false">1e06c1d3-73c7-4d72-a44e-2bbac861d0cd</guid><link>https://www.ivanti.com/blog/ring-deployment-user-feedback-patch-management-strategy</link><atom:author><atom:name>Dan Lahan</atom:name><atom:uri>https://www.ivanti.com/blog/authors/dan-lahan</atom:uri></atom:author><category>Patch Management</category><category>Security</category><title>Is Your Patch Process Hurting End Users’ Experience? Here’s How to Fix It</title><description>&lt;p&gt;Just one bad patch can cause key systems to fail, disrupting your teams and, ultimately, your customer experience.&lt;/p&gt;

&lt;p&gt;While I was checking out at a supermarket self-service machine, the screen suddenly froze and then the dreaded blue screen of death appeared. A nearby staff member quickly came over and, with a bit of a sigh, said it was the third time that day this happened. While I’ll never know for certain whether a patch was the only cause, businesses want to minimize these types of issues.&lt;/p&gt;

&lt;p&gt;One bad patch can impact your organization, too. Imagine your customers unable to contact your client success team or your frontline workers unable to access critical data.&lt;/p&gt;

&lt;p&gt;While you could delay patch deployment, you run the risk of a total company outage due to a ransomware breach or other cyberattack.&lt;/p&gt;

&lt;p&gt;The reality is that vulnerability remediation requires never-ending vigilance. You can address many vulnerabilities through &lt;a href="https://www.ivanti.com/blog/effective-modern-patch-management-processes-and-best-practices-for-patch-operations"&gt;patch management&lt;/a&gt;, but without adequate testing, critical systems and business services can get disrupted, affecting your teams and, in short order, reducing profitability.&lt;/p&gt;

&lt;p&gt;Let’s take a look at how poorly managed patch updates can cause major disruptions. I’ll also discuss how a &lt;a href="https://www.ivanti.com/company/press-releases/2025/ivanti-launches-ring-deployment-to-reduce-patch-risk-and-help-customers-address-the-evolving-threat-landscape"&gt;ring-based deployment strategy&lt;/a&gt;, combined with user surveys after each stage of the rollout, provides a safer and smarter way to mitigate vulnerabilities and outages.&lt;/p&gt;

&lt;h2&gt;Patch deployment: The need for speed&lt;/h2&gt;

&lt;p&gt;Regular patch management is one of the best ways to secure your data and services. Security frameworks provide best practices, guidance and standards for customers to adhere to; for example, &lt;a href="https://www.cisecurity.org/controls/v8" rel="noopener" target="_blank"&gt;CIS Controls v8&lt;/a&gt; guides teams to apply critical patches in less than seven days, and remediation must occur faster (within 24 hours) if a vulnerability is part of the CISA KEV list.&lt;/p&gt;

&lt;p&gt;Organizations comply with these (and the other controls) to reduce the risk of catastrophic breaches, maintain regulatory compliance and reduce cyber insurance costs.&lt;/p&gt;

&lt;p&gt;In addition, vulnerability exploitation &lt;a href="https://www.verizon.com/about/news/2025-data-breach-investigations-report" rel="noopener" target="_blank"&gt;surged by 34%&lt;/a&gt; compared to last year (2024). Ransomware-as-a-Service (RaaS) has transformed cybercrime into a subscription economy, where low-skilled attackers can rent powerful ransomware kits from dark web marketplaces. This model dramatically lowered the barrier to entry, fueling a surge in global attacks and extortion attempts.&lt;/p&gt;

&lt;p&gt;Now, with the integration of artificial intelligence, threat actors can automate reconnaissance in attempts to locate vulnerable targets at speed. All this makes proper patch management more essential than ever. When a critically rated vulnerability is identified (e.g., a zero day), deployment speed is crucial — but you must balance it with control. &lt;a href="https://www.ivanti.com/blog/ring-deployment"&gt;Ring deployment&lt;/a&gt; acts as an early warning system by rolling out updates in controlled waves.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ring deployment for secure, scalable patch management&lt;/h2&gt;

&lt;p&gt;Ring deployment for patch management is a phased approach to rolling out software updates or patches across an organization. Devices are grouped into “rings” based on risk tolerance and criticality. This tried-and-true method helps reduce the risk of widespread disruption by detecting and resolving issues early in the deployment cycle.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Three concentric circles illustrate a software release process: the smallest red circle labeled “Test ring: Internal testers responsible for identifying critical issues,” surrounded by a purple circle labeled “Early adoption ring: Key stakeholders who are willing to provide feedback,” both inside the largest purple circle labeled “Full production ring: The entire user base.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/diagram_ring-deployment.png"&gt;&lt;/p&gt;

&lt;p&gt;And it gets even more powerful when you combine&amp;nbsp;it with telemetry from devices and user sentiment. Direct user feedback during each ring allows IT to deploy at scale and maintain speed.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Combine user surveys and ring deployment to stay ahead of potential patch issues&lt;/h2&gt;

&lt;p&gt;It’s that time again: your organization is rolling out a patch to address a critical vulnerability.&lt;/p&gt;

&lt;p&gt;You start with a ring-based deployment — a small group of IT staff and early adopters gets the update first. This initial phase helps validate that the patch installs cleanly without breaking core systems. Once it clears that stage, the patch moves to the next ring — maybe 500 general users from non-critical departments.&lt;/p&gt;

&lt;p&gt;With this quantity and diversity of devices, &lt;a href="https://www.ivanti.com/resources/bot-library/user-productivity/post-patch-survey"&gt;user feedback&lt;/a&gt; helps you determine if the overall update worked and can even help you identify when downstream issues may occur before you move on to the next ring.&lt;/p&gt;

&lt;p&gt;In your user surveys, collect feedback on:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;System performance.&lt;/li&gt;
	&lt;li&gt;Usability.&lt;/li&gt;
	&lt;li&gt;Post-patch issues experienced by users in the current ring.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This way, you can gate your rollout — if survey results reveal a high rate of negative feedback or unresolved issues, pause the deployment for investigation and remediation. Open support tickets, gather device logs and alert your IT team.&lt;/p&gt;

&lt;p&gt;This feedback loop ensures that only stable, well-received updates advance, reinforcing trust in IT processes and reducing the risk of vulnerabilities making it into high-impact environments, like your customer care center.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Workflow diagram for patch rollout featuring a smiling robot with a clipboard. Steps include &amp;quot;Patch Rollout&amp;quot; (red box at top), &amp;quot;Send Survey,&amp;quot; &amp;quot;Collect Data,&amp;quot; then branching to &amp;quot;Register Feedback&amp;quot; (red oval, left) and &amp;quot;File an IT Ticket&amp;quot; (purple oval, right). The robot stands beside a checklist with green check marks and a thumbs-up badge." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/diagram_patch-rollout.png"&gt;&lt;/p&gt;

&lt;h2&gt;Scale your security posture and minimize disruptions with ring deployment and user feedback&lt;/h2&gt;

&lt;p&gt;When you combine ring deployment and patch experience user surveys, your organization can successfully deploy all critical patches in a timely manner, meeting both security best practices and compliance requirements. Systems are secure, risks from known vulnerabilities are reduced and auditors can see evidence of a timely, controlled process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Ivanti Neurons for Patch Management&lt;/a&gt; helps you make patch deployment a seamless process by surveying users directly in the patch experience, automatically pausing rollouts if survey results reveal issues or users respond negatively.&lt;/p&gt;

&lt;p&gt;Remember, patching is never truly finished—new vulnerabilities are disclosed daily, and the next cycle of updates is already on the horizon. Staying secure means repeating this process consistently, ensuring that each patch cycle closes today’s risks while preparing for tomorrow’s threats.&lt;/p&gt;
</description><pubDate>Tue, 23 Sep 2025 14:58:00 Z</pubDate></item><item><guid isPermaLink="false">419bfa61-ee47-4c09-aa89-434ff944ccb0</guid><link>https://www.ivanti.com/blog/september-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>September 2025 Patch Tuesday</title><description>&lt;p&gt;The days leading into September Patch Tuesday include a bit of chaos from a pair of actively exploited Android CVEs (CVE-2025-38352, CVE-2025-48543), a zero day in WhatsApp (CVE-2025-55177), another zero day in WinRAR (CVE-2025-8088), and a major supply chain attack through the Drift AI Chat Agent exposing Salesforce customers’ data.&lt;/p&gt;

&lt;p&gt;The good news is Microsoft only has a pair of publicly disclosed vulnerabilities (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;) out of 81 total CVEs resolved this month, making this about as close to a calm Patch Tuesday as we can hope for.&lt;/p&gt;

&lt;p&gt;The Windows OS and Office updates are rated Critical this month, putting those as the highest priority, but with no zero-day exploits, this month should be focused on routine maintenance from a Microsoft perspective.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 8.8 and affects all Windows OS editions. The code maturity is unproven, which would indicate no code samples have been disclosed. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Improper Handling of Exceptional Conditions vulnerability in Newtonsoft.Json (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is unrated and affects SQL Server 2016, 2017 and 2019. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial-of-service condition. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates resolving 22 CVEs, 12 of which are rated Critical. The products affected include Adobe Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer, Experience Manager, Dreamweaver, 3D Substance Modeler and ColdFusion. Adobe has rated the ColdFusion update as a priority one and Commerce as a priority two. The other seven updates are rated priority three.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates for September Patch Tuesday resolving a total of 13 CVEs. The affected products include Ivanti Connect Secure and Policy Secure and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/september-2025-security-update"&gt;September Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;September update priorities&lt;/h2&gt;

&lt;p&gt;With no zero-days released on Patch Tuesday, the updates this month are predominantly low risk. Ensure you have the zero days leading up to Patch Tuesday in hand, and plan to deploy the Microsoft and Adobe updates through your regular maintenance activities this month.&lt;/p&gt;
</description><pubDate>Tue, 09 Sep 2025 21:28:36 Z</pubDate></item><item><guid isPermaLink="false">3ae8d951-7002-41fd-976c-737c26267f79</guid><link>https://www.ivanti.com/blog/august-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>August 2025 Patch Tuesday</title><description>

&lt;p&gt;Let me start this month off with a question. Have you already decided what you are going to do for your remediation plan this month? Think about it for a second. OS updates, productivity apps, browsers, and other apps are already likely under consideration for your August patch maintenance. The real decisions you need to consider are around timing. Do you proceed with your typical Patch Tuesday plan or do you need to accelerate any zero-days, etc.?&lt;/p&gt;

&lt;p&gt;What you just thought about was a generalization of defining your risk appetite. There is a lot of discussion across the vulnerability management market about how to modernize vulnerability management. When you think about trends like 32% of 1H 2025 known exploited vulnerabilities (KEVs) being zero-day or 1-day exploits, it can feel overwhelming. How do you keep up with a continuous stream of updates? Ideally by defining your outcome and configuring for success.&lt;/p&gt;

&lt;p&gt;If we break this month’s Patch Tuesday down into parallel remediation streams:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Routine Maintenance: Much of what was released today will fall into your recurring monthly maintenance, which typically starts on Patch Tuesday and runs for two weeks or more depending on your SLAs, OS, productivity apps, third-party apps, etc.&lt;/li&gt;
	&lt;li&gt;Priority updates: Browsers tend to release more frequently (typically weekly) and may warrant a priority update track to keep up with the constant stream of new exposures in your environment. This patch cycle you may be resolving CVEs in multiple browsers from the past four weeks if you don’t have a more frequent update plan in place for the browsers.&lt;/li&gt;
	&lt;li&gt;Zero-day Response: The recent SharePoint exploits are a good example of the disruptive/unpredictable nature of zero-day exploits.&lt;/li&gt;
	&lt;li&gt;Continuous Compliance: The three previous tracks could solve most of your remediation challenges, but what about users who are on vacation or a leave of absence, who got a new system whose shipping bypassed the current month’s maintenance window, or who installed something new that was not the latest version? Defining a baseline and keeping it updated as new updates pass your quality tests would keep your systems in compliance when drift occurs for any of these reasons.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved one publicly disclosed vulnerability in Windows Kerberos (CVE-2025-53779). The CVE is an Elevation of Privilege vulnerability that could allow an attacker to gain domain admin privileges. The CVE is rated Medium and has a CVSS score of 7.2. The vulnerability only affects Windows Server 2025.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released thirteen new updates on Patch Tuesday, but the most urgent is the Adobe Experience Manager Forms update released on August 5 resolving two publicly disclosed CVEs (CVE-2025-54253 and CVE-2025-54254). &lt;a href="https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html" rel="noopener" target="_blank"&gt;APSB25-82&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Google Chrome 139.0.7258 was released, resolving five CVEs, and is rated Critical. This will also affect Microsoft Edge, so watch for that update, likely to come later this week.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;August update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft SharePoint is the top priority this month to resolve recent zero-day exploits being targeted by multiple nation state level threat actors. Update ASAP.&lt;/li&gt;
	&lt;li&gt;Adobe Experience Manager Forms update released on August 5 is your second highest priority.&lt;/li&gt;
	&lt;li&gt;Windows OS and Office have Critical CVEs this month. Get them updated as part of your regular maintenance and you should be good.&lt;/li&gt;
	&lt;li&gt;Microsoft Exchange Server and SQL Server each received updates. The CVEs were only rated as Important, so there is no need to escalate remediation, but server admins should start to test and roll out within the next month.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 12 Aug 2025 22:08:03 Z</pubDate></item><item><guid isPermaLink="false">701f3765-2d1a-4e95-86e2-42564105482d</guid><link>https://www.ivanti.com/blog/windows-11-migration-strategy</link><atom:author><atom:name>Mariah Shotts</atom:name><atom:uri>https://www.ivanti.com/blog/authors/mariah-shotts</atom:uri></atom:author><category>Endpoint Management</category><category>Patch Management</category><title>Windows 11 Migration: Ivanti's Customer Zero Journey with Win11 Upgrades</title><description>&lt;p&gt;Windows 11 offers enhanced security and a modern user interface, but the transition can be complex for large organizations, with logistical and employee buy-in challenges. Microsoft will end support for Windows 10 on October 14, 2025, so it's crucial to start planning and executing Windows 11 deployments now.&lt;/p&gt;

&lt;h2&gt;The need to migrate to Windows 11&lt;/h2&gt;

&lt;p&gt;Migrating to Windows 11 is essential for staying current, secure and efficient. It provides advanced security features like stronger encryption and improved threat detection, safeguarding your data and enhancing IT resilience. The user-friendly interface also streamlines daily tasks, boosting productivity. With Microsoft ending support for Windows 10 this year, upgrading can help organizations avoid increased security risks and potential downtime. According to &lt;a href="https://www.gartner.com/en/documents/6338779" rel="noopener" target="_blank"&gt;Gartner&lt;/a&gt;, many enterprises are opting to replace even compatible machines with new hardware to ensure optimal performance with Windows 11. Proactive planning ensures a smooth and seamless transition.&lt;/p&gt;

&lt;h2&gt;Ivanti’s use-case for Windows 10 to Windows 11 migration&lt;/h2&gt;

&lt;p&gt;At Ivanti, we’ve been successfully rolling out Windows 11 migrations since the beginning of 2025. As with many large organizations, this migration is something we’ve been discussing and planning for quite some time. The goal is to update every eligible machine in a timely manner and triage ineligible machines for further troubleshooting or replacement.&lt;/p&gt;

&lt;p&gt;To meet this goal, we prioritized using our own Ivanti Neurons platform solutions, which equipped us with the proactive tools and insights necessary for a successful Windows 11 deployment. Using a phased approach, we were able to identify and address issues coming back from early adopters and gather valuable feedback. Once we saw validation of our plan, we could gradually roll out the upgrade to the rest of the organization, ensuring a smoother migration overall.&lt;/p&gt;

&lt;h2&gt;Potential challenges&lt;/h2&gt;

&lt;p&gt;Like any other company, we wanted to get ahead of any potential barriers to a successful migration.&lt;/p&gt;

&lt;h3&gt;Hardware compatibility and unknown devices&lt;/h3&gt;

&lt;p&gt;One of the biggest challenges in upgrading to Windows 11 is meeting the hardware requirements. Many existing devices may not satisfy Microsoft's strict criteria, limiting the number of eligible machines. This can be especially problematic for organizations with a mix of older hardware. To tackle this, Ivanti’s IT team used our discovery capabilities to perform a thorough inventory and assessment of all devices, identifying those that would need to be upgraded or replaced before starting the migration. You can’t migrate devices you don’t know about, which made a comprehensive view of our IT landscape a key first step.&lt;/p&gt;

&lt;h3&gt;End-user friction and disruptions to productivity&lt;/h3&gt;

&lt;p&gt;User resistance to new interfaces and features can be another barrier to success. Change can be daunting, and the new look and features of Windows 11 may intimidate users accustomed to older versions. OS upgrades can also cause disruptions to users’ work, causing frustrations and downtime. To minimize these issues, Ivanti’s IT team wanted to make sure that updates were happening at a time most convenient to the end user to avoid losing unsaved work or disrupting productivity in general.&lt;/p&gt;

&lt;h3&gt;Continuing security updates with extended support&lt;/h3&gt;

&lt;p&gt;Not every machine can immediately upgrade to Windows 11 due to hardware requirements. However, Ivanti’s extended support will allow us to continue Windows 10 security updates past October, keeping these devices protected and functional.&lt;/p&gt;

&lt;p&gt;Ivanti’s Extended Security Update (ESU) deployment streamlines the patching process, reduces IT workload and maintains compliance with regulations like GDPR, HIPAA, or PCI-DSS. Unpatched systems face over 1,200 vulnerabilities annually, and a data breach can cost an average of $4.45 million, according to &lt;a href="https://www.ibm.com/reports/data-breach" rel="noopener" target="_blank"&gt;IBM&lt;/a&gt;. We need to make sure that any devices that don’t update to Windows 11 are kept safe and secure from vulnerabilities.&lt;/p&gt;

&lt;p&gt;Extended support also helps us extend our device lifecycle for devices that aren’t quite ready to be replaced, or when budget constraints are a factor. According to Gartner, many enterprises are still delaying purchases despite the need to move from Windows 10 to Windows 11, extending the lifecycle of their existing equipment and seeking alternatives to maximize their budgets. Ivanti’s ESU solutions help extend the lifespan of these devices, avoiding the high costs of a full hardware refresh. This ensures seamless patching, minimizes security risks and reduces manual IT effort, helping us avoid potential losses and disruptions.&lt;/p&gt;

&lt;h2&gt;Ivanti’s Windows 11 migration workflow&lt;/h2&gt;

&lt;p&gt;Ivanti Neurons allowed us to automate key elements of the migration, from the initial device assessment to the upgrade itself, streamlining each phase and allowing our IT team to concentrate on other mission-critical activities. In general, here is how the workflow for updating devices from Windows 10 to Windows 11 looks at Ivanti.&lt;/p&gt;

&lt;h3&gt;1. Preparation&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Identify Devices:&lt;/strong&gt; Create a group of Windows 10 devices that need to be upgraded.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Download Files:&lt;/strong&gt; Push necessary files to the devices, ensuring efficient data transfer by using ZIP files.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;2. Pre-Check&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Eligibility Check:&lt;/strong&gt; Run PowerShell scripts to verify if the device meets the hardware requirements for Windows 11.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Power Check:&lt;/strong&gt; Ensure the device is connected to A/C power.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;3. User Interaction&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Notification:&lt;/strong&gt; Use Teams bot integration to notify users about the upgrade and allow them to schedule it.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Consent:&lt;/strong&gt; Users provide consent for the upgrade via an interactive Teams message.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="it notices" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/win11screenshot.png"&gt;&lt;/p&gt;

&lt;h3&gt;4. Upgrade Execution&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Run Upgrade:&lt;/strong&gt; Execute the Windows Update Assistant to perform the upgrade.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Monitor Progress:&lt;/strong&gt; Track the upgrade process and handle any errors or issues that arise.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;5. Post-Upgrade Actions&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Restart Device:&lt;/strong&gt; Prompt users to restart their devices to complete the upgrade.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Activation Check:&lt;/strong&gt; Verify that the device is activated with an enterprise license key.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Additional Updates:&lt;/strong&gt; Apply any necessary Windows updates post-upgrade.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;6. Error Handling&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Automated Ticket Creation:&lt;/strong&gt; Use a bot to generate tickets for devices that fail the upgrade process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Troubleshooting:&lt;/strong&gt; Enterprise services team handles cases where devices cannot be upgraded automatically.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;7. Continuous Improvement&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Refinement:&lt;/strong&gt; Break down the upgrade process into smaller automated steps to streamline operations.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Feedback:&lt;/strong&gt; Incorporate user feedback to improve the upgrade experience.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This workflow ensures a smooth transition from Windows 10 to Windows 11 while minimizing disruptions and handling exceptions efficiently. This process has been rolled out gradually, taking it one week at a time. It’s been thoughtful and intentional, working to build this process and workflow for the future by ensuring it’s flexible and modular. That way, we can revisit a similar process for the next generation of Windows whenever it comes.&lt;/p&gt;

&lt;h2&gt;Ready to start your Windows 11 migration?&lt;/h2&gt;

&lt;p&gt;Migrating to Windows 11 is essential for maintaining security, efficiency and compliance. Ivanti has leveraged our own solutions to automate key steps, gather user feedback and provide extended security updates for ineligible devices, all while ensuring a smooth transition that minimizes end-user disruption and maximizes IT efficiency.&lt;/p&gt;

&lt;p&gt;Ivanti’s approach and workflow not only addresses current challenges but also sets up a flexible and modular foundation for future OS upgrades.&lt;/p&gt;

&lt;p&gt;Ready to start your own Windows 11 migration? Learn how Ivanti Neurons can simplify and automate the process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/ivanti-neurons"&gt;Explore Ivanti Neurons&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Mon, 21 Jul 2025 15:46:23 Z</pubDate></item><item><guid isPermaLink="false">d95dc7b1-8024-40d9-915e-a4549e38b7fa</guid><link>https://www.ivanti.com/blog/july-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>July 2025 Patch Tuesday</title><description>&lt;p&gt;July Patch Tuesday is a sizable one, but no significant security risk. Microsoft resolved 130 new CVEs, including one public disclosure. There are seven additional CVEs from MITRE regarding vulnerabilities in Git resolved through the Visual Studio update this month. Fourteen CVEs are rated Critical by Microsoft, affecting Windows OS, Office, SharePoint, and SQL.&lt;/p&gt;

&lt;p&gt;The DHCP issue caused by the June 2025 update appears to be resolved. It is not reported as a known issue for Windows OS KBs, and some quick querying through Gemini agrees the issue appears to be resolved.&lt;/p&gt;

&lt;p&gt;Gemini’s response to the query is below:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;July update server DHCP issue resolved&lt;/p&gt;

&lt;p&gt;Yes, according to information available on July 8, 2025, Microsoft has resolved the DHCP server issue that was caused by the June 2025 security updates.&lt;/p&gt;

&lt;p&gt;Key points:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;June 2025 updates caused the problem: Microsoft's June 2025 Patch Tuesday updates introduced a bug that could cause the DHCP service to freeze or stop responding on Windows Server 2016 through 2025. This issue prevented some clients from renewing their IP addresses.&lt;/li&gt;
	&lt;li&gt;Fix released in July updates: Microsoft released Windows updates on July 8, 2025, and subsequent updates that resolve this issue.&lt;/li&gt;
	&lt;li&gt;Workaround before the fix: Before the July updates were available, the recommended workaround was to uninstall the affected June updates and restart the server, but this left systems vulnerable to security threats patched in those updates.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;The Windows Server OS updates this month resolve 16 CVEs in Windows Routing and Remote Access Service (RRAS). These vulnerabilities could allow an unauthenticated attacker to convince a user to initiate a connection to a malicious server that could allow them to execute arbitrary code. The attack would require no privileges and could be exploited over the network. Applying the updates to the OS is the best solution, but additional mitigations like restricting RRAS ports to trusted networks or VPN concentrators can limit exposure, as well as employing firewall rules and disabling unused RRAS features.&lt;/p&gt;

&lt;p&gt;Developers have a bit of work to do on their side this month. Microsoft resolved seven CVEs in Git and two additional CVEs that require a Visual Studio update this month.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure in Microsoft SQL (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49719" rel="noopener" target="_blank"&gt;CVE-2025-49719&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 7.5. The code maturity is unproven, which would indicate no code samples. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome resolved their fourth zero-day exploit on June 30, so from a risk-based prioritization perspective, Chrome and Edge updates take the focus leading up to Patch Tuesday. &lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt; was resolved in build 138.9.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.92 for Linux, which they indicated would roll out over the coming days/weeks.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released three updates for July Patch Tuesday resolving a total of 11 CVEs. The affected products include Ivanti Connect Secure and Policy Secure, Ivanti EPMM and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/july-security-update-2025"&gt;July Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;July update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Google Chrome and Microsoft Edge browsers are the top priority this month. Ensure you have deployed the latest updates to resolve the zero-day exploit (&lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt;) that was identified on June 30.&lt;/li&gt;
	&lt;li&gt;Windows Server OS updates are likely the biggest security priority this month, especially for those who experienced the DHCP issues after the June update and had to uninstall the June update.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Jul 2025 21:17:47 Z</pubDate></item><item><guid isPermaLink="false">ba181d8d-6bbb-41d4-9d70-0216bae9cdd8</guid><link>https://www.ivanti.com/blog/june-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>June 2025 Patch Tuesday</title><description>&lt;p&gt;June Patch Tuesday is upon us. There has been a lot of activity in the past few weeks. Mid-May was the &lt;a href="https://www.zerodayinitiative.com/blog?tag=Pwn2Own" rel="noopener" target="_blank"&gt;Pwn2Own Berlin 2025 event&lt;/a&gt;, and the $1M USD in rewards that were paid out came with many newly discovered vulnerabilities affecting Microsoft, Google, Mozilla, VMware, NVIDIA, Oracle and other vendors. Since the event, there have been several updates from many of these vendors, so expect a lot of third-party updates this month from releases leading up to Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Microsoft released updates resolving 66 CVEs, nine of which are rated Critical. In addition, there is one public disclosure and one zero-day exploit. Updates this month affect Windows, Office, SharePoint, Visual Studio, and .NET. The zero day and public disclosure are both resolved by the Windows OS update this month.&lt;/p&gt;

&lt;p&gt;Third-party updates from Mozilla, Google (including two recent zero-day exploits) and Adobe leading up to Patch Tuesday will add to the load. If your organization is updating applications like browsers on a weekly basis to keep up with continuous release applications commonly used to target end users, you should be up to date on all but Adobe. If not, you will want to ensure you get these queued up for your patch maintenance.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Web Distributed Authoring and Versioning (WEBDAV) (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;), which Microsoft has confirmed to be exploited in the wild. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. Risk-based prioritization would treat this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB Client (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. The code maturity is Proof-of-Concept and the vulnerability is remotely exploitable, which will make this a desirable target for threat actors. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome continues their weekly security update cadence. Expect a Chrome update this week to add to the four releases and 14 CVEs resolved since May Patch Tuesday. This includes two zero-day exploits resolved in the past few weeks (CVE-2025-5419 and CVE-2025-4664).&lt;/p&gt;

&lt;p&gt;Mozilla has released multiple security updates since the Pwn2Own Berlin event. The two CVEs exploited in the event were resolved in the May 17 release (Firefox 138.0.4) and since then, Mozilla has released Firefox 139 and 139.0.4, as well as updates for Firefox ESR and Thunderbird. Ensure you have the latest Mozilla updates queued up this Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Acrobat Reader and six other products, resolving 259 CVEs. 225 of these were included in the Experience Manager update, with hefty contributions from a handful of diligent security researchers.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released one update for June Patch Tuesday resolving a total of three CVEs. The affected product is Ivanti Workspace Control.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/june-security-update"&gt;June Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;June update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is the top priority this month with one zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;) and one public disclosure (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Google Chrome should be a top priority if you have not deployed updates for June 2 and earlier, as it will resolve two zero-day exploits (CVE-2025-5419 and CVE-2025-4664).&lt;/li&gt;
	&lt;li&gt;Browsers in general should be updated weekly to keep up with the continuous release cycle. Edge, Chrome and Firefox received multiple updates since May Patch Tuesday, including multiple high-profile disclosures and zero-day exploits.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 10 Jun 2025 20:52:28 Z</pubDate></item><item><guid isPermaLink="false">34200be4-39ae-48b7-bc0f-9ef5f2e9cb32</guid><link>https://www.ivanti.com/blog/patch-tuesday-may-2025</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>May 2025 Patch Tuesday</title><description>&lt;p&gt;May Patch Tuesday resolves five actively exploited and two publicly disclosed vulnerabilities. Spoiler alert: all five zero-days are resolved by deploying the Windows OS update. Also, this month Windows 11 and Server 2025 updates include some new AI features, but they carry a lot of baggage. Literally – they are around 4GB! New AI features include Recall, Click to Do and Improved Windows Search.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a total of 72 new CVEs this month, six of which are rated Critical. The five zero-day vulnerabilities are rated Important, but using a risk-adjusted scoring model they would all be rated Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709" target="_blank" rel="noopener"&gt;CVE-2025-32709&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain administrator privileges. The vulnerability affects Windows Server 2012 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a pair of Elevation of Privilege vulnerabilities in Windows’ Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706" target="_blank" rel="noopener"&gt;CVE-2025-32706&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701" target="_blank" rel="noopener"&gt;CVE-2025-32701&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerabilities affect all Windows OS versions. The vulnerabilities are confirmed to be exploited in the wild. Microsoft’s severity rating for both CVEs is Important, with a CVSS 3.1 score of 7.8. Risk-based prioritization warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Microsoft DWM Core Library (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400" target="_blank" rel="noopener"&gt;CVE-2025-30400&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerability affects Windows 10, Server 2016 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Memory Corruption vulnerability in Microsoft Scripting Engine (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397" target="_blank" rel="noopener"&gt;CVE-2025-30397&lt;/a&gt;) that could allow an unauthorized attacker to execute code over a network. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Remote Code Execution vulnerability in Visual Studio (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32702" target="_blank" rel="noopener"&gt;CVE-2025-32702&lt;/a&gt;) that could allow an unauthorized attacker to execute code locally. The vulnerability affects Visual Studio 2019 and 2022. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Identity Spoofing vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26685" target="_blank" rel="noopener"&gt;CVE-2025-26685&lt;/a&gt;) that could allow an unauthorized attacker to perform spoofing over an adjacent network. The vulnerability affects Microsoft Defender for Identity. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe has released 13 updates this month resolving 39 CVEs, 33 of which are Critical. For more details, see &lt;a href="https://helpx.adobe.com/security.html" target="_blank" rel="noopener"&gt;Adobe’s Latest Product Security Updates&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release a weekly update shortly, so keep an eye out.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released four updates for May Patch Tuesday resolving a total of four CVEs and one CWE. The affected products include Ivanti Neurons for ITSM (on-prem only), Ivanti ICS, Ivanti Neurons for MDM and Ivanti EPMM.&lt;/p&gt;

&lt;p&gt;The Ivanti EPMM update resolves a medium and a high CVE that, when chained together and successfully exploited, could lead to unauthenticated remote code execution. Ivanti is aware of a very limited number of customers whose solution has been exploited at the time of disclosure.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/may-2025-security-update"&gt;May Security Update on the Ivanti blog&lt;/a&gt; and &lt;a href="https://www.ivanti.com/blog/epmm-security-update"&gt;EPMM Security Update&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;May update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Windows OS is your top priority this month with five zero-day exploits reported (CVEs).&lt;/li&gt;
	&lt;li&gt;Ivanti EPMM customers should apply either of the mitigation options or update as soon as possible.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 May 2025 22:03:04 Z</pubDate></item><item><guid isPermaLink="false">522eeffe-41ed-4633-8064-6a4bfc1b576c</guid><link>https://www.ivanti.com/blog/ring-deployment</link><atom:author><atom:name>Sydney Lesser</atom:name><atom:uri>https://www.ivanti.com/blog/authors/sydney-lesser</atom:uri></atom:author><category>Patch Management</category><title>What is Ring Deployment? A Guide to Phased Software Rollouts</title><description>&lt;p&gt;Exploitation of vulnerabilities &lt;a href="https://www.verizon.com/business/resources/T625/reports/2024-dbir-data-breach-investigations-report.pdf" rel="noopener" target="_blank"&gt;increased 180% year over year&lt;/a&gt; from 2023 to 2024, which means that the need to secure endpoints quickly and effectively, always a priority, will only continue to escalate. Patching these vulnerabilities promptly, but without sacrificing stability, can present operational challenges. One way to achieve this is ring deployment, a technique that progressively scales rollouts to user groups. Below, we'll explore what ring deployment is, how it works and why it's an essential strategy for IT and security teams.&lt;/p&gt;

&lt;h2&gt;Understanding the ring deployment model&lt;/h2&gt;

&lt;p&gt;The ring deployment model is a structured approach to software rollouts that involves deploying updates or new features in progressive stages, or "rings." Each ring represents a different group of users, starting with a small, controlled group and gradually expanding to a larger audience. This method allows teams to test and validate changes in a controlled environment before releasing them to the entire user base.&lt;/p&gt;

&lt;p&gt;Once the initial ring-based deployment proves successful and any issues are ironed out, teams can confidently expand the update to the next ring. This step-by-step expansion helps minimize the risk of widespread problems and makes the deployment more reliable.&lt;/p&gt;

&lt;h2&gt;How ring-based deployment works: a step-by-step guide&lt;/h2&gt;

&lt;p&gt;The first step in implementing a ring deployment strategy is to define your rings. Each ring should represent a different group of users, with the size and composition of each group tailored to your organization's needs. Rings can be tailored to suit business needs, including:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Test ring:&lt;/strong&gt; A small group of internal testers or IT staff responsible for identifying critical issues.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Early adopters ring:&lt;/strong&gt; A slightly larger group of users, including key stakeholders who are willing to test new features and provide feedback.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Full production ring:&lt;/strong&gt; The final stage, where the software is released to the entire user base not covered in the test and early adopters rings.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once your rings are defined, the next step is to deploy the software to the early rings and closely monitor performance. At this stage, you’ll track performance, bugs (such as app crashes and error rates) and user feedback. This data will help identify any issues that need to be addressed before progressing to the next ring.&lt;/p&gt;

&lt;p&gt;After successfully deploying to the early rings and addressing any issues, the next step is to gradually expand the rollout to larger groups. This phased approach ensures that the software remains stable and performs well as it reaches a broader audience.&lt;/p&gt;

&lt;p&gt;The final stage is the full production deployment, where the software is released to the entire user base. Even after reaching this stage, it's important to continue monitoring performance and gathering feedback to make ongoing improvements.&lt;/p&gt;

&lt;h2&gt;Best practices for implementing a ring deployment strategy&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Aligning rings with business impact levels:&lt;/strong&gt; Aligning rings with the business impact levels of your organization ensures that you protect critical business functions and promptly address potential issues.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Automating deployments for efficiency:&lt;/strong&gt; This can help improve efficiency and reduce the risk of human error. Tools and scripts can be used to automate the deployment to each ring, ensuring a consistent and reliable process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Continuous monitoring:&lt;/strong&gt; A robust monitoring system can track performance, user feedback and any anomalies. This allows you to swiftly detect and resolve issues, ensuring a seamless user experience.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Having rollback plans in case of failure:&lt;/strong&gt; Issues can still arise after the test ring deployment. Having a rollback plan in place allows teams to quickly revert to a previous version of the software if necessary, minimizing the impact on users.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Communicating with users in different rings:&lt;/strong&gt; Keep users in each ring informed about the deployment process, including any known issues and expected timelines. This helps manage expectations and ensures that users are prepared for any changes.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Following up with a user sentiment survey:&lt;/strong&gt; Early users are invaluable, offering insights that can drive significant refinements. By actively engaging with user feedback via a user survey, teams can pinpoint issues, address bugs and uncover areas for improvement that may not have been evident during the deployment process.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Key benefits of using ring deployment&lt;/h2&gt;

&lt;h3&gt;Reduces risk&lt;/h3&gt;

&lt;p&gt;One of the primary benefits of ring deployment is the ability to catch and resolve issues early in the deployment process. By starting with a small group of users, teams can identify and address critical bugs and performance issues before they affect the entire user base, allowing for seamless facilitation of continuous improvement. This iterative process enables teams to make rapid adjustments and enhancements, ensuring that the final version of deployed patches aligns perfectly with the needs and expectations of broader user bases.&lt;/p&gt;

&lt;h3&gt;Improves user experience&lt;/h3&gt;

&lt;p&gt;By testing new patches with smaller groups, teams can gather valuable feedback and make necessary adjustments. Any errors that might occur with releases are caught and iterated upon before they can interrupt the majority of users.&lt;/p&gt;

&lt;h3&gt;Avoids major disruptions&lt;/h3&gt;

&lt;p&gt;Ring-based deployment not only reduces user disruption but also keeps productivity flowing during updates. By introducing changes gradually, users are less likely to be caught off guard by sudden, major shifts that could derail their workflows. This methodical, controlled rollout guarantees a smoother transition, keeping downtime and frustration to a minimum. Users can acclimate to new features and updates at a comfortable pace, which is especially crucial in enterprise settings where stability and reliability are non-negotiable.&lt;/p&gt;

&lt;h3&gt;Supports iterative improvements&lt;/h3&gt;

&lt;p&gt;Ring deployment supports continuous improvement by letting teams gather feedback from users at each stage of the rollout. This feedback can be used to make iterative improvements, ensuring that the final update meets user needs and expectations.&lt;/p&gt;

&lt;h2&gt;Why ring deployment is a smart choice&lt;/h2&gt;

&lt;p&gt;A ring-based deployment strategy can help organizations achieve a smoother and more stable deployment process, ultimately leading to better software and happier users. If your organization is looking to adopt ring deployment, start by defining your rings, automating the deployment process and maintaining effective communication with users. With careful planning and execution, ring deployment can become a valuable part of your IT and software development strategy.&lt;/p&gt;
</description><pubDate>Tue, 22 Apr 2025 19:06:30 Z</pubDate></item><item><guid isPermaLink="false">9933c7b4-38db-4e37-9af3-cdce170e5851</guid><link>https://www.ivanti.com/blog/april-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>April 2025 Patch Tuesday</title><description>&lt;p&gt;April Patch Tuesday appears to be a high count of resolved CVEs, but a low number of high priority risks. Microsoft has resolved 121 new unique CVEs this month, 11 of which are rated critical and one known to be exploited. The zero-day vulnerability is in the Windows OS this month, making that your top priority.&lt;/p&gt;

&lt;p&gt;In addition, Adobe has released 12 updates resolving 54 CVEs. Adobe ColdFusion was rated highest (Priority 1) and resolves 15 CVEs. Adobe Commerce and Experience Manager Forms were rated Priority 2 and resolved five CVEs and two CVEs respectively. The rest of the Adobe lineup was Priority 3.&lt;/p&gt;

&lt;p&gt;Update your browsers! Google Chrome updated this Patch Tuesday resolving two additional CVEs. On April 1, both Mozilla Firefox and Google Chrome updated. Mozilla Firefox resolved eight CVEs, and Chrome resolved thirteen CVEs. Microsoft Edge (Chromium) updated on April 3 in response to the April 1 Chrome update, which means we will have an additional Edge update coming later this week.&lt;/p&gt;

&lt;p&gt;Oracle is due to release their quarterly CPU on April 15, so keep an eye out for Oracle updates including Java, which will kick off the domino effect of alternative Java frameworks getting updates through the end of April and into early May.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;) that could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released updates for most of the Creative Suite including After Effects, Animate, Bridge, Illustrator, Media Encoder, Photoshop and Premiere Pro.&lt;/li&gt;
	&lt;li&gt;Google Chrome released an update resolving two CVEs. Expect Edge to be released later this week.&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/#CriticalPatchUpdates" target="_blank" rel="noopener"&gt;Oracle’s quarterly CPU is scheduled for April 15, 2025&lt;/a&gt;. Expect updates for a number of Oracle products, but this release will also kick off the domino effect on all Java frameworks like RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released one update for April Patch Tuesday resolving a total of six CVEs. The affected products include Ivanti EPM 2022 and EPM 2024. For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/april-security-update"&gt;April Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;April update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is your top priority this month, with the only zero-day exploit reported (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Update all of your browsers! Last week Mozilla, Chrome and Edge received updates, and an additional Chrome update was released on Patch Tuesday. If you have not already, you should consider moving browser updates to a weekly cadence to reduce exposure time, as Chrome and Edge will receive weekly updates, and Firefox typically has two to three updates per month.&lt;/li&gt;
	&lt;li&gt;Expect Oracle updates on April 15 and additional updates for Java frameworks over the next few weeks.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Apr 2025 21:19:58 Z</pubDate></item></channel></rss>