<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Patch Tuesday</title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/topics/patch-tuesday/rss" /><link>https://www.ivanti.com/blog/topics/patch-tuesday</link><item><guid isPermaLink="false">1c8ff1fb-4b1f-4f6d-93a5-1e1eb9619ac2</guid><link>https://www.ivanti.com/blog/april-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>April 2026 Patch Tuesday</title><description>&lt;p&gt;The lead up to Patch Tuesday has been interesting. We had a Google Chrome zero-day (CVE-2026-5281) that was patched on April 1, an Adobe Acrobat Reader zero-day (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) late in the day on Friday April 10, and several older CVEs that were added to the CISA KEV list yesterday (&lt;a href="https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;April 13&lt;/a&gt;). All of this amidst a lot of industry buzz about Anthropic Mythos and &lt;a href="https://www.anthropic.com/glasswing" rel="noopener" target="_blank"&gt;Project Glasswing&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;What is the correlation between these events and Project Glasswing, you ask? Most of the discussions around Mythos have been focused on where it will be used and the ramifications.&lt;/p&gt;

&lt;p&gt;Finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released. However, it will also be used by researchers and threat actors to find flaws in code that is already released and that is where my speculation is directed.&lt;/p&gt;

&lt;p&gt;Consider the knock-on effects of a massive model like Mythos and what it will mean near term and longer term for the software that companies consume. Near term you will have the big players using a solution like this to release more secure code. As researchers and threat actors adopt more robust AI models to identify exploitable flaws this will result in more coordinated disclosures (good), zero-day exploits (bad) and n-day exploits (bad). All of this will result in more frequent, and more importantly, urgent software updates.&lt;/p&gt;

&lt;p&gt;Many organizations currently struggle to keep up with priority updates resolving exploited vulnerabilities when they occur outside of their normal monthly maintenance. I suspect most organizations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update yesterday. This means that threat actors had another 2-3 days of free rein to exploit CVE-2026-34621 before most organizations became aware, and many of those organizations will likely handle the update as part of their regular maintenance that is starting today on Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Browser security updates are a weekly occurrence. Many other applications that users are utilizing regularly release updates on a continuous cadence, not a set monthly release date. This means many of the user-targeted exploits are going to occur in software that is releasing outside of the average organization’s maintenance schedules, and that frequency is about to increase. It is hard to say if that increase is going to be 1.5x or 5x, but rest assured that the increase will be noticeable and will exacerbate a challenge that most organizations already struggle with – timely patch management.&lt;/p&gt;

&lt;p&gt;Enter Exposure Management. This is really a mindset and maturity change as much as a technology evolution. The mindset change requires us to consider a world where we need to make the decisions up front and monitor those decisions. This is called defining your Risk Appetite and monitoring your Risk Posture. Doing this effectively matures an organization’s response to risks and makes remediation activities much more clear cut.&lt;/p&gt;

&lt;p&gt;The technology evolution requires the traditional vulnerability assessment technologies to integrate into a broader ecosystem where asset visibility or system of record comes together with vulnerability assessment and vulnerability intelligence solutions to refine when risks require more immediate action vs waiting for your regular maintenance activities to occur. Most important is the need for this tech stack to be integrated with your AEM (Autonomous Endpoint Management) platform as this is where remediation predominantly (and automatically) occurs.&lt;/p&gt;

&lt;p&gt;Now, back to our regularly scheduled Patch Tuesday update. Microsoft has resolved 169 CVEs this month, which is a massive Patch Tuesday lineup. April Patch Tuesday is the second-largest Patch Tuesday on record behind the October 2025 Patch Tuesday, which resolved 175 CVEs. The lineup includes one zero-day exploit (CVE-2026-32201) and one public disclosure (CVE-2026-33825) and breaks down into 8 Critical, 156 Important, 3 Moderate and 1 Low severity.&lt;/p&gt;

&lt;p&gt;The zero-day CVE is in Microsoft SharePoint and the public disclosure is in Microsoft Defender making those two updates the most urgent for this month in addition to the Adobe Acrobat and Google Chrome updates leading up to Patch Tuesday.&lt;/p&gt;

&lt;h2&gt;Microsoft’s known exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Server Spoofing Vulnerability in Microsoft SharePoint (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.5, but it has been confirmed to be exploited in the wild. An attacker who successfully exploits this vulnerability can view sensitive information and make changes to the disclosed information. The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege Vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825" rel="noopener" target="_blank"&gt;CVE-2026-33825&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but has been publicly disclosed. The CVE lists exploit code maturity as Proof-of-Concept, which puts this at a higher risk of exploitation. The vulnerability could allow an authorized attacker to elevate their privileges to SYSTEM on the local machine.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for April. The update affects Ivanti Neurons for ITSM and resolves two CVEs. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/april-2026-security-update"&gt;April Security Advisory&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released twelve updates this month: eleven were released on Patch Tuesday, and the zero-day update for Acrobat was released on Friday, April 10. 54 CVEs were resolved with a breakdown of 39 Critical, 13 Important and 2 Moderate. APSB26-43 resolved the zero-day exploit (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;April update to-do list&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe Acrobat (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) and Google Chrome (CVE-2026-5281) each had zero-day exploits leading up to Patch Tuesday. Ensure that you are prioritizing remediation of these two products to the latest version.&lt;/li&gt;
	&lt;li&gt;Microsoft SharePoint includes a zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;) and should be investigated as a priority especially if you have known update challenges with your SharePoint environments.&lt;/li&gt;
	&lt;li&gt;The Microsoft Windows OS update this month resolves 133 CVEs (depending on edition) and includes 4 Critical CVEs. This update will resolve a significant number of findings across your environment.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Apr 2026 22:51:36 Z</pubDate></item><item><guid isPermaLink="false">4438f929-aa59-4aee-a8d8-d16555dab909</guid><link>https://www.ivanti.com/blog/march-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>March 2026 Patch Tuesday</title><description>&lt;p&gt;March Patch Tuesday resolves 79 CVEs, of which three are Critical and 76 are Important. There are two publicly disclosed CVEs this month, but none exploited. Microsoft has also released an Edge update resolving nine Chrome CVEs. The public disclosures include a Denial-of-Service vulnerability in .NET and an Elevation of Privilege vulnerability in SQL Server. Both disclosures are listed as Unproven for Exploit Code Maturity, indicating the disclosures did not include any code samples.&lt;/p&gt;

&lt;p&gt;Adobe and Mozilla have released updates as part of the March Patch Tuesday including eight updates from Adobe resolving a total of 80 CVEs, 21 of which are rated Critical. Mozilla Firefox 148.0.2 released resolving three high severity CVEs.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in SQL Server (CVE-2026-21262). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but it has been publicly disclosed. An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges. The vulnerability affects SQL Server 2016 and later editions.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Denial of Service vulnerability in .NET (CVE-2026-26127). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.5, but it has been publicly disclosed. An out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. The vulnerability affects .NET 9 and 10 on Windows, macOS and Linux as well as NuGet 9 and 10 packages.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released eight updates this month resolving a total of 80 CVEs, 21 of which are rated Critical. Adobe Commerce is the highest priority this month with a Priority 2 rating. Other affected products include Adobe Illustrator, Substance 3D Painter, Acrobat and Acrobat Reader, Premiere Pro, Experience Manager, Substance 3D Stager, and DNG SDK.&lt;/p&gt;

&lt;p&gt;Mozilla has released an update for Firefox 148.0.2 resolving three High severity vulnerabilities.&lt;/p&gt;

&lt;h2&gt;March update to-do list&lt;/h2&gt;

&lt;p&gt;The Microsoft OS and Office updates will resolve the majority of the CVEs resolved this month in two easy updates.&lt;/p&gt;

&lt;p&gt;Mozilla Firefox, Microsoft Edge and Google Chrome are all released frequently. Prioritize browser updates on a weekly or daily basis to reduce risks continuously with minimal risk of impact.&lt;/p&gt;
</description><pubDate>Tue, 10 Mar 2026 21:01:35 Z</pubDate></item><item><guid isPermaLink="false">613c7534-d87d-411a-8d02-57955ea3c5e1</guid><link>https://www.ivanti.com/blog/february-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>February 2026 Patch Tuesday</title><description>&lt;p&gt;February Patch Tuesday includes recent out-of-band updates from Microsoft between January 17th and 29th, including multiple bug fixes and a fix for a zero-day exploit in Microsoft Office. In addition, Microsoft announced the phased disablement of NTLM preceding the February 2026 Patch Tuesday release.&lt;/p&gt;

&lt;p&gt;For the February Patch Tuesday release, Microsoft has resolved 57 unique CVEs. Six CVEs are flagged as Exploited and three of those are Publicly Disclosed as well. Add the out-of-band (OOB) zero-day and you have a lineup of CVEs that need some attention.&lt;/p&gt;

&lt;h2&gt;January Out-of-Band Releases&lt;/h2&gt;

&lt;p&gt;The first OOB release on January 17th resolved a credential prompt failure when attempting remote desktop or remote appliance connections. The second round of OOB updates occurred on January 24th and 26th, resolving application crashes in Outlook and OneDrive, and system hibernation/shut down issues. And finally, the third OOB update on January 26th resolved a zero-day vulnerability, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;, a Microsoft Office Security Feature Bypass vulnerability.&lt;/p&gt;

&lt;h2&gt;Microsoft plans phased NTLM disablement&lt;/h2&gt;

&lt;p&gt;Microsoft released their plan for the&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt;&amp;nbsp;of New Technology LAN Manager (NTLM) in the latest operating systems starting now in 2026 and beyond. The NTLM authentication protocol was introduced back in 1993 and has since been superseded by Kerberos protocols, which are far more secure. However, NTLM has remained the fallback when Kerberos is unavailable despite being deprecated and having weak algorithms.&lt;/p&gt;

&lt;p&gt;Phase one introduces additional auditing to help identify where NTLM may still be running and &lt;a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-8-%E2%80%93-disabling-ntlm/4485782" rel="noopener" target="_blank"&gt;change it out&lt;/a&gt; where you can. Starting now, Microsoft recommends using &lt;a href="https://support.microsoft.com/en-us/topic/overview-of-ntlm-auditing-enhancements-in-windows-11-version-24h2-and-windows-server-2025-b7ead732-6fc5-46a3-a943-27a4571d9e7b" rel="noopener" target="_blank"&gt;advanced NTLM auditing&lt;/a&gt;, already available in Server 2025 and in Windows 11 24H2 and newer. Phase two begins with major OS updates coming later this year. This update will address the ‘pain points’ or blockers by removing multiple fallback scenarios where Kerberos reverts back to NTLM.&lt;/p&gt;

&lt;p&gt;And finally in phase three, NTLM will be disabled by default. The code will still be there, but you will need to explicitly re-enable it if absolutely needed. This three-phase approach will happen quickly, so plan appropriately to replace NTLM in your environment and take a giant security step forward. The ‘NTLM disabled by default’ phase will occur with the next major Server update.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&lt;/h2&gt;

&lt;p&gt;On January 29th, Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Microsoft Office (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker can send a user a malicious Office file and convince them to open the file to exploit the vulnerability. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Remote Desktop Services (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533" rel="noopener" target="_blank"&gt;CVE-2026-21533&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519" rel="noopener" target="_blank"&gt;CVE-2026-21519&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in MSHTML Framework (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513" rel="noopener" target="_blank"&gt;CVE-2026-21513&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Windows Shell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510" rel="noopener" target="_blank"&gt;CVE-2026-21510&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Security Feature Bypass vulnerability in Microsoft Word (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514" rel="noopener" target="_blank"&gt;CVE-2026-21514&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker can bypass a security feature locally due to a reliance on untrusted inputs. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Denial of Service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.2, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. A null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for February. The update affects Ivanti Endpoint Manager and resolves two new CVEs and 11 medium severity CVEs that were disclosed in late 2025. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/february-2026-security-update"&gt;February Security Advisory&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, there was a security advisory on January 29th for Ivanti Endpoint Manager Mobile (EPMM) that had a limited number of customers impacted at time of disclosure. Ivanti urges all customers using the on-prem EPMM product to promptly install the Security Update. The security advisory, additional technical analysis, and an Exploitation Detection script co-developed with NCSC-NL can be found in the &lt;a href="https://www.ivanti.com/blog/january-2026-epmm-security-update"&gt;January Security Advisory&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates this month resolving 43 CVEs, 27 of which are Critical. All nine updates are rated Priority three by Adobe.&lt;/p&gt;

&lt;h2&gt;February update to-do list&lt;/h2&gt;

&lt;p&gt;Windows OS and Microsoft Office updates are the priority this month, resolving six new zero-day exploits and one OOB zero-day exploit.&lt;/p&gt;

&lt;p&gt;Review Microsoft’s &lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt; of NTLM announcement and documentation to start planning for the deprecation and disablement of NTLM.&lt;/p&gt;
</description><pubDate>Tue, 10 Feb 2026 21:58:44 Z</pubDate></item><item><guid isPermaLink="false">7bbd54ed-d35c-4e94-b814-6920a467a5e7</guid><link>https://www.ivanti.com/blog/january-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>January 2026 Patch Tuesday</title><description>&lt;p&gt;New year,&amp;nbsp;new updates!&amp;nbsp;Welcome back to the Ivanti Patch Tuesday blog where we&amp;nbsp;provide&amp;nbsp;you&amp;nbsp;critical insights to&amp;nbsp;optimize&amp;nbsp;your exposure management activities.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This month there are a pair of Mozilla CVEs that are suspected&amp;nbsp;of being&amp;nbsp;exploited and a Microsoft CVE that has been exploited.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, Microsoft has a pair of&amp;nbsp;publicly disclosed vulnerabilities that will need to be reviewed to see if your organization may be&amp;nbsp;impacted&amp;nbsp;by the changes Microsoft is making.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There are&amp;nbsp;additional&amp;nbsp;third-party&amp;nbsp;updates&amp;nbsp;from Adobe,&amp;nbsp;and&amp;nbsp;you should&amp;nbsp;expect more from Google and Oracle over the next few days and into next week&amp;nbsp;that should be included in your monthly maintenance.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;A side note of good news:&amp;nbsp;Microsoft has broken the Server 2025&amp;nbsp;update out&amp;nbsp;into a separate KB,&amp;nbsp;so it is only&amp;nbsp;1.9GB in size,&amp;nbsp;versus this month’s&amp;nbsp;4GB+ Windows 11 cumulative update.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an&amp;nbsp;Information Disclosure vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805" rel="noopener" target="_blank"&gt;CVE-2026-20805&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 5.5, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. The exposure could be used to&amp;nbsp;disclose&amp;nbsp;a section address from a remote ALPC port&amp;nbsp;that&amp;nbsp;is user-mode memory. The vulnerability affects all currently supported and extended security update-supported versions of the Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass vulnerability in Secure Boot Certification Expiration (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265" rel="noopener" target="_blank"&gt;CVE-2026-21265&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.4, but it has been publicly disclosed. In addition to the update, the fix provides a warning regarding certificates that will be expiring in 2026 and details on actions that are required to renew certificates prior to their expiration. It is recommended to start investigating what actions your organization may need to take to prevent potential serviceability and security issues as certificates expire.&lt;/p&gt;

&lt;p&gt;Microsoft is addressing&amp;nbsp;an&amp;nbsp;Elevation of Privilege vulnerability in Windows Agere Soft Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-31096" rel="noopener" target="_blank"&gt;CVE-2023-31096&lt;/a&gt;). The vulnerability CVE ID was assigned by MITRE&amp;nbsp;in 2023. It&amp;nbsp;is rated Important and has a CVSS v3.1 score of 7.8.&amp;nbsp;The CVE has been publicly&amp;nbsp;disclosed. Microsoft’s resolution is to remove the affected drivers from the Windows OS as&amp;nbsp;of the January 2026 cumulative update. Microsoft recommends removing any existing dependencies on this hardware.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released no security advisories this month.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.mozilla.org/en-US/security/advisories/" rel="noopener" target="_blank"&gt;Mozilla has released updates for Firefox and Firefox ESR,&amp;nbsp;resolving a total of&amp;nbsp;34&amp;nbsp;CVEs&lt;/a&gt;. All three updates have an Impact rating of High. Two CVEs are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/" rel="noopener" target="_blank"&gt;MFSA2026-01&lt;/a&gt;),&amp;nbsp;and CVE-2026-0891 is resolved in Firefox ESR 140.7 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/" rel="noopener" target="_blank"&gt;MFSA2026-03&lt;/a&gt;).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Expect Google Chrome and Microsoft Edge updates this week in addition to a high-severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Adobe has released 11 updates this month affecting Dreamweaver, InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Stager, Painter, Sampler and Designer, and ColdFusion. ColdFusion is a priority 1. Everything else is priority 3, but most of the updates include Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Oracle’s Quarterly CPU is scheduled to&amp;nbsp;release&amp;nbsp;on January 20, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out,&amp;nbsp;expect&amp;nbsp;all of&amp;nbsp;the Java-based frameworks to update over the next few weeks.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;January update to-do list&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Browser updates are a priority this month. Mozilla resolved two suspected zero-day exploits (CVE-2026-0891 and CVE-2026-0892),&amp;nbsp;and Chrome resolved a high-severity CVE (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;The Windows OS update resolves one exploited and two publicly disclosed vulnerabilities this month,&amp;nbsp;putting the Windows OS update as top priority this month&amp;nbsp;alongside&amp;nbsp;the browser updates.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Review Secure Boot Certificate timelines and usage of Agere Soft Modem drivers&amp;nbsp;to avoid serviceability and security issues.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 Jan 2026 21:52:53 Z</pubDate></item><item><guid isPermaLink="false">f6313797-d456-4178-8477-933be69ec3b9</guid><link>https://www.ivanti.com/blog/december-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>December 2025 Patch Tuesday</title><description>&lt;p&gt;Here we are at the final Patch Tuesday for 2025. Microsoft has resolved 56 CVEs (two Critical and 54 Important). Included in this release is one known exploited (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and two publicly disclosed CVEs (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). This month’s OS update resolves the exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and one of the public disclosures (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;), making the Windows OS a top priority this month. The other public disclosure is in GitHub Copilot for Jetbrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;), which would require developers to download and update the GitHub Copilot plugin.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Third-party updates this Patch Tuesday include multiple releases from Mozilla for Firefox 146 and Firefox ESR 115.31 and 140.6. Adobe released five updates to resolve 142 CVEs including an update for Adobe Acrobat and Reader. Four of five updates are rated as Priority Three, but the Adobe ColdFusion update is rated Priority One. There are no known exploits, but the ColdFusion update resolves the bulk of the CVEs resolved by Adobe this month.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Cloud Files Mini Filter Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but is confirmed to be exploited in the wild. An attacker who successfully exploits this CVE could gain SYSTEM privileges. The CVE affects Windows 10 and later Windows editions. A risk-based prioritization approach would prioritize this CVE as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in PowerShell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but has been publicly disclosed. The fix provides a warning and guidance to avoid the potential remote code execution, but the nature of the exposure makes full remediation improbable. The Invoke-WebRequest command can parse the contents of a web page and could potentially run script code in the web page when it is parsed. A warning is presented recommending the use of the -UseBasicParsing switch to avoid script code execution. The CVE affects Server 2008 and later Windows editions.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in GitHub Copilot for JetBrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.4 but has been publicly disclosed. An attacker could use a malicious cross-prompt injection in untrusted files or MCP servers to execute additional commands by appending them to commands allowed in the user’s terminal auto-approve setting.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update this month. The update affects Ivanti Endpoint Manager and resolves four vulnerabilities. More details and information about mitigations can be found in the &lt;a href="https://www.ivanti.com/blog/december-2025-security-update"&gt;December Security Advisory&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Mozilla has released updates for Firefox and Firefox ESR resolving a total of 27 CVEs. All three updates have an Impact rating of High.&lt;/p&gt;

&lt;p&gt;Adobe released five updates this month affecting ColdFusion, Experience Manager, DNG SDK, Acrobat and Reader and Creative Cloud Desktop. ColdFusion is a Priority One and resolves the majority of the 142 CVEs. The other four updates are rated Priority Three.&lt;/p&gt;

&lt;h2&gt;December update priorities&lt;/h2&gt;

&lt;p&gt;The Windows OS update is the priority this month to resolve &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;All other updates can be resolved under normal SLA priorities.&lt;/p&gt;
</description><pubDate>Tue, 09 Dec 2025 22:05:21 Z</pubDate></item><item><guid isPermaLink="false">7110e1c4-6550-4404-9c43-44e911ea4946</guid><link>https://www.ivanti.com/blog/november-2025-patch-tuesday</link><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>November 2025 Patch Tuesday</title><description>&lt;p&gt;November Patch Tuesday is the first Patch Tuesday after the EoL of Windows 10. In the shadow of Windows 10, there are a number of other product EoLs of note. Exchange Server, for one, is getting some additional attention. &lt;a href="https://techcommunity.microsoft.com/blog/exchange/announcing-exchange-2016--2019-extended-security-update-program/4433495" rel="noopener" target="_blank"&gt;Microsoft announced a 6-month ESU option for Exchange 2016/2019 servers&lt;/a&gt; for customers who need the extension. Their guidance, however, is not to rely on this program and to make every attempt to move off of Exchange and move to Exchange SE in time. Cybersecurity agencies across the globe have also collaborated to provide a &lt;a href="https://techcommunity.microsoft.com/blog/exchange/announcing-exchange-2016--2019-extended-security-update-program/4433495" rel="noopener" target="_blank"&gt;Security Best Practices guide for Microsoft Exchange Server&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Microsoft resolved 63 unique vulnerabilities this month, including one known exploited CVE (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215" rel="noopener" target="_blank"&gt;CVE-2025-62215&lt;/a&gt;). The exploited CVE is an Elevation of Privilege vulnerability in the Windows Kernel that can allow an attacker to gain SYSTEM-level privileges on the target system. Affected products this month include Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot and Azure Monitor Agent.&lt;/p&gt;

&lt;p&gt;For third-party updates, Oracle released their quarterly &lt;a href="https://www.oracle.com/security-alerts/cpuoct2025.html" rel="noopener" target="_blank"&gt;Critical Patch Update&lt;/a&gt; on October 21, 2025. The release included many updates, among them Java. With the release of Java comes a stream of Java framework updates, including Red Hat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.&lt;/p&gt;

&lt;p&gt;Patch Tuesday third-party updates include eight from Adobe and three from Mozilla, and Google Chrome released a stability and performance update this month (no CVEs reported).&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215" rel="noopener" target="_blank"&gt;CVE-2025-62215&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.0. The vulnerability requires an attacker to win a race condition, but if exploited it would allow the attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all currently supported Windows OS editions and Windows 10 ESU, which means the risk of running Windows 10 past the EoL without ESU is not hypothetical. Ensure you are subscribing to Windows 10 ESU and providing additional mitigations where possible.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one Security Advisory for November Patch Tuesday, resolving three CVEs. The security advisory for Ivanti Endpoint Manager provides details on vulnerable versions. Also, the advisory reminds Ivanti Endpoint Manager customers that version 2022 reached End of Life at the end of October 2025. All Ivanti EPM customers are urged to upgrade to 2024 SU4 to remediate the three vulnerabilities.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/november-2025-security-update"&gt;November Security Updat&lt;/a&gt;e on the Ivanti blog.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released eight updates resolving 28 CVEs. All eight updates are rated priority three.&lt;/li&gt;
	&lt;li&gt;Mozilla released three updates resolving a total of 29 CVEs.&lt;/li&gt;
	&lt;li&gt;Google Chrome just released a stability and performance update, but it has resolved 27 CVEs since October Patch Tuesday.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;November update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is the highest priority this month, with one zero-day exploit.&lt;/li&gt;
	&lt;li&gt;Continue to monitor your environment for EoL software. Beyond Windows 10 EoL, there are editions of Office that are now EoL along with Exchange. The first month after the Windows 10 EoL has a zero-day that affects the Windows 10 OS. The risks of continuing to run EoL software without extended support are very real, and threat actors will be looking to take advantage.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Nov 2025 20:26:09 Z</pubDate></item><item><guid isPermaLink="false">9e9a6540-2b98-4a64-9124-117518ba31b4</guid><link>https://www.ivanti.com/blog/october-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>October 2025 Patch Tuesday</title><description>&lt;p&gt;October Patch Tuesday is going to be a busy one from all angles. Microsoft exceeded the January CVE count (159 CVEs) by a healthy margin, with 172 CVEs resolved this month. There are three exploited and two publicly disclosed vulnerabilities this month, but fortunately all of them are in the cumulative OS update, making resolution quick and clean. They are also end of life-ing a lot of products, including Windows 10! Additionally, Office 2016 and 2019 and Exchange Server 2016 and 2019 have also reached end of life.&lt;/p&gt;

&lt;p&gt;Adobe released 12 updates resolving 36 CVEs. Mozilla released five updates resolving 45 CVEs and are cautioning users that three of these CVEs are showing signs they may have been exploited in the wild (unconfirmed). And of course, Google Chrome is expected to release their weekly update in the next 24 hours.&lt;/p&gt;

&lt;p&gt;There is a lot to unpack, so let’s get started.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Secure Boot bypass vulnerability in IGEL OS before 11 (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47827" rel="noopener" target="_blank"&gt;CVE-2025-47827&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 4.6. Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature, allowing a crafted root file system to be mounted from an unverified image.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Remote Access Connection Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230" rel="noopener" target="_blank"&gt;CVE-2025-59230&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8. Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990" rel="noopener" target="_blank"&gt;CVE-2025-24990&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8.&amp;nbsp; The driver shipped natively with the Windows OS. Microsoft has removed the driver with the October cumulative update and recommends removing any existing dependencies on this fax modem hardware. Exploit is possible even if the drive is not being used. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24052" rel="noopener" target="_blank"&gt;CVE-2024-24052&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 7.8. The exploit code maturity is listed as proof-of-concept, which increases the risk of exploitation. A risk-based prioritization methodology would warrant treating this as Critical.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an out-of-bounds read vulnerability in TCG TPM2.0 reference implementation (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-2884" rel="noopener" target="_blank"&gt;CVE-2024-2884&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 5.3. The exploit code maturity is listed as unproven, indicating there is currently no publicly available code.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates and one Security Advisory for October Patch Tuesday, resolving a total of seven CVEs. The affected products include Ivanti Neurons for MDM and Ivanti Endpoint Manager Mobile. The Ivanti Neurons for MDM vulnerabilities were resolved for all customers on October 10, 2025. An additional Security Advisory was released for Ivanti Endpoint Manager, which provides mitigation options for vulnerabilities disclosed October 7, 2025.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/october-2025-security-update"&gt;October Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released 12 updates addressing 36 CVEs. Adobe has rated the Commerce update as a priority two and the rest of the updates as priority three.&lt;/li&gt;
	&lt;li&gt;Mozilla released five updates resolving 45 CVEs. Three of the CVEs included variations of the statement, “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” indicating a possibility of exploitation in the wild. All five updates include at least one of the suspected exploit CVEs, so we recommend treating all five as containing a known exploited CVE.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release in the next 24 hours, so plan a Chrome update and a possible Edge update shortly after.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;October update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS cumulative update is the top priority this month, as it resolves three exploited and two publicly disclosed CVEs.&lt;/li&gt;
	&lt;li&gt;All Mozilla updates should be deployed during your current maintenance, but any deferral or delay would come with risks as there are three CVEs that are speculated to be exploitable in the wild already.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Oct 2025 21:43:03 Z</pubDate></item><item><guid isPermaLink="false">419bfa61-ee47-4c09-aa89-434ff944ccb0</guid><link>https://www.ivanti.com/blog/september-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>September 2025 Patch Tuesday</title><description>&lt;p&gt;The days leading into September Patch Tuesday include a bit of chaos from a pair of actively exploited Android CVEs (CVE-2025-38352, CVE-2025-48543), a zero day in WhatsApp (CVE-2025-55177), another zero day in WinRAR (CVE-2025-8088), and a major supply chain attack through the Drift AI Chat Agent exposing Salesforce customers’ data.&lt;/p&gt;

&lt;p&gt;The good news is Microsoft only has a pair of publicly disclosed vulnerabilities (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;) out of 81 total CVEs resolved this month, making this about as close to a calm Patch Tuesday as we can hope for.&lt;/p&gt;

&lt;p&gt;The Windows OS and Office updates are rated Critical this month, putting those as the highest priority, but with no zero-day exploits, this month should be focused on routine maintenance from a Microsoft perspective.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 8.8 and affects all Windows OS editions. The code maturity is unproven, which would indicate no code samples have been disclosed. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Improper Handling of Exceptional Conditions vulnerability in Newtonsoft.Json (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is unrated and affects SQL Server 2016, 2017 and 2019. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial-of-service condition. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates resolving 22 CVEs, 12 of which are rated Critical. The products affected include Adobe Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer, Experience Manager, Dreamweaver, 3D Substance Modeler and ColdFusion. Adobe has rated the ColdFusion update as a priority one and Commerce as a priority two. The other seven updates are rated priority three.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates for September Patch Tuesday resolving a total of 13 CVEs. The affected products include Ivanti Connect Secure and Policy Secure and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/september-2025-security-update"&gt;September Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;September update priorities&lt;/h2&gt;

&lt;p&gt;With no zero-days released on Patch Tuesday, the updates this month are predominantly low risk. Ensure you have the zero days leading up to Patch Tuesday in hand, and plan to deploy the Microsoft and Adobe updates through your regular maintenance activities this month.&lt;/p&gt;
</description><pubDate>Tue, 09 Sep 2025 21:28:36 Z</pubDate></item><item><guid isPermaLink="false">3ae8d951-7002-41fd-976c-737c26267f79</guid><link>https://www.ivanti.com/blog/august-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>August 2025 Patch Tuesday</title><description>

&lt;p&gt;Let me start this month off with a question. Have you already decided what you are going to do for your remediation plan this month? Think about it for a second. OS updates, productivity apps, browsers, and other apps are already likely under consideration for your August patch maintenance. The real decisions you need to consider are around timing. Do you proceed with your typical Patch Tuesday plan or do you need to accelerate any zero-days, etc.?&lt;/p&gt;

&lt;p&gt;What you just thought about was a generalization of defining your risk appetite. There is a lot of discussion across the vulnerability management market about how to modernize vulnerability management. When you think about trends like 32% of 1H 2025 known exploited vulnerabilities (KEVs) being zero-day or 1-day exploits, it can feel overwhelming. How do you keep up with a continuous stream of updates? Ideally by defining your outcome and configuring for success.&lt;/p&gt;

&lt;p&gt;If we break this month’s Patch Tuesday down into parallel remediation streams:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Routine Maintenance: Much of what was released today will fall into your recurring monthly maintenance, which typically starts on Patch Tuesday and runs for two weeks or more depending on your SLAs, OS, productivity apps, third-party apps, etc.&lt;/li&gt;
	&lt;li&gt;Priority updates: Browsers tend to release more frequently (typically weekly) and may warrant a priority update track to keep up with the constant stream of new exposures in your environment. This patch cycle you may be resolving CVEs in multiple browsers from the past four weeks if you don’t have a more frequent update plan in place for the browsers.&lt;/li&gt;
	&lt;li&gt;Zero-day Response: The recent SharePoint exploits are a good example of the disruptive/unpredictable nature of zero-day exploits.&lt;/li&gt;
	&lt;li&gt;Continuous Compliance: The three previous tracks could solve most of your remediation challenges, but what about users who are on vacation or on a leave of absence, who got a new system whose shipping bypassed the current month’s maintenance window, or who installed something new that was not the latest version? Defining a baseline and keeping it updated as new updates pass your quality tests would keep your systems in compliance when drift occurs for any of these reasons.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved one publicly disclosed vulnerability in Windows Kerberos (CVE-2025-53779). The CVE is an Elevation of Privilege vulnerability that could allow an attacker to gain domain admin privileges. The CVE is rated Medium and has a CVSS score of 7.2. The vulnerability only affects Windows Server 2025.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released thirteen new updates on Patch Tuesday, but the most urgent is the Adobe Experience Manager Forms update released on August 5 resolving two publicly disclosed CVEs (CVE-2025-54253 and CVE-2025-54254). &lt;a href="https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html" rel="noopener" target="_blank"&gt;APSB25-82&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Google Chrome 139.0.7258 was released, resolving five CVEs, and is rated Critical. This will also affect Microsoft Edge, so watch for that update, likely later this week.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;August update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft SharePoint is the top priority this month to resolve recent zero-day exploits being targeted by multiple nation state level threat actors. Update ASAP.&lt;/li&gt;
	&lt;li&gt;Adobe Experience Manager Forms update released on August 5 is your second highest priority.&lt;/li&gt;
	&lt;li&gt;Windows OS and Office have Critical CVEs this month. Get them updated as part of your regular maintenance and you should be good.&lt;/li&gt;
	&lt;li&gt;Microsoft Exchange Server and SQL Server each received updates. The CVEs were only rated as Important so no need to escalate remediation, but server admins should start to test and roll out within the next month.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 12 Aug 2025 22:08:03 Z</pubDate></item><item><guid isPermaLink="false">d95dc7b1-8024-40d9-915e-a4549e38b7fa</guid><link>https://www.ivanti.com/blog/july-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>July 2025 Patch Tuesday</title><description>&lt;p&gt;July Patch Tuesday is a sizable one, but no significant security risk. Microsoft resolved 130 new CVEs, including one public disclosure. There are seven additional CVEs from MITRE regarding vulnerabilities in Git resolved through the Visual Studio update this month. Fourteen CVEs are rated Critical by Microsoft, affecting Windows OS, Office, SharePoint, and SQL.&lt;/p&gt;

&lt;p&gt;The DHCP issue caused by the June 2025 update appears to be resolved. It is not reported as a known issue for Windows OS KBs, and some quick querying through Gemini agrees the issue appears to be resolved.&lt;/p&gt;

&lt;p&gt;Gemini’s response to the query is below:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;July update server DHCP issue resolved&lt;/p&gt;

&lt;p&gt;Yes, according to information available on July 8, 2025, Microsoft has resolved the DHCP server issue that was caused by the June 2025 security updates.&lt;/p&gt;

&lt;p&gt;Key points:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;June 2025 updates caused the problem: Microsoft's June 2025 Patch Tuesday updates introduced a bug that could cause the DHCP service to freeze or stop responding on Windows Server 2016 through 2025. This issue prevented some clients from renewing their IP addresses.&lt;/li&gt;
	&lt;li&gt;Fix released in July updates: Microsoft released Windows updates on July 8, 2025, and subsequent updates that resolve this issue.&lt;/li&gt;
	&lt;li&gt;Workaround before the fix: Before the July updates were available, the recommended workaround was to uninstall the affected June updates and restart the server, but this left systems vulnerable to security threats patched in those updates.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;The Windows Server OS updates this month resolve 16 CVEs in Windows Routing and Remote Access Service (RRAS). These vulnerabilities could allow an unauthenticated attacker to convince a user to initiate a connection to a malicious server that could allow them to execute arbitrary code. The attack would require no privileges and could be exploited over the network. Applying the updates to the OS is the best solution, but additional mitigations like restricting RRAS ports to trusted networks or VPN concentrators can limit exposure, as well as employing firewall rules and disabling unused RRAS features.&lt;/p&gt;

&lt;p&gt;Developers have a bit of work to do on their side this month. Microsoft resolved seven CVEs in Git and two additional CVEs that require a Visual Studio update this month.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure in Microsoft SQL (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49719" rel="noopener" target="_blank"&gt;CVE-2025-49719&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 7.5. The code maturity is unproven, which would indicate no code samples. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome resolved their fourth zero-day exploit on June 30, so from a risk-based prioritization perspective, Chrome and Edge updates take the focus leading up to Patch Tuesday. &lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt; was resolved in build 138.9.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.92 for Linux, which they indicated would roll out over the coming days/weeks.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released three updates for July Patch Tuesday resolving a total of 11 CVEs. The affected products include Ivanti Connect Secure and Policy Secure, Ivanti EPMM and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/july-security-update-2025"&gt;July Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;July update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Google Chrome and Microsoft Edge browsers are the top priority this month. Ensure you have deployed the latest updates to resolve the zero-day exploit (&lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt;) that was identified on June 30.&lt;/li&gt;
	&lt;li&gt;Windows Server OS updates are likely the biggest security priority this month, especially for those who experienced the DHCP issues after the June update and had to uninstall the June update.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Jul 2025 21:17:47 Z</pubDate></item><item><guid isPermaLink="false">ba181d8d-6bbb-41d4-9d70-0216bae9cdd8</guid><link>https://www.ivanti.com/blog/june-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>June 2025 Patch Tuesday</title><description>&lt;p&gt;June Patch Tuesday is upon us. There has been a lot of activity in the past few weeks. Mid-May was the &lt;a href="https://www.zerodayinitiative.com/blog?tag=Pwn2Own" rel="noopener" target="_blank"&gt;Pwn2Own Berlin 2025 event&lt;/a&gt;, and the $1M USD in rewards that were paid out came with many newly discovered vulnerabilities affecting Microsoft, Google, Mozilla, VMware, NVIDIA, Oracle and other vendors. Since the event, there have been several updates from many of these vendors, so expect a lot of third-party updates this month from releases leading up to Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Microsoft released updates resolving 66 CVEs, nine of which are rated Critical. In addition, there is one public disclosure and one zero-day exploit. Updates this month affect Windows, Office, SharePoint, Visual Studio, and .Net. The zero day and public disclosure are both resolved by the Windows OS update this month.&lt;/p&gt;

&lt;p&gt;Third-party updates from Mozilla, Google (including two recent zero-day exploits) and Adobe leading up to Patch Tuesday will add to the load. If your organization is updating applications like browsers on a weekly basis to keep up with continuous release applications commonly used to target end users, you should be up to date on all but Adobe. If not, you will want to ensure these are queued up for your patch maintenance.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Web Distributed Authoring and Versioning (WEBDAV) (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;) which Microsoft has confirmed to be exploited in the wild. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. Risk-based prioritization would treat this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB Client (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. The code maturity is Proof-of-Concept and the vulnerability is remotely exploitable, which will make this a desirable target for threat actors. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome continues their weekly security update cadence. Expect a Chrome update this week to add to the four releases and 14 CVEs resolved since May Patch Tuesday. This includes two zero-day exploits resolved in the past few weeks (CVE-2025-5419 and CVE-2025-4664).&lt;/p&gt;

&lt;p&gt;Mozilla has released multiple security updates since the Pwn2Own Berlin event. The two CVEs exploited in the event were resolved in the May 17 release (Firefox 138.0.4) and since then, Mozilla has released Firefox 139 and 139.0.4, as well as updates for Firefox ESR and Thunderbird. Ensure you have the latest Mozilla updates queued up this Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Acrobat Reader and six other products, resolving 259 CVEs. 225 of these were included in the Experience Manager update, with hefty contributions from a handful of diligent security researchers.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released one update for June Patch Tuesday resolving a total of three CVEs. The affected product is Ivanti Workspace Control.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/june-security-update"&gt;June Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;June update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is the top priority this month with one zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;) and one public disclosure (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Google Chrome should be a top priority if you have not deployed updates for June 2 and earlier, as it will resolve two zero-day exploits (CVE-2025-5419 and CVE-2025-4664).&lt;/li&gt;
	&lt;li&gt;Browsers in general should be updated weekly to keep up with the continuous release cycle. Edge, Chrome and Firefox received multiple updates since May Patch Tuesday, including multiple high-profile disclosures and zero-day exploits.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 10 Jun 2025 20:52:28 Z</pubDate></item><item><guid isPermaLink="false">34200be4-39ae-48b7-bc0f-9ef5f2e9cb32</guid><link>https://www.ivanti.com/blog/patch-tuesday-may-2025</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>May 2025 Patch Tuesday</title><description>&lt;p&gt;May Patch Tuesday resolves five actively exploited and two publicly disclosed vulnerabilities. Spoiler alert: all five zero-days are resolved by deploying the Windows OS update. Also, this month Windows 11 and Server 2025 updates include some new AI features, but they carry a lot of baggage. Literally – they are around 4GB! New AI features include Recall, Click to Do and Improved Windows Search.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a total of 72 new CVEs this month, six of which are rated Critical. The five zero-day vulnerabilities are rated Important, but using a risk-adjusted scoring model they would all be rated Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709" target="_blank" rel="noopener"&gt;CVE-2025-32709&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain administrator privileges. The vulnerability affects Windows Server 2012 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a pair of Elevation of Privilege vulnerabilities in Windows’ Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706" target="_blank" rel="noopener"&gt;CVE-2025-32706&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701" target="_blank" rel="noopener"&gt;CVE-2025-32701&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerabilities affect all Windows OS versions. The vulnerabilities are confirmed to be exploited in the wild. Microsoft’s severity rating for both CVEs is Important and CVSS 3.1 of 7.8. Risk-based prioritization warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Microsoft DWM Core Library (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400" target="_blank" rel="noopener"&gt;CVE-2025-30400&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerability affects Windows 10, Server 2016 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Memory Corruption vulnerability in Microsoft Scripting Engine (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397" target="_blank" rel="noopener"&gt;CVE-2025-30397&lt;/a&gt;) that could allow an unauthorized attacker to execute code over a network. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Remote Code Execution vulnerability in Visual Studio (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32702" target="_blank" rel="noopener"&gt;CVE-2025-32702&lt;/a&gt;) that could allow an unauthorized attacker to execute code locally. The vulnerability affects Visual Studio 2019 and 2022. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Identity Spoofing vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26685" target="_blank" rel="noopener"&gt;CVE-2025-26685&lt;/a&gt;) that could allow an unauthorized attacker to perform spoofing over an adjacent network. The vulnerability affects Microsoft Defender for Identity. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe has released 13 updates this month resolving 39 CVEs, 33 of which are Critical. For more details, see &lt;a href="https://helpx.adobe.com/security.html" target="_blank" rel="noopener"&gt;Adobe’s Latest Product Security Updates&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release a weekly update shortly, so keep an eye out.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released four updates for May Patch Tuesday resolving a total of four CVEs and one CWE. The affected products include Ivanti Neurons for ITSM (on-prem only), Ivanti ICS, Ivanti Neurons for MDM and Ivanti EPMM.&lt;/p&gt;

&lt;p&gt;The Ivanti EPMM update resolves a medium and a high CVE that, when chained together and successfully exploited, could lead to unauthenticated remote code execution. Ivanti is aware of a very limited number of customers whose solution has been exploited at the time of disclosure.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/may-2025-security-update"&gt;May Security Update on the Ivanti blog&lt;/a&gt; and &lt;a href="https://www.ivanti.com/blog/epmm-security-update"&gt;EPMM Security Update&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;May update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Windows OS is your top priority this month with five zero-day exploits reported (CVEs).&lt;/li&gt;
	&lt;li&gt;Ivanti EPMM customers should apply either of the mitigation options or update as soon as possible.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 May 2025 22:03:04 Z</pubDate></item><item><guid isPermaLink="false">9933c7b4-38db-4e37-9af3-cdce170e5851</guid><link>https://www.ivanti.com/blog/april-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>April 2025 Patch Tuesday</title><description>&lt;p&gt;April Patch Tuesday appears to have a high count of resolved CVEs, but a low number of high priority risks. Microsoft has resolved 121 new unique CVEs this month, 11 of which are rated critical and one known to be exploited. The zero-day vulnerability is in the Windows OS this month, making that your top priority.&lt;/p&gt;

&lt;p&gt;In addition, Adobe has released 12 updates resolving 54 CVEs. Adobe ColdFusion was rated highest (Priority 1) and resolves 15 CVEs. Adobe Commerce and Experience Manager Forms were rated Priority 2 and resolved five CVEs and two CVEs respectively. The rest of the Adobe lineup was Priority 3.&lt;/p&gt;

&lt;p&gt;Update your browsers! Google Chrome updated this Patch Tuesday resolving two additional CVEs. On April 1, both Mozilla Firefox and Google Chrome updated. Mozilla Firefox resolved eight CVEs, and Chrome resolved thirteen CVEs. Microsoft Edge (Chromium) updated on April 3 in response to the April 1 Chrome update, which means we will have an additional Edge update coming later this week.&lt;/p&gt;

&lt;p&gt;Oracle is due to release their quarterly CPU on April 15, so keep an eye out for Oracle updates including Java, which will kick off the domino effect of alternative Java frameworks getting updates through the end of April and into early May.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;) that could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released updates for most of the Creative Suite including After Effects, Animate, Bridge, Illustrator, Media Encoder, Photoshop and Premiere Pro.&lt;/li&gt;
	&lt;li&gt;Google Chrome released an update resolving two CVEs. Expect Edge to be released later this week.&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/#CriticalPatchUpdates" target="_blank" rel="noopener"&gt;Oracle’s quarterly CPU is scheduled for April 15, 2025&lt;/a&gt;. Expect updates for a number of Oracle products, but this release will also kick off the domino effect on all Java frameworks like RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released one update for April Patch Tuesday resolving a total of six CVEs. The affected products include Ivanti EPM 2022 and EPM 2024. For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/april-security-update"&gt;April Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;April update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is your top priority this month, with the only zero-day exploit reported (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Update all of your browsers! Last week Mozilla, Chrome and Edge received updates, and an additional Chrome update was released on Patch Tuesday. If you have not already, you should consider moving browser updates to a weekly cadence to reduce exposure time, as Chrome and Edge will receive weekly updates, and Firefox typically has two to three updates per month.&lt;/li&gt;
	&lt;li&gt;Expect Oracle updates on April 15 and additional updates for Java frameworks over the next few weeks.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Apr 2025 21:19:58 Z</pubDate></item><item><guid isPermaLink="false">63dbc7eb-03a8-4a08-92c7-8977b81ba969</guid><link>https://www.ivanti.com/blog/march-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>March 2025 Patch Tuesday</title><description>&lt;p&gt;Here in the Midwest US, we have a saying about March, “In like a lion, out like a lamb.” This is in reference to the month starting with strong winter weather and letting off as the month progresses. In fact, we just had a blizzard that dropped 9-12 inches of snow across most of the region overnight, but a week later I see grass and sunny skies and have shed the winter coat!&lt;/p&gt;

&lt;p&gt;At first glance, March Patch Tuesday looks like a lamb, but this lamb might have the teeth of a lion. The standard lineup of updates resolves 57 CVEs across the Windows OS, Office, .Net and Visual Studio, with a couple of Azure component updates in the mix. Google Chrome updated in the lead up to Patch Tuesday (March 10 update), and Adobe released seven updates, including Adobe Acrobat and Acrobat Reader.&lt;/p&gt;

&lt;p&gt;Now let’s talk teeth. There are seven known exploited CVEs for the March lineup.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved six known exploited CVEs. The zero-day exploits affect the Microsoft Management Console, NTFS, Fast FAT, and the Win32 Kernel Subsystem. All six exploits are rated Important with CVSS scores ranging from 4.6 to 7.8. The good news is all six are resolved by the March Windows OS update, so the majority of the immediate risk is resolved by that one update.&lt;/li&gt;
	&lt;li&gt;Google resolved one known exploited CVE (&lt;a href="https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html" target="_blank" rel="noopener"&gt;CVE-2025-24201&lt;/a&gt;), which according to the release notes from Google is an out of bounds write in GPU on Mac reported by the Apple Security Engineering and Architecture (SEAR) team – so likely only a concern for Mac users. (Based on Microsoft’s release notes, it looks like Edge has not resolved the five CVEs in the March 10 release.)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Management Console (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633" rel="noopener" target="_blank"&gt;CVE-2025-26633&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker would need to take additional actions to prepare the target environment for exploitation, but the vulnerability allows for a variety of user-targeted tactics to exploit, including instant message, email and web-based attacks scenarios. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24993" rel="noopener" target="_blank"&gt;CVE-2025-24993&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24991" rel="noopener" target="_blank"&gt;CVE-2025-24991&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 5.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Windows Fast FAT File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24985" rel="noopener" target="_blank"&gt;CVE-2025-24985&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24984" rel="noopener" target="_blank"&gt;CVE-2025-24984&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 4.6. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Win32 Kernel Subsystem (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983" rel="noopener" target="_blank"&gt;CVE-2025-24983&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects older Windows editions including Windows 10 and Server 2008 to Server 2016. Microsoft has confirmed that this CVE is exploited in the wild. If exploited, the attacker could gain SYSTEM-level privileges. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Access (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26630" rel="noopener" target="_blank"&gt;CVE-2025-26630&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Access 2016, Office 2019, Office LTSC 2021 and 2024, and Microsoft 365 Apps for Enterprise. Microsoft has confirmed that this CVE has been publicly disclosed, but the code maturity is set to be unproven. The disclosure could provide attackers with some additional information to formulate an exploit, but the lack of code samples will increase their efforts. Risk-based prioritization would indicate a slightly higher risk for a disclosure without functional code, but not enough to bump this CVE up to Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Google Chrome released updates on March 10 resolving five CVEs, including one known exploited CVE (&lt;a href="https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html" rel="noopener" target="_blank"&gt;CVE-2025-24201&lt;/a&gt;). The exploit is documented as an out of bounds write in GPU on Mac. The priority is higher for macOS than Windows for this update.&lt;/li&gt;
	&lt;li&gt;Adobe released seven updates resolving 37 CVEs. The updates affect Adobe Acrobat and Reader, Illustrator, InDesign, Substance 3D Sampler, Painter, Modeler and Designer. All seven updates are rated priority three and can be handled in the course of your monthly update activities.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released two updates for the March Patch Tuesday resolving a total of two CVEs. The affected products are Ivanti Secure Access Client (ISAC) and Ivanti Neurons for MDM (N-MDM). For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/march-security-update"&gt;March Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;March update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS update is the top priority update this month resolving six known exploited CVEs.&lt;/li&gt;
	&lt;li&gt;The March 10 Google Chrome update resolves one known exploited vulnerability on macOS, making the macOS Chrome update a priority.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Mar 2025 21:27:51 Z</pubDate></item><item><guid isPermaLink="false">e53e52e2-cdc6-4819-8a27-1e9fa5f4f45d</guid><link>https://www.ivanti.com/blog/february-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>February 2025 Patch Tuesday</title><description>

&lt;p&gt;February Patch Tuesday is ramping up with releases from Adobe and Microsoft and an expected release from Google. Adobe resolved 45 CVEs across seven updates. The largest and highest priority is Adobe Commerce, which resolves 30 CVEs. Microsoft is coming down off a huge January release and only resolved 56 new CVEs this February. There are two new zero-day exploits and a revised Secure Boot zero-day in the mix, making the Windows OS a top priority this month.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418" rel="noopener" target="_blank"&gt;CVE-2025-21418&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker who exploited this vulnerability could gain SYSTEM privileges. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Storage (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21391" rel="noopener" target="_blank"&gt;CVE-2025-21391&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Windows 10 to 11 and Server 2016 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has revised the previously resolved Security Feature Bypass in Secure Boot (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932" rel="noopener" target="_blank"&gt;CVE-2023-24932&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.7. The vulnerability was updated to include Windows 11 24H2 and Server 2025 as they are also affected by this known exploited and publicly exploited vulnerability. Additionally, Microsoft has released a more comprehensive update to all affected versions to fully protect against this vulnerability. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Spoofing Vulnerability in NTLM Hash Disclosure (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21377" rel="noopener" target="_blank"&gt;CVE-2025-21377&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is publicly disclosed. The temporal metrics indicate Exploit Code Maturity is Functional, further increasing the risk of exploitation. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Surface (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21194" rel="noopener" target="_blank"&gt;CVE-2025-21194&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Microsoft Surface and Surface Dev Kit systems. Microsoft has confirmed that this vulnerability is publicly disclosed, but the code maturity is unproven.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;p&gt;Adobe released updates for InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements, resolving a total of 45 CVEs. Six of the updates are Priority 3. Adobe Commerce is set to Priority 1. The Commerce update resolves 30 of the 45 total CVEs Adobe resolved this month and warrants more immediate attention.&lt;/p&gt;

&lt;p&gt;Google Chrome is expected to update later today, which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.&lt;/p&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released five product updates resolving 11 CVEs, four of which are Critical. The affected products include Ivanti Cloud Service Application, Ivanti Neurons for MDM, Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Secure Access Client. At the time of release, Ivanti is not aware of any exploitation or public disclosures for the 11 resolved CVEs. For more information, &lt;a href="https://www.ivanti.com/blog/february-security-update"&gt;see the February Security Advisory page.&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;February update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities resolved and two Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Browsers are a prime avenue for attackers to target users. While including browsers in your monthly update process is recommended, it leaves a lot of CVEs exposed in between cycles. It’s recommended to move browsers to a weekly Priority Updates cadence. Mozilla Firefox releases two to three times a month. Google Chrome has been releasing security updates weekly since &lt;a href="https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html" rel="noopener" target="_blank"&gt;August 2023&lt;/a&gt;. The Chromium-based Microsoft Edge has also been releasing weekly. Updating all browsers on a weekly basis is recommended to keep up with the steady stream of security fixes.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Feb 2025 22:45:40 Z</pubDate></item><item><guid isPermaLink="false">685583a1-a416-485a-a172-a083f2e8bf48</guid><link>https://www.ivanti.com/blog/january-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>January 2025 Patch Tuesday</title><description>&lt;p&gt;Microsoft has released updates resolving 159 unique CVEs for January. Among the lineup are three zero-day exploits and five publicly disclosed vulnerabilities. The exploited CVEs are all targeting Windows Hyper-V NT Kernel Integration VSP, making the OS update this month your most urgent priority. The public disclosures impact Windows Themes, Windows App Package Installer and three CVEs for Microsoft Access. There are 10 CVEs rated Critical affecting the components of the Windows OS and Microsoft Excel.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved three Elevation of Privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333" target="_blank" rel="noopener"&gt;CVE-2025-21333&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21334" target="_blank" rel="noopener"&gt;CVE-2025-21334&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335" target="_blank" rel="noopener"&gt;CVE-2025-21335&lt;/a&gt;). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. These vulnerabilities affect Microsoft Windows versions 10, 11 and Server 2025. Microsoft is aware of exploitation of these vulnerabilities. Risk-based prioritization warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Spoofing Vulnerability in Windows Themes (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21308" rel="noopener" target="_blank"&gt;CVE-2025-21308&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects Windows 10 and 11 as well as Server 2012 up to Server 2025. The CVE has been publicly disclosed, increasing the risk of exploitation. There are mitigations that could reduce the risk of this vulnerability or future security risks. For more details, refer to the Mitigations section of the CVE page.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows App Package Installer (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21275" rel="noopener" target="_blank"&gt;CVE-2025-21275&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Windows versions 10, 11, and Server 2025. If exploited, an attacker could gain SYSTEM level privileges. The CVE has been publicly disclosed, increasing the risk of exploitation.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved three Remote Code Execution vulnerabilities in Microsoft Access (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21186" rel="noopener" target="_blank"&gt;CVE-2025-21186&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21395" rel="noopener" target="_blank"&gt;CVE-2025-21395&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21366" rel="noopener" target="_blank"&gt;CVE-2025-21366&lt;/a&gt;). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. The vulnerabilities affect Microsoft Office 2019, Access 2016, Office LTSC 2021 and 2024 and Microsoft 365 Apps. The CVEs have been publicly disclosed, increasing the risk of exploitation.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;p&gt;Oracle’s Quarterly CPU is scheduled to release on January 21, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out, expect all of the Java-based frameworks to update over the next few weeks.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Photoshop, Substance 3D Stager, Illustrator on iPad, Animate and Substance 3D Designer, resolving a total of 14 CVEs. All of the CVEs resolved are rated as Critical, but no exploitation or disclosures have been reported.&lt;/p&gt;

&lt;p&gt;Expect Google Chrome’s weekly security update today or tomorrow along with an update for Microsoft Edge shortly after.&lt;/p&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released three product updates resolving 20 CVEs. The affected products include Ivanti Avalanche, Ivanti Application Control Engine and Ivanti Endpoint Manager. Ivanti is not aware of any exploitation or public disclosures for the 20 resolved CVEs. For more information, see the &lt;a href="https://www.ivanti.com/blog/january-security-update"&gt;January Patch Tuesday Security Advisory page&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;January update priorities:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities resolved and eight Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Microsoft Office is next in priority from a risk-based perspective. The update this month resolved three publicly disclosed CVEs in Access and two Critical CVEs in Excel. The two Excel CVEs could use the Preview Pane as an attack vector, making them ideal targets for threat actors.&lt;/li&gt;
	&lt;li&gt;Ensure your browsers are all up to date. Mozilla released updates last week, and Google Chrome and Microsoft Edge update weekly with security fixes.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Jan 2025 23:35:11 Z</pubDate></item><item><guid isPermaLink="false">50f45922-286a-4aaa-8634-0a91e64f13b2</guid><link>https://www.ivanti.com/blog/patch-tuesday-december-2024</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>December 2024 Patch Tuesday</title><description>

&lt;p&gt;Microsoft’s December Patch Tuesday release looks pretty straightforward. They’ve resolved 70 new CVEs affecting Windows OS, Office, SharePoint, System Center Operations Monitor, Defender and a Microsoft AI project called Muzic.&lt;/p&gt;

&lt;p&gt;Adobe has released several updates, including Acrobat and Acrobat Reader. For details on all 16 Adobe product updates, check out their &lt;a href="https://helpx.adobe.com/security.html" rel="noopener" target="_blank"&gt;security advisory page&lt;/a&gt;. Adobe has set all updates as a priority 3 this month.&lt;/p&gt;

&lt;p&gt;Google Chrome has not released at the time of this blog but is expected to release soon.&lt;/p&gt;

&lt;h3&gt;Microsoft summary&lt;/h3&gt;

&lt;p&gt;While most of that lineup is pretty normal, the Microsoft Muzic AI project is an interesting one. &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49063" rel="noopener" target="_blank"&gt;CVE-2024-49063&lt;/a&gt; is a remote code execution vulnerability in Microsoft Muzic. To resolve this CVE, developers would need to take the latest build from GitHub to update their implementation.&lt;/p&gt;

&lt;p&gt;Priority-wise, the big one for December is the Windows OS update, which accounts for 58 of the 70 new CVEs, including all 16 Critical CVEs and the one Known Exploited CVE.&lt;/p&gt;

&lt;h3&gt;Zero-day vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49138" rel="noopener" target="_blank"&gt;CVE-2024-49138&lt;/a&gt;), which could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS editions back to Server 2008. The vulnerability is confirmed to be exploited in the wild, and some information about the vulnerability has been publicly disclosed, but that disclosure may not include code samples. The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritization would rate this vulnerability as Critical, which makes the Windows OS update this month your top priority.&lt;/p&gt;

&lt;h3&gt;Ivanti security updates&lt;/h3&gt;

&lt;p&gt;Ivanti has released five security advisories for December, resolving a total of 11 CVEs. Affected products include Ivanti Cloud Service Application, Desktop and Server Management, Connect Secure and Policy Secure, and Patch SDK. For more details on the vulnerabilities resolved and links to product updates see the &lt;a href="https://www.ivanti.com/blog/december-security-update"&gt;December Security Update&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;December update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS update is the highest priority this month, resolving 16 critical CVEs, one zero-day, and a total of 58 of the 70 new CVEs resolved by Microsoft this month.&lt;/li&gt;
	&lt;li&gt;Third-party updates for Chrome and Acrobat/Acrobat Reader and the Microsoft Office updates should be part of your normal maintenance schedule this month.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 10 Dec 2024 22:28:26 Z</pubDate></item><item><guid isPermaLink="false">4dc8dc1e-8249-4280-b9d8-599d78f2599c</guid><link>https://www.ivanti.com/blog/november-2024-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>November 2024 Patch Tuesday</title><description>&lt;p&gt;Microsoft has released updates resolving 88 new CVEs, four of which are rated Critical. The updates affect the Windows OS, Office, SQL Server, Exchange Server, .NET and Visual Studio. Two of the CVEs are confirmed to be exploited, two CVEs are publicly disclosed, and there is an advisory for SharePoint Server.&lt;/p&gt;

&lt;h2&gt;Zero-day vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Task Scheduler (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49039" rel="noopener" target="_blank"&gt;CVE-2024-49039&lt;/a&gt;). The vulnerability is rated Important, has a CVSS v3.1 score of 8.8 and is confirmed to be exploited. To exploit it, an attacker must run a specially crafted application on the target system, which elevates their privileges to a Medium integrity level. The vulnerability affects Windows 10 and later OS editions including Windows 11 24H2 and Server 2025. From a risk-based prioritization perspective, the vulnerability should be treated as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Spoofing vulnerability in NTLM (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451" rel="noopener" target="_blank"&gt;CVE-2024-43451&lt;/a&gt;). The vulnerability is rated Important and has a CVSS v3.1 score of 6.5. The vulnerability has been confirmed to be exploited and has been publicly disclosed. If exploited, this vulnerability discloses a user’s NTLMv2 hash to the attacker, who could use it to authenticate as the user. The attack would require minimal interaction with a malicious file, such as selecting (single-click), inspecting (right-click) or performing actions on the file. The vulnerability affects Server 2008 and later Windows OS editions, including Windows 11 24H2 and Server 2025. From a risk-based prioritization perspective, the vulnerability should be treated as Critical.&lt;/p&gt;

&lt;h2&gt;Public disclosures, third-party vulnerabilities and security advisories&lt;/h2&gt;

&lt;h3&gt;Active Directory Certificate Services&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Active Directory Certificate Services (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019" rel="noopener" target="_blank"&gt;CVE-2024-49019&lt;/a&gt;). The vulnerability is rated Important and has a CVSS v3.1 score of 7.8. The vulnerability has been publicly disclosed. If exploited, the attacker could gain domain administrator privileges. Additional mitigations are available, including removing overly broad enroll or auto-enroll permissions, removing unused templates from certificate authorities and securing templates that allow you to specify the subject in the request. The vulnerability affects Windows Server 2008 and later Server OS editions. From a risk-based perspective, a public disclosure puts this vulnerability at a higher risk of being exploited and may warrant treating the vulnerability as a higher severity.&lt;/p&gt;

&lt;h3&gt;Microsoft Exchange Server&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Spoofing vulnerability in Microsoft Exchange Server (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49040" rel="noopener" target="_blank"&gt;CVE-2024-49040&lt;/a&gt;). The vulnerability is rated Important and has a CVSS v3.1 score of 7.5. The vulnerability has been publicly disclosed and exploit code maturity is Proof-of-Concept level, making exploitation much easier for threat actors. The vulnerability exists in the P2 From header verification. Starting with the Exchange Server November 2024 Security Update, Exchange Server can detect and flag email messages that contain potentially malicious patterns in the P2 From header. By default, a warning of suspicious behavior will be prepended to the message. &lt;a href="https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-non-compliant-p2from-detection?view=exchserver-2019" rel="noopener" target="_blank"&gt;Additional mail flow rules can be configured&lt;/a&gt; to automatically reject messages that exhibit suspicious behavior. Microsoft Exchange Server is often targeted by threat actors who specialize in Exchange exploits. From a risk-based prioritization perspective, the public disclosure and availability of PoC-level exploit code warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft Defender&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an OpenSSL library vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5535" rel="noopener" target="_blank"&gt;CVE-2024-5535&lt;/a&gt;). The vulnerability is rated as Important by Microsoft and has a CVSS v3.1 score of 9.1. The vulnerability affects Microsoft Defender Endpoint for iOS and Android, Azure Linux 3.0 and CBL Mariner. To exploit the vulnerability, an attacker could send a malicious link to a victim via email or convince the user to click a link. The attacker could also send a specially crafted email to the user without the need for them to open, read or click the link.&lt;/p&gt;

&lt;h3&gt;SharePoint Server&lt;/h3&gt;

&lt;p&gt;Microsoft has released a Defense in Depth update for SharePoint Server (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/ADV240001" rel="noopener" target="_blank"&gt;ADV240001&lt;/a&gt;). The update does not include a severity or have any associated CVEs; it simply announces the availability of defense-in-depth updates for SharePoint Server.&lt;/p&gt;

&lt;h3&gt;Third-party updates&lt;/h3&gt;

&lt;p&gt;Adobe has released eight updates this month. All updates are rated Priority 3 by Adobe. Guidance from Adobe for Priority 3 updates: This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.&lt;/p&gt;

&lt;p&gt;Google released a Chrome update on November Patch Tuesday; the release notes did not include CVEs.&lt;/p&gt;

&lt;h2&gt;November update priorities:&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Microsoft Windows OS updates should be your top priority this month as they resolve both known and exploited vulnerabilities.&lt;/li&gt;
	&lt;li&gt;Microsoft Exchange Server should be a priority for organizations running Exchange Server. The public disclosure with proof-of-concept puts this vulnerability at elevated risk of exploitation.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 12 Nov 2024 21:43:48 Z</pubDate></item><item><guid isPermaLink="false">b3bc7d74-1e6b-4754-94ea-ed6dfde67df2</guid><link>https://www.ivanti.com/blog/october-2024-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>October 2024 Patch Tuesday</title><description>&lt;h3&gt;October Patch Tuesday Summary&lt;/h3&gt;

&lt;p&gt;October is Cybersecurity Awareness Month! What better way to stay cyber-aware than to read up on the latest security updates hitting the market? Microsoft released updates for Windows, Office, .NET and several Azure services, resolving a total of 117 new CVEs. There are two Zero-Day Exploits, both of which have also been publicly disclosed. In addition, there are three more CVEs that have been publicly disclosed, but with no reports of exploitation.&lt;/p&gt;

&lt;p&gt;Four additional third-party CVEs were reported as resolved in Microsoft’s release this month. These include three Chromium CVEs resolved in the latest Edge browser update and a CVE in Windows cURL Implementation. In addition, Zoom released an update resolving two vulnerabilities.&lt;/p&gt;

&lt;h3&gt;Microsoft Summary&lt;/h3&gt;

&lt;p&gt;Microsoft resolved 117 new CVEs this month, three of which are rated Critical by Microsoft. This month’s lineup has two Zero-Day exploits that have also been publicly disclosed, putting them at risk of more widespread exploitation. Both of the zero-day vulnerabilities are resolved by this month’s Windows OS update, making that your top priority to reduce risk quickly.&lt;/p&gt;

&lt;h3&gt;Microsoft zero-day vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Management Console (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43572" target="_blank" rel="noopener"&gt;CVE-2024-43572&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8. The vulnerability has been publicly disclosed and there are confirmed exploits of this vulnerability in the wild. The CVE affects all versions of Windows including the newly released Windows 11 24H2. Due to the confirmed exploitation, this vulnerability should be treated as a high priority this month.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Spoofing vulnerability in MSHTML (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43573" target="_blank" rel="noopener"&gt;CVE-2024-43573&lt;/a&gt;). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.5. The vulnerability has been publicly disclosed and there are confirmed exploits of this vulnerability in the wild. The CVE affects all versions of Windows including the newly released Windows 11 24H2. Due to the confirmed exploitation, this vulnerability should be treated as a high priority this month.&lt;/p&gt;

&lt;h3&gt;Ivanti Security Advisories&lt;/h3&gt;

&lt;p&gt;Ivanti has released five security updates for October Patch Tuesday resolving eleven CVEs. Products affected include Ivanti Connect Secure/Policy Secure, Ivanti Avalanche, Ivanti Velocity License Server, Ivanti EPMM, and Ivanti CSA.&lt;/p&gt;

&lt;p&gt;Ivanti is aware of a limited number of customers running CSA v4.6 being exploited. Updating to CSA 4.6 519 will address CVE-2024-8963, but Ivanti is guiding customers to upgrade to CSA 5.0.&lt;/p&gt;

&lt;p&gt;Details on these releases can be found in Ivanti’s &lt;a href="https://www.ivanti.com/blog/october-2024-security-update"&gt;October Security Update blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Third-party Security Advisories&lt;/h3&gt;

&lt;p&gt;Zoom has released an update this month resolving two CVEs affecting Zoom Workplace App, Zoom Rooms App, and Zoom Meeting SDK. Both are information disclosure vulnerabilities and are rated Medium with CVSS Scores of 4.9.&lt;/p&gt;

&lt;h3&gt;October Priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Windows OS updates are the highest priority this month. Both zero-day exploits are resolved by the OS update.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Oct 2024 22:15:28 Z</pubDate></item></channel></rss>