<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/en-gb/blog/authors/chris-goettl/rss" /><link>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</link><item><guid isPermaLink="false">711f25e0-6f5d-47f9-a133-fa4743219329</guid><link>https://www.ivanti.com/en-gb/blog/april-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>April 2026 Patch Tuesday</title><description>&lt;p&gt;The lead up to Patch Tuesday has been interesting. We had a Google Chrome zero-day (CVE-2026-5281) that was patched on April 1, an Adobe Acrobat Reader zero-day (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) late in the day on Friday April 10, and several older CVEs that were added to the CISA KEV list yesterday (&lt;a href="https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;April 13&lt;/a&gt;). All of this amidst a lot of industry buzz about Anthropic Mythos and &lt;a href="https://www.anthropic.com/glasswing" rel="noopener" target="_blank"&gt;Project Glasswing&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;What is the correlation between these events and Project Glasswing, you ask? Most of the discussions around Mythos have been focused on where it will be used and the ramifications.&lt;/p&gt;

&lt;p&gt;Finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released. However, it will also be used by researchers and threat actors to find flaws in code that is already released and that is where my speculation is directed.&lt;/p&gt;

&lt;p&gt;Consider the knock-on effects of a massive model like Mythos and what it will mean near term and longer term for the software that companies consume. Near term you will have the big players using a solution like this to release more secure code. As researchers and threat actors adopt more robust AI models to identify exploitable flaws this will result in more coordinated disclosures (good), zero-day exploits (bad) and n-day exploits (bad). All of this will result in more frequent, and more importantly, urgent software updates.&lt;/p&gt;

&lt;p&gt;Many organisations currently struggle to keep up with priority updates resolving exploited vulnerabilities when they occur outside of their normal monthly maintenance. I suspect most organisations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update yesterday. This means that threat actors had another 2-3 days of free rein to exploit CVE-2026-34621 before most organisations became aware, and many of those organisations will likely handle the update as part of their regular maintenance that is starting today on Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Browser security updates are a weekly occurrence. Many other applications that users are utilising regularly release updates on a continuous cadence, not a set monthly release date. This means many of the user-targeted exploits are going to occur in software that is releasing outside of the average organisation’s maintenance schedules, and that frequency is about to increase. It is hard to say if that increase is going to be 1.5x or 5x, but rest assured that the increase will be noticeable and will exacerbate a challenge that most organisations already struggle with – timely patch management.&lt;/p&gt;

&lt;p&gt;Enter Exposure Management. This is really a mindset and maturity change as much as a technology evolution. The mindset change requires us to consider a world where we need to make the decisions up front and monitor those decisions. This is called defining your Risk Appetite and monitoring your Risk Posture. Doing this effectively matures an organisation’s response to risks and makes remediation activities much more clear cut.&lt;/p&gt;

&lt;p&gt;The technology evolution requires the traditional vulnerability assessment technologies to integrate into a broader ecosystem where asset visibility or system of record comes together with vulnerability assessment and vulnerability intelligence solutions to refine when risks require more immediate action vs waiting for your regular maintenance activities to occur. Most important is the need for this tech stack to be integrated with your AEM (Autonomous Endpoint Management) platform as this is where remediation predominantly (and automatically) occurs.&lt;/p&gt;

&lt;p&gt;Now, back to our regularly scheduled Patch Tuesday update. Microsoft has resolved 169 CVEs this month, which is a massive Patch Tuesday lineup. April Patch Tuesday is the second-largest Patch Tuesday on record behind the October 2025 Patch Tuesday, which resolved 175 CVEs. The lineup includes one zero-day exploit (CVE-2026-32201) and one public disclosure (CVE-2026-33825) and breaks down into 8 Critical, 156 Important, 3 Moderate and 1 Low severity.&lt;/p&gt;

&lt;p&gt;The zero-day CVE is in Microsoft SharePoint and the public disclosure is in Microsoft Defender making those two updates the most urgent for this month in addition to the Adobe Acrobat and Google Chrome updates leading up to Patch Tuesday.&lt;/p&gt;

&lt;h2&gt;Microsoft’s known exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Server Spoofing Vulnerability in Microsoft SharePoint (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.5, but it has been confirmed to be exploited in the wild. An attacker who successfully exploits this vulnerability can view sensitive information and make changes to the disclosed information. The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016. A risk-based prioritisation methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege Vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825" rel="noopener" target="_blank"&gt;CVE-2026-33825&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but has been publicly disclosed. The CVE lists exploit code maturity as Proof-of-Concept, which puts this at a higher risk of exploitation. An authorised attacker could use this vulnerability to elevate their privileges to SYSTEM on the local machine.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for April. The update affects Ivanti Neurons for ITSM and resolves two CVEs. More details and information about mitigations can be found in the &lt;a href="https://www.ivanti.com/en-gb/blog/april-2026-security-update"&gt;April Security Advisory&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released twelve updates this month: eleven were released on Patch Tuesday, and the zero-day update for Acrobat was released on Friday, April 10. 54 CVEs were resolved with a breakdown of 39 Critical, 13 Important and 2 Moderate. APSB26-43 resolved the zero-day exploit (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;April update to-do list&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe Acrobat (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) and Google Chrome (CVE-2026-5281) each had zero-day exploits leading up to Patch Tuesday. Ensure that you are prioritising remediation of these two products to the latest version.&lt;/li&gt;
	&lt;li&gt;Microsoft SharePoint includes a zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;) and should be investigated as a priority especially if you have known update challenges with your SharePoint environments.&lt;/li&gt;
	&lt;li&gt;The Microsoft Windows OS update this month resolves 133 CVEs (depending on edition) and includes 4 Critical CVEs. This update will resolve a significant number of findings across your environment.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Apr 2026 22:51:36 Z</pubDate></item><item><guid isPermaLink="false">083e13be-f265-4f38-ae62-7545d4004aae</guid><link>https://www.ivanti.com/en-gb/blog/march-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>March 2026 Patch Tuesday</title><description>&lt;p&gt;March Patch Tuesday resolves 79 CVEs, of which three are Critical and 76 are Important. There are two publicly disclosed CVEs this month, but none exploited. Microsoft has also released an Edge update resolving nine Chrome CVEs. The public disclosures include a Denial-of-Service vulnerability in .NET and an Elevation of Privilege vulnerability in SQL Server. Both disclosures are listed as Unproven for Exploit Code Maturity, indicating the disclosures did not include any code samples.&lt;/p&gt;

&lt;p&gt;Adobe and Mozilla have released updates as part of the March Patch Tuesday, including eight updates from Adobe resolving a total of 80 CVEs, 21 of which are rated Critical. Mozilla Firefox 148.0.2 was released, resolving three High severity CVEs.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in SQL Server (CVE-2026-21262). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but it has been publicly disclosed. An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges. The vulnerability affects SQL Server 2016 and later editions.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Denial of Service vulnerability in .NET (CVE-2026-26127). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.5, but it has been publicly disclosed. An attacker could cause an out-of-bounds read in .NET, allowing an unauthorised attacker to deny service over a network. The vulnerability affects .NET 9 and 10 on Windows, macOS and Linux as well as NuGet 9 and 10 packages.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released eight updates this month resolving a total of 80 CVEs, 21 of which are rated Critical. Adobe Commerce is the highest priority this month with a Priority 2 rating. Other affected products include Adobe Illustrator, Substance 3D Painter, Acrobat and Acrobat Reader, Premiere Pro, Experience Manager, Substance 3D Stager, and DNG SDK.&lt;/p&gt;

&lt;p&gt;Mozilla has released an update for Firefox 148.0.2 resolving three High severity vulnerabilities.&lt;/p&gt;

&lt;h2&gt;March update to-do list&lt;/h2&gt;

&lt;p&gt;The Microsoft OS and Office updates will resolve the majority of the CVEs resolved this month in two easy updates.&lt;/p&gt;

&lt;p&gt;Mozilla Firefox, Microsoft Edge and Google Chrome are all released frequently. Prioritise browser updates on a weekly or daily basis to reduce risks continuously with minimal risk of impact.&lt;/p&gt;
</description><pubDate>Tue, 10 Mar 2026 21:01:35 Z</pubDate></item><item><guid isPermaLink="false">cfe3f6d0-7686-4667-8caa-8fdb5e58c49c</guid><link>https://www.ivanti.com/en-gb/blog/february-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>February 2026 Patch Tuesday</title><description>&lt;p&gt;February Patch Tuesday includes recent out-of-band updates from Microsoft between January 17th and 29th, including multiple bug fixes and a fix for a zero-day exploit in Microsoft Office. In addition, Microsoft’s announcement of the phased disablement of NTLM preceded the February 2026 Patch Tuesday release.&lt;/p&gt;

&lt;p&gt;For the February Patch Tuesday release, Microsoft has resolved 57 unique CVEs. Six CVEs are flagged as Exploited and three of those are Publicly Disclosed as well. Add the out-of-band (OOB) zero-day and you have a lineup of CVEs that need some attention.&lt;/p&gt;

&lt;h2&gt;January Out-of-Band Releases&lt;/h2&gt;

&lt;p&gt;The first OOB release on January 17th resolved a credential prompt failure when attempting remote desktop or remote appliance connections. The second round of OOB updates occurred on January 24th and 26th, resolving application crashes in Outlook and OneDrive, and system hibernation/shut down issues. And finally, the third OOB update on January 26th resolved a zero-day vulnerability, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;, a Microsoft Office Security Feature Bypass vulnerability.&lt;/p&gt;

&lt;h2&gt;Microsoft plans phased NTLM disablement&lt;/h2&gt;

&lt;p&gt;Microsoft released their plan for the&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt;&amp;nbsp;of New Technology LAN Manager (NTLM) in the latest operating systems starting now in 2026 and beyond. The NTLM authentication protocol was introduced back in 1993 and has since been superseded by Kerberos protocols, which are far more secure. However, NTLM has remained the fallback when Kerberos is unavailable despite being deprecated and having weak algorithms.&lt;/p&gt;

&lt;p&gt;Phase one introduces additional auditing to help identify where NTLM may still be running and &lt;a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-8-%E2%80%93-disabling-ntlm/4485782" rel="noopener" target="_blank"&gt;change it out&lt;/a&gt; where you can. Starting now, Microsoft recommends using &lt;a href="https://support.microsoft.com/en-us/topic/overview-of-ntlm-auditing-enhancements-in-windows-11-version-24h2-and-windows-server-2025-b7ead732-6fc5-46a3-a943-27a4571d9e7b" rel="noopener" target="_blank"&gt;advanced NTLM auditing&lt;/a&gt; already available in Server 2025, and Windows 11 24H2 and newer. Phase two begins with major OS updates coming later this year. This update will address the ‘pain points’ or blockers by removing multiple fallback scenarios where Kerberos reverts back to NTLM.&lt;/p&gt;

&lt;p&gt;And finally in phase three, NTLM will be disabled by default. The code will still be there, but you will need to explicitly re-enable it if absolutely needed. This three-phase approach will happen quickly, so plan appropriately to replace NTLM in your environment and take a giant security step forward. The ‘NTLM disabled by default’ phase will occur with the next major Server update.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&lt;/h2&gt;

&lt;p&gt;On January 29th, Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Microsoft Office (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker can send a user a malicious Office file and convince them to open the file to exploit the vulnerability. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Remote Desktop Services (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533" rel="noopener" target="_blank"&gt;CVE-2026-21533&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519" rel="noopener" target="_blank"&gt;CVE-2026-21519&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in MSHTML Framework (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513" rel="noopener" target="_blank"&gt;CVE-2026-21513&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Windows Shell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510" rel="noopener" target="_blank"&gt;CVE-2026-21510&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Security Feature Bypass vulnerability in Microsoft Word (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514" rel="noopener" target="_blank"&gt;CVE-2026-21514&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker can bypass a security feature locally due to a reliance on untrusted inputs. A risk-based prioritisation methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Denial of Service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.2, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. A null pointer dereference in Windows Remote Access Connection Manager allows an unauthorised attacker to deny service locally. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for February. The update affects Ivanti Endpoint Manager and resolves two new CVEs and 11 medium severity CVEs that were disclosed in late 2025. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/en-gb/blog/february-2026-security-update"&gt;February Security Advisory&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, there was a security advisory on January 29th for Ivanti Endpoint Manager Mobile (EPMM) that had a limited number of customers impacted at time of disclosure. Ivanti urges all customers using the on-prem EPMM product to promptly instal the Security Update. The security advisory, additional technical analysis, and an Exploitation Detection script co-developed with NCSC-NL can be found in the &lt;a href="https://www.ivanti.com/en-gb/blog/january-2026-epmm-security-update"&gt;January Security Advisory&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates this month resolving 43 CVEs, 27 of which are Critical. All nine updates are rated Priority three by Adobe.&lt;/p&gt;

&lt;h2&gt;February update to-do list&lt;/h2&gt;

&lt;p&gt;Windows OS and Microsoft Office updates are the priority this month, resolving six new zero-day exploits and one OOB zero-day exploit.&lt;/p&gt;

&lt;p&gt;Review Microsoft’s announcement of the &lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt; of NTLM and its documentation to start planning for the deprecation and disablement of NTLM.&lt;/p&gt;
</description><pubDate>Tue, 10 Feb 2026 21:58:44 Z</pubDate></item><item><guid isPermaLink="false">f1ce673e-e8a1-4464-80d6-d20ffc845cb6</guid><link>https://www.ivanti.com/en-gb/blog/january-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>January 2026 Patch Tuesday</title><description>&lt;p&gt;New year, new updates! Welcome back to the Ivanti Patch Tuesday blog where we provide you with critical insights to optimise your exposure management activities.&lt;/p&gt;

&lt;p&gt;This month there are a pair of Mozilla CVEs that are suspected of being exploited and a Microsoft CVE that has been exploited.&lt;/p&gt;

&lt;p&gt;In addition, Microsoft has a pair of publicly disclosed vulnerabilities that will need to be reviewed to see if your organisation may be impacted by the changes Microsoft is making.&lt;/p&gt;

&lt;p&gt;There are additional third-party updates from Adobe, and you should expect more from Google and Oracle over the next few days and into next week that should be included in your monthly maintenance.&lt;/p&gt;

&lt;p&gt;A side note of good news: Microsoft has broken the Server 2025 update out into a separate KB, so it is only 1.9GB in size, versus this month’s 4GB+ Windows 11 cumulative update.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an&amp;nbsp;Information Disclosure vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805" rel="noopener" target="_blank"&gt;CVE-2026-20805&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 5.5, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. The exposure could be used to&amp;nbsp;disclose&amp;nbsp;a section address from a remote ALPC port&amp;nbsp;that&amp;nbsp;is user-mode memory. The vulnerability affects all currently supported and extended security update-supported versions of the Windows OS. A risk-based prioritisation&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass vulnerability in Secure Boot Certificate Expiration (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265" rel="noopener" target="_blank"&gt;CVE-2026-21265&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.4, but it has been publicly disclosed. In addition to the update, the fix provides a warning regarding certificates that will be expiring in 2026 and details on actions that are required to renew certificates prior to their expiration. It is recommended to start investigating what actions your organisation may need to take to prevent potential serviceability and security issues as certificates expire.&lt;/p&gt;

&lt;p&gt;Microsoft is addressing&amp;nbsp;an&amp;nbsp;Elevation of Privilege vulnerability in Windows Agere Soft Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-31096" rel="noopener" target="_blank"&gt;CVE-2023-31096&lt;/a&gt;). The vulnerability CVE ID was assigned by MITRE&amp;nbsp;in 2023. It&amp;nbsp;is rated Important and has a CVSS v3.1 score of 7.8.&amp;nbsp;The CVE has been publicly&amp;nbsp;disclosed. Microsoft’s resolution is to remove the affected drivers from the Windows OS as&amp;nbsp;of the January 2026 cumulative update. Microsoft recommends removing any existing dependencies on this hardware.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released no security advisories this month.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.mozilla.org/en-US/security/advisories/" rel="noopener" target="_blank"&gt;Mozilla has released updates for Firefox and Firefox ESR,&amp;nbsp;resolving a total of&amp;nbsp;34&amp;nbsp;CVEs&lt;/a&gt;. All three updates have an Impact rating of High. Two CVEs are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/" rel="noopener" target="_blank"&gt;MFSA2026-01&lt;/a&gt;),&amp;nbsp;and CVE-2026-0891 is resolved in Firefox ESR 140.7 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/" rel="noopener" target="_blank"&gt;MFSA2026-03&lt;/a&gt;).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Expect Google Chrome and Microsoft Edge updates this week in addition to a high-severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Adobe has released 11 updates this month affecting Dreamweaver, InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Stager, Painter, Sampler and Designer, and ColdFusion. ColdFusion is a priority 1. Everything else is priority 3, but most of the updates include Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Oracle’s Quarterly CPU is scheduled to&amp;nbsp;release&amp;nbsp;on January 20, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out,&amp;nbsp;expect&amp;nbsp;all of&amp;nbsp;the Java-based frameworks to update over the next few weeks.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;January update to-do list&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Browser updates are a priority this month. Mozilla resolved two suspected zero-day exploits (CVE-2026-0891 and CVE-2026-0892),&amp;nbsp;and Chrome resolved a high-severity CVE (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;The Windows OS update resolves one exploited and two publicly disclosed vulnerabilities this month,&amp;nbsp;putting the Windows OS update as top priority this month&amp;nbsp;alongside&amp;nbsp;the browser updates.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Review Secure Boot Certificate timelines and usage of Agere Soft Modem drivers&amp;nbsp;to avoid serviceability and security issues.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 Jan 2026 21:52:53 Z</pubDate></item><item><guid isPermaLink="false">a937ebe7-be62-430c-a983-d1bae559151d</guid><link>https://www.ivanti.com/en-gb/blog/december-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>December 2025 Patch Tuesday</title><description>&lt;p&gt;Here we are at the final Patch Tuesday for 2025. Microsoft has resolved 56 CVEs (two Critical and 54 Important). Included in this release is one known exploited (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and two publicly disclosed CVEs (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). This month’s OS update resolves the exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and one of the public disclosures (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;), making the Windows OS a top priority this month. The other public disclosure is in GitHub Copilot for JetBrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;), which would require developers to download and update the GitHub Copilot plugin.&lt;/p&gt;

&lt;p&gt;Third-party updates this Patch Tuesday include multiple releases from Mozilla for Firefox 146 and Firefox ESR 115.31 and 140.6. Adobe released five updates to resolve 142 CVEs including an update for Adobe Acrobat and Reader. Four of five updates are rated as Priority Three, but the Adobe ColdFusion update is rated Priority One. There are no known exploits, but the ColdFusion update resolves the bulk of the CVEs resolved by Adobe this month.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Cloud Files Mini Filter Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but is confirmed to be exploited in the wild. An attacker who successfully exploits this CVE could gain SYSTEM privileges. The CVE affects Windows 10 and later Windows editions. A risk-based prioritisation approach would prioritise this CVE as Critical.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in PowerShell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but has been publicly disclosed. The fix provides a warning and guidance to avoid the potential remote code execution, but the nature of the exposure makes full remediation improbable. The Invoke-WebRequest command can parse the contents of a web page and could potentially run script code in the web page when it is parsed. A warning is presented recommending the use of the -UseBasicParsing switch to avoid script code execution. The CVE affects Server 2008 and later Windows editions.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in GitHub Copilot for JetBrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.4 but has been publicly disclosed. An attacker could exploit this through a malicious cross-prompt injection in untrusted files or MCP servers, allowing the execution of additional commands by appending them to commands allowed in the user’s terminal auto-approve setting.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update this month. The update affects Ivanti Endpoint Manager and resolves four vulnerabilities. More details and information about mitigations can be found in the &lt;a href="https://www.ivanti.com/en-gb/blog/december-2025-security-update"&gt;December Security Advisory&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Mozilla has released updates for Firefox and Firefox ESR resolving a total of 27 CVEs. All three updates have an Impact rating of High.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Adobe released five updates this month affecting ColdFusion, Experience Manager, DNG SDK, Acrobat and Reader and Creative Cloud Desktop. ColdFusion is a Priority One and resolves the majority of the 142 CVEs. The other four updates are rated Priority Three.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;December update priorities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The Windows OS update is the priority this month to resolve &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;All other updates can be resolved under normal SLA priorities.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
</description><pubDate>Tue, 09 Dec 2025 22:05:21 Z</pubDate></item><item><guid isPermaLink="false">dae27e64-a0e9-4ec8-85d5-2a80b19fc302</guid><link>https://www.ivanti.com/en-gb/blog/unpatchable-vulnerabilities-risk-mitigation-strategies</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><title>Unpatchable Vulnerabilities: Key Risk Mitigation Strategies</title><description>&lt;p&gt;Wouldn’t it be great if every vulnerability had a fix waiting in the wings? If patching were always fast, easy, and complete?&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s not the world we live in.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Some vulnerabilities can’t be patched at all. Others are buried in systems or services you don’t fully control. And the longer your focus stays limited to internal infrastructure, the more risk slips through the cracks.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is where the conversation broadens, from vulnerability management to full spectrum &lt;a href="https://www.ivanti.com/glossary/exposure-management" target="_blank" rel="noopener"&gt;exposure management&lt;/a&gt;. Because unpatchable vulnerabilities aren’t edge cases. They're part of your everyday risk landscape and deserve a seat at every CISO’s table.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The problem? Too many organisations still equate vulnerability management with patching, and that mindset creates blind spots big enough for attackers to walk right through. It ignores the exposures lurking outside traditional infrastructure: Cloud misconfigs, expired certs, &lt;a href="https://www.ivanti.com/en-gb/blog/software-supply-chain-attack-risk"&gt;third-party software dependencies&lt;/a&gt;, identity abuse and more.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;What are unpatchable vulnerabilities?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Unpatchable vulnerabilities live up to their name. They’re flaws you can’t fix with a vendor patch, and not as rare as you might think. In today’s environment, risk is as likely to come from a cloud misconfiguration or expired certificate as it is from a missing update. But if your strategy focuses only on infrastructure vulnerabilities, you’re leaving massive gaps in your defences.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Most teams lack total &lt;a href="https://www.ivanti.com/en-gb/blog/attack-surface-visibility-gaps"&gt;attack surface visibility&lt;/a&gt; and treat infrastructure as the entire &lt;a href="https://www.ivanti.com/glossary/attack-surface" target="_blank" rel="noopener"&gt;attack surface&lt;/a&gt;. Full stop. But that’s only one layer in a much broader landscape. The reality is that there are five critical layers where vulnerabilities live, and only one of them can be reliably managed with traditional patching.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/10/unpatchable-blog_attack-surface-graphic.png"&gt;&lt;/p&gt;

&lt;p&gt;The rest? They're unpatchable by nature. And each requires a different approach if you want to close the gaps. Let’s go through each one at a time:&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;1. Infrastructure&amp;nbsp;&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Infrastructure is the attack surface layer that everyone knows. It’s where traditional vulnerability management and patch management live. And yes, it’s critical. But treating this as the whole (or only) attack surface is like locking your front door and ignoring the open windows.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;2. External attack surface&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The &lt;a href="https://www.ivanti.com/en-gb/products/external-attack-surface-management"&gt;external attack surface&lt;/a&gt; is what an adversary sees when they look at your organisation from the outside. Your domains, subdomains and exposed services are entry points you don’t always control directly and often aren’t picked up in infrastructure scans.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;3. Cloud services&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Cloud misconfigurations are one of today’s most dangerous blind spots and also among the most overlooked, particularly in environments that have rapidly adopted cloud services without simultaneously evolving their security practices. We’ve seen the headlines about data exposed through misconfigured storage buckets or overly permissive APIs. These aren’t software flaws. They’re setup mistakes, and no patch can fix a poorly set permission.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;4. Identity&amp;nbsp;&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Then there’s identity. Every user account, credential and session token is a target. If a threat actor phishes your credentials or cracks a weak password, they’re not even exploiting a system vulnerability. They’re using your systems exactly as designed. Don’t mistake identity for a layer of access control. It serves as its own attack surface.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;5. Data&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;And finally: data. The ways you classify, store and secure data all represent a surface area that attackers are always probing. If sensitive information is in the wrong place, with the wrong permissions, that’s an open invitation.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patching is critical. It gives you remediation coverage on endpoints and servers. But it only addresses one piece of the puzzle. The rest of your environment requires a wider lens.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The reality is: exposures aren’t buried in code. They live in misconfigurations, overly broad permissions, architectural shortcuts and legacy systems either forgotten or left to rot in the background. Those don’t get fixed with a patch. They get fixed with strategy.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Examples of unpatchable vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/log4j-haunts-security-community/702011/" rel="noopener" target="_blank"&gt;Log4j&lt;/a&gt; was a wake-up call. A single vulnerable library embedded across dozens of applications, many of them business-critical. You couldn’t just “push a patch”. You had to wait for each vendor to update their software, and/or manually disable vulnerable components until you closed that hole.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s just one example of how complexity can derail vulnerability management. Other cases are even more problematic:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-iiot"&gt;IoT devices&lt;/a&gt; often operate as closed systems, with firmware controlled entirely by the vendor. If vendor support ends, you’re left with internet-connected assets that IT can’t update directly as firmware is locked behind vendor-controlled gates. Without updates, vulnerabilities remain exposed.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Network Edge Devices (Firewalls, VPNs, etc.) come with layers of complex rules, configurations and dependencies that can’t be blindly updated. Every change must be tested against business-critical services to avoid outages. One single misstep can knock systems offline or break key integrations. That’s why most teams treat these updates like surgical procedures: slow, meticulous and weighed carefully against the organisation’s &lt;a href="https://www.ivanti.com/en-gb/blog/risk-appetite"&gt;risk appetite&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;And then there’s cryptographic decay. It’s the slow decay of trust in encryption as attackers get faster and standards grow older. TLS and SSL protocols, once considered rock solid, become exploitable over time.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;And none of them can be addressed by traditional patching models. They live outside the boundaries of what scanners catch and patching can solve. That’s why a broader security strategy, one rooted in exposure reduction and not just patching, needs to guide your approach.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Multifaceted risk mitigation strategies&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Start by targeting the weakest links in your environment: outdated protocols, misconfigurations and overexposed assets. Then, assess who and what has access to your systems. Shrink those access pathways to only what’s essential. This reduces the damage radius when something goes wrong.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Next, break risk mitigation into multiple workstreams. Not every vulnerability can be addressed the same way or on the same timeline. You need parallel tracks for short-term containment and long-term resilience.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In the short term, if you're facing an unpatchable vulnerability, ask: how do we minimise impact now? The Log4j response is a good model. There, we deployed scripts that disabled vulnerable components in real time, limiting exposure while waiting for a vendor patch.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;At the same time, build a longer-term framework. Automate configuration updates wherever possible. Create a roadmap for phasing out end-of-life apps and platforms. Map ownership across critical systems, including which teams or vendors control updates and what permissions or dependencies might block timely fixes. When an issue arises, that prep work determines whether you're reacting in chaos or executing a plan.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The tactics will vary — scripts, segmentation, zero trust, re-architecture — but the goal stays the same: reduce the time and space adversaries have to exploit your systems. Shrink the window. Stay ahead of it.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The organisations that succeed in managing unpatchable vulnerabilities are the ones who understand their environment inside and out. They never stop refining that understanding. That means having a real-time asset inventory, visibility into what’s running where and a comprehensive Software Bill of Materials (SBOM) that tells you what’s inside your software.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;They also monitor the entire attack surface. Not just endpoints, but external perimeters, cloud configurations, identity systems, and the data itself. Anything less than that leaves blind spots wide open.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;They build tight operational bridges between teams. When a high-risk exposure surfaces, network ops, application owners and developers already know who’s on point, what actions to take and how to move fast without triggering service disruptions.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Above all, they know that “unpatchable” doesn’t mean unmanageable. It just means you need a different playbook: one that’s layered, cross-functional and laser-focused on reducing real-world risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For more on how to elevate your approach to vulnerability management and risk mitigation, check out Ivanti’s research report: &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch" target="_blank" rel="noopener"&gt;Risk-Based Patch Prioritization&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
</description><pubDate>Mon, 20 Oct 2025 13:00:00 Z</pubDate></item><item><guid isPermaLink="false">1afb70b0-8634-4268-871b-81a9978ae490</guid><link>https://www.ivanti.com/en-gb/blog/october-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>October 2025 Patch Tuesday</title><description>&lt;p&gt;October Patch Tuesday is going to be a busy one from all angles. Microsoft exceeded the January CVE count (159 CVEs) by a healthy margin, with 172 CVEs resolved this month. There are three exploited and two publicly disclosed vulnerabilities this month, but fortunately all of them are in the cumulative OS update, making resolution quick and clean. They are also end of life-ing a lot of products, including Windows 10! Additionally, Office 2016 and 2019 and Exchange Server 2016 and 2019 have also reached end of life.&lt;/p&gt;

&lt;p&gt;Adobe released 12 updates resolving 36 CVEs. Mozilla released five updates resolving 45 CVEs and are cautioning users that three of these CVEs are showing signs they may have been exploited in the wild (unconfirmed). And of course, Google Chrome is expected to release their weekly update in the next 24 hours.&lt;/p&gt;

&lt;p&gt;There is a lot to unpack, so let’s get started.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Secure Boot bypass vulnerability in IGEL OS before 11 (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47827" rel="noopener" target="_blank"&gt;CVE-2025-47827&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 4.6. Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature, allowing a crafted root file system to be mounted from an unverified image.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Remote Access Connection Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230" rel="noopener" target="_blank"&gt;CVE-2025-59230&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8. Improper access control in Windows Remote Access Connection Manager allows an authorised attacker to elevate privileges locally. A risk-based prioritisation methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990" rel="noopener" target="_blank"&gt;CVE-2025-24990&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8. The driver shipped natively with the Windows OS. Microsoft has removed the driver with the October cumulative update and recommends removing any existing dependencies on this fax modem hardware. Exploitation is possible even if the driver is not being used. A risk-based prioritisation methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24052" rel="noopener" target="_blank"&gt;CVE-2025-24052&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 7.8. The exploit code maturity is listed as proof-of-concept, which increases the risk of exploitation. A risk-based prioritisation methodology would warrant treating this as Critical.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an out-of-bounds read vulnerability in TCG TPM2.0 reference implementation (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-2884" rel="noopener" target="_blank"&gt;CVE-2025-2884&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 5.3. The exploit code maturity is listed as unproven, indicating there is currently no publicly available code.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates and one Security Advisory for October Patch Tuesday, resolving a total of seven CVEs. The affected products include Ivanti Neurons for MDM and Ivanti Endpoint Manager Mobile. The Ivanti Neurons for MDM vulnerabilities were resolved for all customers on October 10, 2025. An additional Security Advisory was released for Ivanti Endpoint Manager, which provides mitigation options for vulnerabilities disclosed October 7, 2025.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/october-2025-security-update"&gt;October Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released 12 updates addressing 36 CVEs. Adobe has rated the Commerce update as a priority two and the rest of the updates as priority three.&lt;/li&gt;
	&lt;li&gt;Mozilla released five updates resolving 45 CVEs. Three of the CVEs included variations of the statement, “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” indicating a possibility of exploitation in the wild. All five updates include at least one of the suspected exploit CVEs, so we recommend treating all five as containing a known exploited CVE.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release in the next 24 hours, so plan a Chrome update and a possible Edge update shortly after.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;October update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS cumulative update is the top priority this month, as it resolves three exploited and two publicly disclosed CVEs.&lt;/li&gt;
	&lt;li&gt;All Mozilla updates should be deployed during your current maintenance, but any deferral or delay would come with risks as there are three CVEs that are speculated to be exploitable in the wild already.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Oct 2025 21:43:03 Z</pubDate></item><item><guid isPermaLink="false">03dd2814-9086-4516-8a41-2bc1c212554b</guid><link>https://www.ivanti.com/en-gb/blog/continuous-vulnerability-management</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Security</category><title>Schrödinger’s Vulnerability: Why Continuous Vulnerability Management Isn’t Optional</title><description>&lt;p&gt;The classic thought experiment known as &lt;a href="https://www.newscientist.com/definition/schrodingers-cat/" rel="noopener" target="_blank"&gt;Schrödinger’s Cat&lt;/a&gt; imagines a cat that’s simultaneously alive and dead; that is, until someone opens the box. In other words, it’s both alive and dead until the point that we can confirm the truth.&lt;/p&gt;

&lt;p&gt;Now, swap the cat for software vulnerabilities, and you’ve got a fantastic analogy for what happens in today’s security environment. Teams won’t know a vulnerability exists until it’s discovered and, in the worst cases, until it’s already being exploited.&lt;/p&gt;

&lt;p&gt;That uncertainty is what I call &lt;em&gt;&lt;strong&gt;Schrödinger’s vulnerability&lt;/strong&gt;&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;It’s the gap between the assumption of safety and the reality of exposure. And it’s a gap that traditional vulnerability management practices alone can’t bridge.&lt;/p&gt;

&lt;p&gt;With threat actors leveraging automation and AI to enhance the speed and scale of their attacks, the time between the discovery of a vulnerability and exploitation is shrinking. Organisations can’t afford to waste time identifying and &lt;a href="https://www.ivanti.com/en-gb/resources/time-to-patch"&gt;patching vulnerabilities&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Traditional patching methods are on a fixed cadence – once a month or once a week – but this approach is out of touch with the realities of modern threats.&lt;/p&gt;

&lt;p&gt;Organisations need to branch out from relying just on reactive, scheduled &lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-patch-management"&gt;patch management&lt;/a&gt; and remediation cycles. It’s time we shift our mindset to an always-on, comprehensive way of understanding a potential vulnerability – even before we know that the vulnerability exists.&lt;/p&gt;

&lt;h2&gt;The Patch Tuesday problem: real-world threats move faster&lt;/h2&gt;

&lt;p&gt;Let’s start with what we all know: &lt;a href="https://www.ivanti.com/en-gb/resources/patch-tuesday"&gt;Patch Tuesday&lt;/a&gt; is predictable. Patch Tuesday remains an important practice in helping security teams prioritise their updates and remediate newly-identified vulnerabilities. Leading tech companies like Microsoft, Apple and Ivanti itself release their updates and patches on a regular cycle, giving IT and security teams time to prepare their own maintenance cycles.&lt;/p&gt;

&lt;p&gt;However, the problem is that many vulnerabilities aren't so predictable.&lt;/p&gt;

&lt;p&gt;For example, popular third-party vendors such as Adobe, Mozilla and Google are continuously releasing updates to common applications, such as browsers, that we all use on a daily basis.&lt;/p&gt;

&lt;p&gt;For organisations only anchored to a monthly maintenance schedule, this can create a dangerous delay. Each time you “close the box” and wait for the next patch window, you leave a 29-day exposure gap wide open.&lt;/p&gt;

&lt;p&gt;Consider what happened in the spring months of 2025: in the span of five weeks, Chrome, Edge and Firefox each identified zero-day vulnerabilities that required immediate attention:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Two Firefox vulnerabilities &lt;a href="https://thehackernews.com/2025/05/firefox-patches-2-zero-days-exploited.html" rel="noopener" target="_blank"&gt;publicly exploited at the Pwn2Own hacker competition&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.helpnetsecurity.com/2025/07/16/update-google-chrome-to-fix-actively-exploited-zero-day-cve-2025-6558/" rel="noopener" target="_blank"&gt;An actively exploited zero-day in Chrome&lt;/a&gt; and its sibling browser, Edge&lt;/li&gt;
	&lt;li&gt;Multiple rapid-fire CVE disclosures demanding swift action&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Modern cyber attackers can reverse-engineer newly released patches to uncover the underlying vulnerability, weaponize proof-of-concept exploits and launch automated attacks.&lt;/p&gt;

&lt;p&gt;Once a vulnerability is publicly disclosed, you enter a critical window to resolve the issue before threat actors can take advantage of it. In fact, the June 2025 zero-day in Chrome (CVE-2025-5419) was actively exploited in the wild upon patch release, underscoring how quickly adversaries can weaponize a disclosed flaw.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Patch Tuesday timeline of events from May-June 2025" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/schrodinger-vulnerability-graphic-1-patch-timeline.jpg"&gt;&lt;/p&gt;

&lt;p&gt;To extend our Schrödinger’s analogy: vulnerability management is like herding cats. And as anyone who’s tried to herd cats knows, it’s a 24/7, round-the-clock job. In other words, &lt;a href="https://www.ivanti.com/blog/continuous-vulnerability-management-is-a-must" target="_blank" rel="noopener"&gt;continuous vulnerability management&lt;/a&gt; is even more crucial now than before.&lt;/p&gt;

&lt;h2&gt;The IT burden: continuous releases and compressed SLAs&lt;/h2&gt;

&lt;p&gt;Threat velocity is only half the challenge. As more vendors shift to continuous release cycles, it forces security teams to shrink SLAs, sometimes dramatically. The result is often “smoke-test validation”, confirming a patch has been installed without fully checking its impact. That’s how bugs, compatibility issues and missed dependencies slip through. You’re increasing operational risk even when trying to reduce security risk. It’s like peeking in the box to see if the cat’s breathing and missing the open window behind it.&lt;/p&gt;

&lt;p&gt;IT teams are struggling to test, validate and deploy patches at that increased pace, &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch" target="_blank" rel="noopener"&gt;according to Ivanti research&lt;/a&gt;. Nearly four out of 10 (39%) cybersecurity professionals find it a challenge to prioritise risk remediation and patch deployment, and 35% aren’t consistently able to maintain compliance when patching.&lt;/p&gt;

&lt;p&gt;A different approach is needed. Teams need to be more proactive and continuous in their approach, which means establishing a mindset of &lt;a href="https://www.ivanti.com/glossary/exposure-management" target="_blank" rel="noopener"&gt;exposure management&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Risk appetite: the starting point for exposure management&lt;/h2&gt;

&lt;p&gt;Every organisation has a different tolerance threshold regarding risk. That’s your &lt;a href="https://www.ivanti.com/en-gb/blog/risk-appetite"&gt;risk appetite&lt;/a&gt;. If you haven’t formally defined that in your teams, you can’t operationalize an effective response strategy.&lt;/p&gt;

&lt;p&gt;That’s why continuous vulnerability management starts with a conversation across stakeholders. You must bring security ops, IT and business leadership to the table to address critical questions:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;What level of exposure are we willing to tolerate?&lt;/li&gt;
	&lt;li&gt;How fast can we realistically respond to zero-day threats?&lt;/li&gt;
	&lt;li&gt;What's the financial, operational and reputational cost of being wrong?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;a href="https://www.ibm.com/reports/data-breach" rel="noopener" target="_blank"&gt;average cost of a ransomware incident is now reported as being upwards of $5 million&lt;/a&gt;. That’s no small sum, and especially for smaller organisations, the high costs may pose an existential threat to their business.&lt;/p&gt;

&lt;p&gt;For enterprises, it’s more the brand damage and regulatory exposure where it stings the most.&lt;/p&gt;

&lt;p&gt;No matter your size, these numbers demand a shift from measuring patching SLAs to actively managing exposure.&lt;/p&gt;

&lt;h2&gt;From cadence to coverage: tiered patch management framework&lt;/h2&gt;

&lt;p&gt;At Ivanti, we’ve operationalized this mindset through a flexible, layered policy framework within our &lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-patch-management"&gt;Neurons for Patch Management platform&lt;/a&gt;. This starts with three policy tiers that align with real-world vulnerability response patterns:&lt;/p&gt;

&lt;p&gt;&lt;img alt="Patch tiers graphic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/schrodinger-vulnerability-blog-graphic-2-patch-tiers.png"&gt;&lt;/p&gt;

&lt;h3&gt;1. Routine maintenance&lt;/h3&gt;

&lt;p&gt;This is your baseline: OS updates, scheduled third-party patches, standard hygiene. While essential, it’s insufficient if it stands on its own. You’re keeping the lights on, but you’re not ready when a storm hits.&lt;/p&gt;

&lt;h3&gt;2. Priority updates&lt;/h3&gt;

&lt;p&gt;Browsers, collaboration tools and document apps change constantly, making them prime targets for exploitation. Because of the perpetual change and evolution of these apps, they require faster response cycles and purpose-built policies. We’ve created default configurations to help customers proactively manage these risk-prone applications with minimal friction.&lt;/p&gt;

&lt;h3&gt;3. Zero-Day response&lt;/h3&gt;

&lt;p&gt;Agility matters most here. When a zero-day is discovered and disclosed (or worse, exploited), you don’t have time to debate or argue about what to do in response. You need preconfigured, battle-tested policies that you can pivot to immediately and patch outside your normal cycle.&lt;/p&gt;

&lt;p&gt;These three tiers running parallel to each other give organisations a starting point for moving beyond cadence-based patching. They operationalize the concept of risk appetite by matching prescribed response urgency to the nature of the threat.&lt;/p&gt;

&lt;h2&gt;Multilayered vulnerability management and continuous compliance&lt;/h2&gt;

&lt;p&gt;&lt;img alt="continuous compliance graphic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/schrodinger-vulnerability-graphic-3-continuous-compliance.jpg"&gt;&lt;/p&gt;

&lt;p&gt;Not every system is perfect, though. What happens when something falls through the cracks?&lt;/p&gt;

&lt;p&gt;Maybe an employee was on vacation. Maybe a system was turned off. Maybe a new device was integrated without the latest patches. These are the edge cases that create silent, persistent risk. These are your very own Schrödinger’s vulnerabilities.&lt;/p&gt;

&lt;p&gt;To solve this requires a fourth remediation track: &lt;strong&gt;Continuous Compliance&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This task runs in the background. It monitors for devices that don’t meet your latest patching baseline from routine to zero-day. When it finds gaps, it closes them &lt;em&gt;automatically&lt;/em&gt;. It’s like a bank’s vault automatically locking shut when thieves trigger the alarm.&lt;/p&gt;

&lt;p&gt;There’s no need to wait for the next Patch Tuesday or have someone manually watch the dashboard 24/7. This is where true continuous vulnerability management takes shape. Ongoing coverage (and security) rather than manual reaction.&lt;/p&gt;

&lt;h2&gt;Shrinking the noise: focus on what matters&lt;/h2&gt;

&lt;p&gt;There’s another critical benefit here: dramatically reducing the volume of noise your security teams have to triage.&lt;/p&gt;

&lt;p&gt;Take July’s &lt;a href="https://www.ivanti.com/en-gb/resources/patch-tuesday"&gt;Patch Tuesday&lt;/a&gt;. Microsoft released patches for 104 CVEs. Let’s do the math: say you have 3,000 Windows 11 machines in your user base. That means more than 300,000 “findings” for your vulnerability scanner.&lt;/p&gt;

&lt;p&gt;But here’s the thing: if your exposure management programme is doing its job, 99% of those findings are already addressed and accounted for in your routine maintenance, priority updates or zero-day response tasks. No more needing to parse through mountains of redundant alerts – your team can now home in on what needs real attention, including gaps, anomalies and non-compliant systems.&lt;/p&gt;

&lt;p&gt;That’s how you move from reactive alert fatigue to active risk reduction.&lt;/p&gt;

&lt;h2&gt;From patch management to preparedness&lt;/h2&gt;

&lt;p&gt;This, ultimately, is a mindset shift. You’re moving from a reactive model to a proactive one. You’re shifting from waiting for vulnerabilities to surface and deciding what to do about them, to responding with predefined and automated processes firmly in place.&lt;/p&gt;

&lt;p&gt;That’s the difference between simply patching and being prepared. It matters more now than ever, with CVE counts rising and threat actors faster, smarter and better resourced.&lt;/p&gt;

&lt;p&gt;Regulatory expectations are also growing. Whether it’s SEC disclosure rules, National Institute of Standards and Technology (NIST) frameworks or industry-specific compliance mandates, the bar for “reasonable security” is climbing.&lt;/p&gt;

&lt;p&gt;The baseline has changed: it’s no longer patch and react. It’s continuous vulnerability management.&lt;/p&gt;

&lt;h2&gt;Not falling for Schrödinger’s vulnerability&lt;/h2&gt;

&lt;p&gt;Back to the cat. The whole point of the Schrödinger’s Cat thought experiment is that uncertainty persists &lt;em&gt;until you look&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;That’s fun in concept, but it’s dangerous when you apply that mentality to cybersecurity. You can’t just hope you won’t get hit — you must &lt;a href="https://www.ivanti.com/en-gb/products/risk-based-vulnerability-management"&gt;manage risk&lt;/a&gt; through continuous monitoring, patching and enforcing.&lt;/p&gt;

&lt;p&gt;With the right measures in place, you’re not opening the box wondering if a vulnerability is “alive” or not. You’ve already taken steps to keep it safe. You can open with confidence and then shut the window of exposure before it even becomes an open door.&lt;/p&gt;

&lt;p&gt;Discover more best practices to elevate your current patching and remediation efforts to a proactive, high-performing security strategy in our full &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch" target="_blank" rel="noopener"&gt;Risk-Based Patch Prioritization Report&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Wed, 17 Sep 2025 13:00:01 Z</pubDate></item><item><guid isPermaLink="false">27cd2aec-f887-4831-bfa0-0e15c3b491a1</guid><link>https://www.ivanti.com/en-gb/blog/september-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>September 2025 Patch Tuesday</title><description>&lt;p&gt;The days leading into September Patch Tuesday include a bit of chaos from a pair of actively exploited Android CVEs (CVE-2025-38352, CVE-2025-48543), a zero day in WhatsApp (CVE-2025-55177), another zero day in WinRAR (CVE-2025-8088), and a major supply chain attack through the Drift AI Chat Agent exposing Salesforce customers data.&lt;/p&gt;

&lt;p&gt;The good news is Microsoft only has a pair of publicly disclosed vulnerabilities (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;) out of 81 total CVEs resolved this month, making this about as close to a calm Patch Tuesday as we can hope for.&lt;/p&gt;

&lt;p&gt;The Windows OS and Office updates are rated Critical this month, putting those as the highest priority, but with no zero-day exploits, this month should be focused on routine maintenance from a Microsoft perspective.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 8.8 and affects all Windows OS editions. The code maturity is unproven, which would indicate no code samples have been disclosed. A risk-based prioritisation methodology would warrant treating this as Important.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Improper Handling of Exceptional Conditions vulnerability in Newtonsoft.Json (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is unrated and affects SQL Server 2016, 2017 and 2019. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause a denial-of-service condition. A risk-based prioritisation methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates resolving 22 CVEs, 12 of which are rated Critical. The products affected include Adobe Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer, Experience Manager, Dreamweaver, 3D Substance Modeller and ColdFusion. Adobe has rated the ColdFusion update as a priority one and Commerce as a priority two. The other seven updates are rated priority three.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates for September Patch Tuesday resolving a total of 13 CVEs. The affected products include Ivanti Connect Secure and Policy Secure and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/september-2025-security-update"&gt;September Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;September update priorities&lt;/h2&gt;

&lt;p&gt;With no zero-days released on Patch Tuesday, the updates this month are predominantly low risk. Ensure you have the zero days leading up to Patch Tuesday in hand, and plan to deploy the Microsoft and Adobe updates through your regular maintenance activities this month.&lt;/p&gt;
</description><pubDate>Tue, 09 Sep 2025 21:28:36 Z</pubDate></item><item><guid isPermaLink="false">cbf938a4-efb9-4ca5-b61a-23f9db4b9ed5</guid><link>https://www.ivanti.com/en-gb/blog/august-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>August 2025 Patch Tuesday</title><description>&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="platform" value="youtube"&gt;&lt;param name="id" value="cLNedMpRCyk"&gt;&lt;param name="cms_type" value="video"&gt;&lt;/object&gt;&lt;/p&gt;

&lt;p&gt;Let me start this month off with a question. Have you already decided what you are going to do for your remediation plan this month? Think about it for a second. OS updates, productivity apps, browsers, and other apps are already likely under consideration for your August patch maintenance. The real decisions you need to consider are around timing. Do you proceed with your typical Patch Tuesday plan or do you need to accelerate any zero-days, etc?&lt;/p&gt;

&lt;p&gt;What you just thought about was a generalisation of defining your risk appetite. There is a lot of discussion across the vulnerability management market about how to modernise vulnerability management. When you think about trends like 32% of 1H 2025 known exploited vulnerabilities (KEVs) being zero-day or 1-day exploits, it can feel overwhelming. How do you keep up with a continuous stream of updates? Ideally by defining your outcome and configuring for success.&lt;/p&gt;

&lt;p&gt;If we break this month’s Patch Tuesday down into parallel remediation streams:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Routine Maintenance: Much of what was released today will fall into your recurring monthly maintenance, which typically starts on Patch Tuesday and runs for two weeks or more depending on your SLAs, OS, productivity apps, third-party apps, etc.&lt;/li&gt;
	&lt;li&gt;Priority updates: Browsers tend to release more frequently (typically weekly) and may warrant a priority update track to keep up with the constant stream of new exposures in your environment. This patch cycle you may be resolving CVEs in multiple browsers from the past four weeks if you don’t have a more frequent update plan in place for the browsers.&lt;/li&gt;
	&lt;li&gt;Zero-day Response: The recent SharePoint exploits are a good example of the disruptive/unpredictable nature of zero-day exploits.&lt;/li&gt;
	&lt;li&gt;Continuous Compliance: The three previous tracks could solve most of your remediation challenges, but what about users who are on vacation or a leave of absence, who got a new system whose shipping bypassed the current month’s maintenance window, or who installed something new that was not the latest version? Defining a baseline and keeping it updated as new updates pass your quality tests would keep your systems in compliance when any of the many causes of drift occur.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved one publicly disclosed vulnerability in Windows Kerberos (CVE-2025-53779). The CVE is an Elevation of Privilege vulnerability that could allow an attacker to gain domain admin privileges. The CVE is rated Medium and has a CVSS score of 7.2. The vulnerability only affects Windows Server 2025.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released thirteen new updates on Patch Tuesday, but the most urgent is the Adobe Experience Manager Forms update released on August 5 resolving two publicly disclosed CVEs (CVE-2025-54253 and CVE-2025-54254). &lt;a href="https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html" rel="noopener" target="_blank"&gt;APSB25-82&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Google Chrome 139.0.7258 was released, resolving five CVEs, and is rated Critical. This will also affect Microsoft Edge, so watch for that update, likely later this week.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;August update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft SharePoint is the top priority this month to resolve recent zero-day exploits being targeted by multiple nation-state-level threat actors. Update ASAP.&lt;/li&gt;
	&lt;li&gt;Adobe Experience Manager Forms update released on August 5 is your second highest priority.&lt;/li&gt;
	&lt;li&gt;Windows OS and Office have Critical CVEs this month. Get them updated as part of your regular maintenance and you should be good.&lt;/li&gt;
	&lt;li&gt;Microsoft Exchange Server and SQL Server each received updates. The CVEs were only rated as Important, so there is no need to escalate remediation, but server admins should start to test and roll out within the next month.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 12 Aug 2025 22:08:03 Z</pubDate></item><item><guid isPermaLink="false">5bf2329e-ba5d-4257-9773-d230876f00e4</guid><link>https://www.ivanti.com/en-gb/blog/july-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>July 2025 Patch Tuesday</title><description>&lt;p&gt;July Patch Tuesday is a sizable one, but no significant security risk. Microsoft resolved 130 new CVEs, including one public disclosure. There are seven additional CVEs from MITRE regarding vulnerabilities in Git resolved through the Visual Studio update this month. Fourteen CVEs are rated Critical by Microsoft, affecting Windows OS, Office, SharePoint, and SQL.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The DHCP issue caused by the June 2025 update appears to be resolved. It is not reported as a known issue for Windows OS KBs, and some quick querying through Gemini agrees the issue appears to be resolved.&lt;/p&gt;

&lt;p&gt;Gemini’s response to the query is below:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;July update server DHCP issue resolved&lt;/p&gt;

&lt;p&gt;Yes, according to information available on July 8, 2025, Microsoft has resolved the DHCP server issue that was caused by the June 2025 security updates.&lt;/p&gt;

&lt;p&gt;Key points:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;June 2025 updates caused the problem: Microsoft's June 2025 Patch Tuesday updates introduced a bug that could cause the DHCP service to freeze or stop responding on Windows Server 2016 through 2025. This issue prevented some clients from renewing their IP addresses.&lt;/li&gt;
	&lt;li&gt;Fix released in July updates: Microsoft released Windows updates on July 8, 2025, and subsequent updates that resolve this issue.&lt;/li&gt;
	&lt;li&gt;Workaround before the fix: Before the July updates were available, the recommended workaround was to uninstall the affected June updates and restart the server, but this left systems vulnerable to security threats patched in those updates.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;The Windows Server OS updates this month resolve 16 CVEs in Windows Routing and Remote Access Service (RRAS). These vulnerabilities could allow an unauthenticated attacker to convince a user to initiate a connection to a malicious server that could allow them to execute arbitrary code. The attack would require no privileges and could be exploited over the network. Applying the updates to the OS is the best solution, but additional mitigations like restricting RRAS ports to trusted networks or VPN concentrators can limit exposure, as well as employing firewall rules and disabling unused RRAS features.&lt;/p&gt;

&lt;p&gt;Developers have a bit of work to do on their side this month. Microsoft resolved seven CVEs in Git and two additional CVEs that require a Visual Studio update this month.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure in Microsoft SQL (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49719" rel="noopener" target="_blank"&gt;CVE-2025-49719&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 7.5. The code maturity is unproven, which would indicate no code samples. A risk-based prioritisation methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome resolved their fourth zero-day exploit on June 30, so from a risk-based prioritisation perspective, Chrome and Edge updates take the focus leading up to Patch Tuesday. &lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt; was resolved in build 138.9.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.92 for Linux, which they indicated would roll out over the coming days/weeks.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released three updates for July Patch Tuesday resolving a total of 11 CVEs. The affected products include Ivanti Connect Secure and Policy Secure, Ivanti EPMM and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/july-security-update-2025"&gt;July Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;July update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Google Chrome and Microsoft Edge browsers are the top priority this month. Ensure you have deployed the latest updates to resolve the zero-day exploit (&lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt;) that was identified on June 30.&lt;/li&gt;
	&lt;li&gt;Windows Server OS updates are likely the biggest security priority this month, especially for those who experienced the DHCP issues after the June update and had to uninstall the June update.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Jul 2025 21:17:47 Z</pubDate></item><item><guid isPermaLink="false">6d00f5a5-75cd-4d95-b5b9-2ae31a5fdd82</guid><link>https://www.ivanti.com/en-gb/blog/june-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>June 2025 Patch Tuesday</title><description>&lt;p&gt;June Patch Tuesday is upon us. There has been a lot of activity in the past few weeks. Mid-May was the &lt;a href="https://www.zerodayinitiative.com/blog?tag=Pwn2Own" rel="noopener" target="_blank"&gt;Pwn2Own Berlin 2025 event&lt;/a&gt;, and the $1M USD in rewards that were paid out came with many newly discovered vulnerabilities affecting Microsoft, Google, Mozilla, VMware, NVIDIA, Oracle and other vendors. Since the event, there have been several updates from many of these vendors, so expect a lot of third-party updates to update this month from releases leading up to Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Microsoft released updates resolving 66 CVEs, nine of which are rated Critical. In addition, there is one public disclosure and one zero-day exploit. Updates this month affect Windows, Office, SharePoint, Visual Studio, and .NET. The zero-day and public disclosure are both resolved by the Windows OS update this month.&lt;/p&gt;

&lt;p&gt;Third-party updates from Mozilla, Google (including two recent zero-day exploits) and Adobe leading up to Patch Tuesday will add to the load. If your organisation is updating applications like browsers on a weekly basis to keep up with continuous release applications commonly used to target end users, you should be up to date on all but Adobe. If not, you will want to ensure these are queued up for your patch maintenance.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Web Distributed Authoring and Versioning (WEBDAV) (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;), which Microsoft has confirmed to be exploited in the wild. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. Risk-based prioritisation would treat this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB Client (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. The code maturity is Proof-of-Concept and the vulnerability is remotely exploitable, which will make this a desirable target for threat actors. A risk-based prioritisation methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome continues their weekly security update cadence. Expect a Chrome update this week to add to the four releases and 14 CVEs resolved since May Patch Tuesday. This includes two zero-day exploits resolved in the past few weeks (CVE-2025-5419 and CVE-2025-4664).&lt;/p&gt;

&lt;p&gt;Mozilla has released multiple security updates since the Pwn2Own Berlin event. The two CVEs exploited in the event were resolved in the May 17 release (Firefox 138.0.4) and since then, Mozilla has released Firefox 139 and 139.0.4, as well as updates for Firefox ESR and Thunderbird. Ensure you have the latest Mozilla updates queued up this Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Acrobat Reader and six other products, resolving 259 CVEs. 225 of these were included in the Experience Manager update, with hefty contributions from a handful of diligent security researchers.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released one update for June Patch Tuesday resolving a total of three CVEs. The affected product is Ivanti Workspace Control.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/june-security-update"&gt;June Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;June update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is the top priority this month with one zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;) and one public disclosure (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Google Chrome should be a top priority if you have not deployed updates for June 2 and earlier, as it will resolve two zero-day exploits (CVE-2025-5419 and CVE-2025-4664).&lt;/li&gt;
	&lt;li&gt;Browsers in general should be updated weekly to keep up with the continuous release cycle. Edge, Chrome and Firefox received multiple updates since May Patch Tuesday, including multiple high-profile disclosures and zero-day exploits.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 10 Jun 2025 20:52:28 Z</pubDate></item><item><guid isPermaLink="false">5cc993cd-6df8-4ed1-a47c-663a41b6568a</guid><link>https://www.ivanti.com/en-gb/blog/patch-tuesday-may-2025</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>May 2025 Patch Tuesday</title><description>&lt;p&gt;May Patch Tuesday resolves five actively exploited and two publicly disclosed vulnerabilities. Spoiler alert: all five zero-days are resolved by deploying the Windows OS update. Also, this month Windows 11 and Server 2025 updates include some new AI features, but they carry a lot of baggage. Literally – they are around 4GB! New AI features include Recall, Click to Do and Improved Windows Search.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a total of 72 new CVEs this month, six of which are rated Critical. The five zero-day vulnerabilities are rated Important, but using a risk-adjusted scoring model they would all be rated Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709" target="_blank" rel="noopener"&gt;CVE-2025-32709&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain administrator privileges. The vulnerability affects Windows Server 2012 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a pair of Elevation of Privilege vulnerabilities in the Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706" target="_blank" rel="noopener"&gt;CVE-2025-32706&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701" target="_blank" rel="noopener"&gt;CVE-2025-32701&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerabilities affect all Windows OS versions. The vulnerabilities are confirmed to be exploited in the wild. Microsoft’s severity rating for both CVEs is Important, with a CVSS 3.1 score of 7.8. Risk-based prioritisation warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Microsoft DWM Core Library (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400" target="_blank" rel="noopener"&gt;CVE-2025-30400&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerability affects Windows 10, Server 2016 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Memory Corruption vulnerability in Microsoft Scripting Engine (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397" target="_blank" rel="noopener"&gt;CVE-2025-30397&lt;/a&gt;) that could allow an unauthorised attacker to execute code over a network. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Remote Code Execution vulnerability in Visual Studio (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32702" target="_blank" rel="noopener"&gt;CVE-2025-32702&lt;/a&gt;) that could allow an unauthorised attacker to execute code locally. The vulnerability affects Visual Studio 2019 and 2022. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and the exploitability assessment is less likely.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Identity Spoofing vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26685" target="_blank" rel="noopener"&gt;CVE-2025-26685&lt;/a&gt;) that could allow an unauthorised attacker to perform spoofing over an adjacent network. The vulnerability affects Microsoft Defender for Identity. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe has released 13 updates this month resolving 39 CVEs, 33 of which are Critical. For more details, see &lt;a href="https://helpx.adobe.com/security.html" target="_blank" rel="noopener"&gt;Adobe’s Latest Product Security Updates&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release a weekly update shortly, so keep an eye out.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released four updates for May Patch Tuesday resolving a total of four CVEs and one CWE. The affected products include Ivanti Neurons for ITSM (on-prem only), Ivanti ICS, Ivanti Neurons for MDM and Ivanti EPMM.&lt;/p&gt;

&lt;p&gt;The Ivanti EPMM update resolves a medium and a high CVE that, when chained together, could lead to unauthenticated remote code execution if successfully exploited. Ivanti is aware of a very limited number of customers whose solution has been exploited at the time of disclosure.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/may-2025-security-update"&gt;May Security Update on the Ivanti blog&lt;/a&gt; and &lt;a href="https://www.ivanti.com/en-gb/blog/epmm-security-update"&gt;EPMM Security Update&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;May update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Windows OS is your top priority this month with five zero-day exploits reported (CVEs).&lt;/li&gt;
	&lt;li&gt;Ivanti EPMM customers should apply either of the mitigation options or update as soon as possible.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 May 2025 22:03:04 Z</pubDate></item><item><guid isPermaLink="false">9dd4f420-4068-40c4-8f10-f8a696fe7f9e</guid><link>https://www.ivanti.com/en-gb/blog/april-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>April 2025 Patch Tuesday</title><description>&lt;p&gt;April Patch Tuesday appears to be a high count of resolved CVEs, but a low number of high priority risks. Microsoft has resolved 121 new unique CVEs this month, 11 of which are rated critical and one known to be exploited. The zero-day vulnerability is in the Windows OS this month, making that your top priority.&lt;/p&gt;

&lt;p&gt;In addition, Adobe has released 12 updates resolving 54 CVEs. Adobe ColdFusion was rated highest (Priority 1) and resolves 15 CVEs. Adobe Commerce and Experience Manager Forms were rated Priority 2 and resolved five CVEs and two CVEs respectively. The rest of the Adobe lineup was Priority 3.&lt;/p&gt;

&lt;p&gt;Update your browsers! Google Chrome updated this Patch Tuesday resolving two additional CVEs. On April 1, both Mozilla Firefox and Google Chrome updated. Mozilla Firefox resolved eight CVEs, and Chrome resolved thirteen CVEs. Microsoft Edge (Chromium) updated on April 3 in response to the April 1 Chrome update, which means we will have an additional Edge update coming later this week.&lt;/p&gt;

&lt;p&gt;Oracle is due to release their quarterly CPU on April 15, so keep an eye out for Oracle updates including Java, which will kick off the domino effect of alternative Java frameworks getting updates through the end of April and into early May.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;) that could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released updates for most of the Creative Suite including After Effects, Animate, Bridge, Illustrator, Media Encoder, Photoshop and Premiere Pro.&lt;/li&gt;
	&lt;li&gt;Google Chrome released an update resolving two CVEs. Expect Edge to be released later this week.&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/#CriticalPatchUpdates" target="_blank" rel="noopener"&gt;Oracle’s quarterly CPU is scheduled for April 15, 2025&lt;/a&gt;. Expect updates for a number of Oracle products, but this release will also kick off the domino effect on all Java frameworks like RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released one update for April Patch Tuesday resolving a total of six CVEs. The affected products include Ivanti EPM 2022 and EPM 2024. For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/april-security-update"&gt;April Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;April update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is your top priority this month, with the only zero-day exploit reported (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Update all of your browsers! Last week Mozilla, Chrome and Edge received updates, and an additional Chrome update was released on Patch Tuesday. If you have not already, you should consider moving browser updates to a weekly cadence to reduce exposure time, as Chrome and Edge will receive weekly updates, and Firefox typically has two to three updates per month.&lt;/li&gt;
	&lt;li&gt;Expect Oracle updates on April 15 and additional updates for Java frameworks over the next few weeks.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Apr 2025 21:19:58 Z</pubDate></item><item><guid isPermaLink="false">e742c33b-3072-4692-9dc7-a2b707a818ca</guid><link>https://www.ivanti.com/en-gb/blog/march-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>March 2025 Patch Tuesday</title><description>&lt;p&gt;Here in the Midwest US, we have a saying about March, “In like a lion, out like a lamb.” This is in reference to the month starting with strong winter weather and letting off as the month progresses. In fact, we just had a blizzard that dropped 9-12 inches of snow across most of the region overnight, but a week later I see grass and sunny skies and have shed the winter coat!&lt;/p&gt;

&lt;p&gt;At first glance, March Patch Tuesday looks like a lamb, but this lamb might have the teeth of a lion. The standard lineup of updates resolves 57 CVEs across the Windows OS, Office, .Net and Visual Studio, with a couple of Azure component updates in the mix. Google Chrome updated in the lead up to Patch Tuesday (March 10 update), and Adobe released seven updates, including Adobe Acrobat and Acrobat Reader.&lt;/p&gt;

&lt;p&gt;Now let’s talk teeth. There are seven known exploited CVEs for the March lineup.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved six known exploited CVEs. The zero-day exploits affect the Microsoft Management Console, NTFS, Fast FAT, and the Win32 Kernel Subsystem. All six exploits are rated Important with CVSS scores ranging from 4.6 to 7.8. The good news is all six are resolved by the March Windows OS update, so the majority of the immediate risk is resolved by that one update.&lt;/li&gt;
	&lt;li&gt;Google resolved one known exploited CVE (&lt;a href="https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html" target="_blank" rel="noopener"&gt;CVE-2025-24201&lt;/a&gt;), which according to the release notes from Google is an out of bounds write in GPU on Mac reported by the Apple Security Engineering and Architecture (SEAR) team – so likely only a concern for Mac users. (Based on Microsoft’s release notes, it looks like Edge has not resolved the five CVEs in the March 10 release.)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Management Console (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633" rel="noopener" target="_blank"&gt;CVE-2025-26633&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker would need to take additional actions to prepare the target environment for exploitation, but the vulnerability allows for a variety of user-targeted tactics to exploit, including instant message, email and web-based attack scenarios. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24993" rel="noopener" target="_blank"&gt;CVE-2025-24993&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24991" rel="noopener" target="_blank"&gt;CVE-2025-24991&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 5.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Windows Fast FAT File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24985" rel="noopener" target="_blank"&gt;CVE-2025-24985&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24984" rel="noopener" target="_blank"&gt;CVE-2025-24984&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 4.6. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Win32 Kernel Subsystem (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983" rel="noopener" target="_blank"&gt;CVE-2025-24983&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects older Windows editions including Windows 10 and Server 2008 to Server 2016. Microsoft has confirmed that this CVE is exploited in the wild. If exploited, the attacker could gain SYSTEM-level privileges. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Access (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26630" rel="noopener" target="_blank"&gt;CVE-2025-26630&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Access 2016, Office 2019, Office LTSC 2021 and 2024, and Microsoft 365 Apps for Enterprise. Microsoft has confirmed that this CVE has been publicly disclosed, but the code maturity is set to be unproven. The disclosure could provide attackers with some additional information to formulate an exploit, but the lack of code samples will increase their efforts. Risk-based prioritisation would indicate a slightly higher risk for a disclosure without functional code, but not enough to bump this CVE up to Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Google Chrome released updates on March 10 resolving five CVEs, including one known exploited CVE (&lt;a href="https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html" rel="noopener" target="_blank"&gt;CVE-2025-24201&lt;/a&gt;). The exploit is documented as an out of bounds write in GPU on Mac. The priority is higher for macOS than Windows for this update.&lt;/li&gt;
	&lt;li&gt;Adobe released seven updates resolving 37 CVEs. The updates affect Adobe Acrobat and Reader, Illustrator, InDesign, Substance 3D Sampler, Painter, Modeller and Designer. All seven updates are rated priority three and can be handled in the course of your monthly update activities.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released two updates for the March Patch Tuesday resolving a total of two CVEs. The affected products are Ivanti Secure Access Client (ISAC) and Ivanti Neurons for MDM (N-MDM). For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/en-gb/blog/march-security-update"&gt;March Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;March update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS update is the top priority update this month resolving six known exploited CVEs.&lt;/li&gt;
	&lt;li&gt;The March 10 Google Chrome update resolves one known exploited vulnerability on macOS, making the macOS Chrome update a priority.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Mar 2025 21:27:51 Z</pubDate></item><item><guid isPermaLink="false">807d6ad7-2304-4f8d-9832-4998ee5246dd</guid><link>https://www.ivanti.com/en-gb/blog/february-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>February 2025 Patch Tuesday</title><description>&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="platform" value="youtube"&gt;&lt;param name="id" value="ojvY_mN7CMc"&gt;&lt;param name="cms_type" value="video"&gt;&lt;/object&gt;&lt;/p&gt;

&lt;p&gt;February Patch Tuesday is ramping up with releases from Adobe and Microsoft and an expected release from Google. Adobe resolved 45 CVEs across seven updates. The largest and highest priority is Adobe Commerce, which resolves 30 CVEs. Microsoft is coming down off a huge January release and only resolved 56 new CVEs this February. There are two new zero-day exploits and a revised Secure Boot zero-day in the mix, making the Windows OS a top priority this month.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418" rel="noopener" target="_blank"&gt;CVE-2025-21418&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker who exploited this vulnerability could gain SYSTEM privileges. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Storage (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21391" rel="noopener" target="_blank"&gt;CVE-2025-21391&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Windows 10 to 11 and Server 2016 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has revised the previously resolved Security Feature Bypass in Secure Boot (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932" rel="noopener" target="_blank"&gt;CVE-2023-24932&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.7. The vulnerability was updated to include Windows 11 24H2 and Server 2025 as they are also affected by this known exploited and publicly exploited vulnerability. Additionally, Microsoft has released a more comprehensive update to all affected versions to fully protect against this vulnerability. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Spoofing Vulnerability in NTLM Hash Disclosure (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21377" rel="noopener" target="_blank"&gt;CVE-2025-21377&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is publicly disclosed. The temporal metrics indicate Exploit Code Maturity is Functional, further increasing the risk of exploitation. Risk-based prioritisation warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Surface (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21194" rel="noopener" target="_blank"&gt;CVE-2025-21194&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Microsoft Surface and Surface Dev Kit systems. Microsoft has confirmed that this vulnerability is publicly disclosed, but the code maturity is unproven.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;p&gt;Adobe released updates for InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements, resolving a total of 45 CVEs. Six of the updates are Priority 3. Adobe Commerce is set to Priority 1. The Commerce update resolves 30 of the 45 total CVEs Adobe resolved this month and warrants more immediate attention.&lt;/p&gt;

&lt;p&gt;Google Chrome is expected to update later today, which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.&lt;/p&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released five product updates resolving 11 CVEs, four of which are Critical. The affected products include Ivanti Cloud Service Application, Ivanti Neurons for MDM, Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Secure Access Client. At the time of release, Ivanti is not aware of any exploitation or public disclosures for the 11 resolved CVEs. For more information, &lt;a href="https://www.ivanti.com/en-gb/blog/february-security-update"&gt;see the February Security Advisory page.&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;February update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities resolved and two Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Browsers are a prime target for attackers to target users. While including browsers in your monthly update process is recommended, it leaves a lot of CVEs exposed in between cycles. It’s recommended to move browsers to a weekly Priority Updates cadence. Mozilla Firefox releases two to three times a month. Google Chrome has been releasing security updates weekly since &lt;a href="https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html" rel="noopener" target="_blank"&gt;August 2023&lt;/a&gt;. The Chromium-based Microsoft Edge has also been releasing weekly. Updating all browsers on a weekly basis is recommended to keep up with the steady stream of security fixes.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Feb 2025 22:45:40 Z</pubDate></item><item><guid isPermaLink="false">6a215177-8914-4bba-be3b-f7c0f8b7422d</guid><link>https://www.ivanti.com/en-gb/blog/january-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>January 2025 Patch Tuesday</title><description>&lt;p&gt;Microsoft has released updates resolving 159 unique CVEs for January. Among the lineup are three zero-day exploits and five publicly disclosed vulnerabilities. The exploited CVEs are all targeting Windows Hyper-V NT Kernel Integration VSP, making the OS update this month your most urgent priority. The public disclosures impact Windows Themes, Windows App Package Installer and three CVEs for Microsoft Access. There are 10 CVEs rated Critical affecting the components of the Windows OS and Microsoft Excel.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved three Elevation of Privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333" target="_blank" rel="noopener"&gt;CVE-2025-21333&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21334" target="_blank" rel="noopener"&gt;CVE-2025-21334&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335" target="_blank" rel="noopener"&gt;CVE-2025-21335&lt;/a&gt;). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. These vulnerabilities affect Microsoft Windows versions 10, 11 and Server 2025. Microsoft is aware of exploitation of these vulnerabilities. Risk-based prioritisation warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Spoofing Vulnerability in Windows Themes (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21308" rel="noopener" target="_blank"&gt;CVE-2025-21308&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects Windows 10 and 11 as well as Server 2012 up to Server 2025. The CVE has been publicly disclosed, increasing the risk of exploitation. There are mitigations that could reduce the risk of this vulnerability or future security risks. For more details, refer to the Mitigations section of the CVE page.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows App Package Installer (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21275" rel="noopener" target="_blank"&gt;CVE-2025-21275&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Windows versions 10, 11, and Server 2025. If exploited, an attacker could gain SYSTEM level privileges. The CVE has been publicly disclosed, increasing the risk of exploitation.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved three Remote Code Execution vulnerabilities in Microsoft Access (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21186" rel="noopener" target="_blank"&gt;CVE-2025-21186&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21395" rel="noopener" target="_blank"&gt;CVE-2025-21395&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21366" rel="noopener" target="_blank"&gt;CVE-2025-21366&lt;/a&gt;). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. The vulnerabilities affect Microsoft Office 2019, Access 2016, Office LTSC 2021 and 2024 and Microsoft 365 Apps. The CVEs have been publicly disclosed, increasing the risk of exploitation.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;p&gt;Oracle’s Quarterly CPU is scheduled to release on January 21, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out, expect all of the Java-based frameworks to update over the next few weeks.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Photoshop, Substance 3D Stager, Illustrator on iPad, Animate and Substance 3D Designer, resolving a total of 14 CVEs. All of the CVEs resolved are rated as Critical, but no exploitation or disclosures have been reported.&lt;/p&gt;

&lt;p&gt;Expect Google Chrome’s weekly security update today or tomorrow along with an update for Microsoft Edge shortly after.&lt;/p&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released three product updates resolving 20 CVEs. The affected products include Ivanti Avalanche, Ivanti Application Control Engine and Ivanti Endpoint Manager. Ivanti is not aware of any exploitation or public disclosures for the 20 resolved CVEs. For more information, see the &lt;a href="https://www.ivanti.com/en-gb/blog/january-security-update"&gt;January Patch Tuesday Security Advisory page&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;January update priorities:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities resolved and eight Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Microsoft Office is next in priority from a risk-based perspective. The update this month resolved three publicly disclosed CVEs in Access and two Critical CVEs in Excel. The two Excel CVEs could use the Preview Pane as an attack vector, making them ideal targets for threat actors.&lt;/li&gt;
	&lt;li&gt;Ensure your browsers are all up to date. Mozilla released last week and Google Chrome and Microsoft Edge update weekly with security fixes.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Jan 2025 23:35:11 Z</pubDate></item><item><guid isPermaLink="false">2d23a90b-0108-4fe0-8836-99b29bc24f8d</guid><link>https://www.ivanti.com/en-gb/blog/november-2023-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><title>November 2023 Patch Tuesday</title><description>&lt;div&gt;&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" src="https://www.youtube.com/embed/BLQaT3KTfq0" title="YouTube video player"&gt;&lt;/iframe&gt;&lt;/div&gt;

&lt;p&gt;November 2023 Patch Tuesday has arrived and has a lower overall CVE count than previous months, but includes some urgent fixes that organizations will want to take note of. This month is also the first patch cycle for Server 2012 and 2012 R2 extended support (ESU). On the third-party side, Adobe has released updates and the Google Chrome Stable Channel has been updated.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2023/11/patchtues-page-blog_nov2023-2.jpg"&gt;&lt;/p&gt;

&lt;h2&gt;Microsoft updates&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved 58 new unique CVEs this month, three of which are critical. Three CVEs have confirmed exploits in the wild. There are also some publicly disclosed vulnerabilities that could be considered at higher risk of being exploited. Products affected include Windows OS, Office&amp;nbsp;365, .Net, ASP.NET, Azure DevOps Server, Visual Studio, Exchange Server&amp;nbsp;and&amp;nbsp;SQL Server.&lt;/p&gt;

&lt;p&gt;Microsoft Server 2012 and 2012 R2 officially reached their end-of-life in October. Today, there are updates available for these server editions if an organization has subscribed to Microsoft ESU.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft zero-day vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows DWM Core Library (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36033" rel="noopener" target="_blank"&gt;CVE-2023-36033&lt;/a&gt;). The CVE is rated as Important by Microsoft and has a CVSS score of 7.8, but exploits have been detected in the wild.&lt;/p&gt;

&lt;p&gt;There are proof-of-concept code samples publicly available, making it easy for additional attackers to utilize. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-level privileges. The vulnerability affects all Windows 10, 11 and Server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Cloud Files Mini Filter Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36036" rel="noopener" target="_blank"&gt;CVE-2023-36036&lt;/a&gt;). The vulnerability is rated as Important and has a CVSS score of 7.8, but exploits have been detected in the wild. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-level privileges. The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions.&lt;/p&gt;

&lt;p&gt;Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions. Regardless of severity and CVSS&amp;nbsp;rating,&amp;nbsp;this vulnerability is actively being exploited and warrants higher prioritization.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025" rel="noopener" target="_blank"&gt;CVE-2023-36025&lt;/a&gt;). The vulnerability is rated as Important and has a CVSS score of 8.8, but exploits have been detected in the wild. An attacker can convince a user to click on a specially crafted URL and bypass Windows Defender SmartScreen checks.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions. Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions.&lt;/p&gt;

&lt;p&gt;Regardless of severity and CVSS&amp;nbsp;rating,&amp;nbsp;this vulnerability is actively being exploited and warrants higher prioritization.&lt;/p&gt;

&lt;h2&gt;Microsoft publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Denial of Service vulnerability in ASP.NET (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36038" rel="noopener" target="_blank"&gt;CVE-2023-36038&lt;/a&gt;). The vulnerability is rated as Important and has a CVSS score of 8.2. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. Under the right conditions, an attacker who successfully exploits this vulnerability could cause a total loss of availability.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Office that allows an attacker to bypass the Office Protected&amp;nbsp;View and&amp;nbsp;open in editing mode rather than protected mode (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36413" rel="noopener" target="_blank"&gt;CVE-2023-36413&lt;/a&gt;). The vulnerability is rated as Important and has a CVSS score of 6.5. The vulnerability has been publicly&amp;nbsp;disclosed,&amp;nbsp;which increases the risk that threat actors may be developing or will develop an exploit. The vulnerability affects Microsoft Office and 365 Apps editions.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has updated previously published CVEs (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039" rel="noopener" target="_blank"&gt;CVE-2023-38039&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38545" rel="noopener" target="_blank"&gt;CVE-2023-38545&lt;/a&gt;) affecting HTTP headers and SOCKS5 heap buffer overflow to include an updated version of curl 8.4.0, which addresses the vulnerabilities. Organizations that implemented the mitigations provided on October 19th, 2023 should follow the guidance provided in the following documentation: &lt;a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies" rel="noopener" target="_blank"&gt;Remove Windows Defender Application Control (WDAC) policies&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Microsoft Exchange vulnerabilities of note&lt;/h2&gt;

&lt;p&gt;Some of these Exchange vulnerabilities &lt;a href="https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/" rel="noopener" target="_blank"&gt;caught some recent headlines in early November&lt;/a&gt; because the timing of the disclosures from the researcher did not line up with Microsoft’s release criteria. Some researchers have very hard timeframes, from informing the vendor to releasing details publicly. If the vulnerabilities didn't meet criteria for out-of-band release, then they would fall into the next release cycle. A few of these Exchange CVEs appear to fall into such a case. No exploits or disclosures were reported against the five Exchange CVEs.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36035" rel="noopener" target="_blank"&gt;CVE-2023-36035&lt;/a&gt;&amp;nbsp;Microsoft Exchange Server Spoofing Vulnerability&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36039" rel="noopener" target="_blank"&gt;CVE-2023-36039&lt;/a&gt;&amp;nbsp;Microsoft Exchange Server Spoofing Vulnerability&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36050" rel="noopener" target="_blank"&gt;CVE-2023-36050&lt;/a&gt;&amp;nbsp;Microsoft Exchange Server Spoofing Vulnerability&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36439" rel="noopener" target="_blank"&gt;CVE-2023-36439&lt;/a&gt;&amp;nbsp;Microsoft Exchange Server Remote Code Execution Vulnerability&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730" rel="noopener" target="_blank"&gt;CVE-2021-1730&lt;/a&gt;&amp;nbsp;Microsoft Exchange Server Spoofing Vulnerability (information only change)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Third-party updates&lt;/h2&gt;

&lt;p&gt;Adobe has released updates for 14 products including Adobe Acrobat and Acrobat Reader. Adobe resolved 76 CVEs across the product updates, including 40 Critical CVEs. No exploits or public disclosures have been reported.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Based on Adobe's priorities, these would all fall into their Priority 3, as most of the products are less likely to be targeted (like ColdFusion, InCopy, etc.). Adobe Acrobat and Acrobat Reader are the most likely to be targeted, as they are more widely available on systems. The recommendation would be to prioritize&amp;nbsp;&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb23-54.html" rel="noopener" target="_blank"&gt;APSB23-54: Security update available for Adobe Acrobat and Reader&lt;/a&gt;&amp;nbsp;for remediation to be safe.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Google Chrome has moved to a &lt;a href="https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html" rel="noopener" target="_blank"&gt;weekly release cadence for security updates&lt;/a&gt;. Chrome's stable channel has been updated to 119.0.6045.159 for Mac and Linux and 119.0.6045.159/.160 for Windows and includes 4 CVEs. Expect Chromium-based browsers to update shortly.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Tue, 14 Nov 2023 22:18:09 Z</pubDate></item><item><guid isPermaLink="false">ed8387d2-0e74-4acb-be77-b09b5ac119b7</guid><link>https://www.ivanti.com/en-gb/blog/october-2023-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><title>October 2023 Patch Tuesday</title><description>&lt;p&gt;There's been&amp;nbsp;a long string of zero-day events through September and into the October Patch Tuesday lineup. Apple had five zero-day vulnerabilities across most of their products culminating in their updates that&amp;nbsp;were released&amp;nbsp;on September 26th&amp;nbsp;(which also included the EoL of Big Sur).&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Google and Mozilla continued to be busy with several zero-day vulnerabilities in&amp;nbsp;the open-source library libwebp. This also impacted Chromium-based browsers like Microsoft Edge, Opera and others. For more details on the lineup of CVEs leading up to October Patch&amp;nbsp;Tuesday,&amp;nbsp;check out our&amp;nbsp;&lt;a href="https://www.helpnetsecurity.com/2023/10/06/october-2023-patch-tuesday-forecast/" rel="noopener" target="_blank"&gt;Patch Tuesday Forecast on HelpNetSecurity&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved 104 new CVEs this month, three of which are flagged as exploited. The lineup from Microsoft includes Windows, Office 365, SQL Server, Exchange Server&amp;nbsp;and&amp;nbsp;multiple Azure components. Along with the large lineup of&amp;nbsp;fixes,&amp;nbsp;October also marks the end-of-life for Windows Server 2012 and 2012 R2.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Patch Tuesday graphic for October." src="https://static.ivanti.com/sites/marketing/media/images/blog/2023/10/patchtues-page-blog_october2023.jpg" /&gt;&lt;/p&gt;

&lt;h2&gt;Microsoft zero-day vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Skype (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763" rel="noopener" target="_blank"&gt;CVE-2023-41763&lt;/a&gt;) which allows an attacker to send a specially crafted network call to a target Skype for Business server. The network call could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker. The CVE is rated as Important and has a CVSSv3.1 score of 5.3, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Microsoft has resolved an&amp;nbsp;information&amp;nbsp;disclosure vulnerability in WordPad (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36563" rel="noopener" target="_blank"&gt;CVE-2023-36563&lt;/a&gt;) which allows the disclosure of NTLM hashes. The CVE is rated as Important and has a CVSSv3.1 score of 6.5, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.&lt;/li&gt;
	&lt;li&gt;Microsoft has resolved a Denial of Service vulnerability in&amp;nbsp;the HTTP/2&amp;nbsp;protocol (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" rel="noopener" target="_blank"&gt;CVE-2023-44487&lt;/a&gt;) which allows request cancellation that can reset many streams quickly. The vulnerability has been exploited in the wild since August. The vulnerability has been resolved in the Windows OS and in Visual Studio, .NET and ASP.NET. The CVE&amp;nbsp;doesn't&amp;nbsp;have a CVSS score calculated, and Microsoft’s severity is only rated as Important, but due to active exploitation this CVE should be treated as a higher severity.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Windows Server 2012/2012 R2 and Windows 11 21H2 end-of-life&lt;/h2&gt;

&lt;p&gt;This Patch Tuesday will include the&amp;nbsp;latest&amp;nbsp;updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. The latter go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced that the keys used to&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/azure/azure-arc/servers/deliver-extended-security-updates" rel="noopener" target="_blank"&gt;enable&amp;nbsp;these updates&lt;/a&gt; will be managed as part of Azure Arc. They should be released next week.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;End-of-life software poses a risk to an organization. No public updates will be available for these OS versions going forward. For Windows 11&amp;nbsp;users,&amp;nbsp;this means upgrading to a new Windows 11 branch. For Server 2012/2012 R2,&amp;nbsp;it's highly recommended to subscribe to ESU or migrate to a newer server edition.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Linux zero-day vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;CVE-2023-42115 has a whopping 9.8 CVSS and affects the Exim software solution, a message transfer agent (fancy way of saying email server) that’s very popular on Linux (including web hosters), which was vulnerable to remote code execution. This vulnerability had been reported for over a year to the original developers but never&amp;nbsp;addressed properly&amp;nbsp;and is now public.&amp;nbsp;There's&amp;nbsp;exploit code available in the wild. It particularly affects servers configured with centralized identity management, including in mixed Windows/Linux environments with Active Directory.&lt;/li&gt;
	&lt;li&gt;Exim announced on October 2nd&amp;nbsp;that a security update for exim-4.96.1 and 4.97 has been created to mitigate this CVE and two other zero-days (with three other zero-days remaining unpatched). Exim is an important MTA software because it’s bundled with “control panel”&amp;nbsp;web hosters, including in docker images.&lt;/li&gt;
	&lt;li&gt;CVE-2023-4863 is a 9.1 CVSS heap-based buffer overflow that affects libwebp, which is a library used by countless applications (for example Google Chrome, Firefox or Brave) to render images on screen.&amp;nbsp;It's been found to be vulnerable to an exploit, which is already in the wild, and all the applications using&amp;nbsp;it will&amp;nbsp;be affected&amp;nbsp;—&amp;nbsp;which are essentially any applications that show or process images in the "webp" format (or its derivatives). This is remotely exploitable and requires no interaction to trigger – simply viewing a malicious image is enough to trigger it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Linux vulnerabilities can have a long tail, from the publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs,&amp;nbsp;check out &lt;a href="https://cve.tuxcare.com/els/cve" rel="noopener" target="_blank"&gt;TuxCare’s detailed CVE Tracker&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Tue, 10 Oct 2023 22:03:02 Z</pubDate></item></channel></rss>