Microsoft Fixes 113 Vulnerabilities & 1 Actively Exploited 0-Day in First Patch Released -Jan2026
Microsoft Patch Tuesday 2026 Jan
Continue ReadingVulnerabilities
Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC
Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).
These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.
Summary
| OEM | Cisco |
| Severity | Critical |
| CVSS Score | 10.0 |
| CVEs | CVE-2025-20281, CVE-2025-20282 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).
These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.
Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.
Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| API Unauthenticated RCE vulnerability | CVE-2025-20281 | ISE & ISE-PIC | Critical | 3.3 Patch 6, 3.4 Patch 2 |
| Internal API Arbitrary File Execution vulnerability | CVE-2025-20282 | ISE & ISE-PIC | Critical | 3.4 Patch 2 |
Technical Summary
Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication:
- CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root.
- CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories.
These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management).
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-20281 | Cisco ISE & ISE-PIC 3.3 and later | Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user. | Remote code execution |
| CVE-2025-20282 | Cisco ISE & ISE-PIC 3.4 only | An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges. | Remote code execution |
Remediation:
Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates:
| Cisco ISE / ISE-PIC Version | CVE-2025-20281 Fixed In | CVE-2025-20282 Fixed In |
| 3.2 and earlier | Not affected | Not affected |
| 3.3 | 3.3 Patch 6 | Not affected |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 |
Conclusion:
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.
Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure.
References:
Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days
Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-06-10 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client.
- 67 Microsoft CVEs addressed
- 3 non-Microsoft CVEs addressed
Breakdown of May 2025 Vulnerabilities
- 25 Remote Code Execution (RCE)
- 17 Information Disclosure
- 14 Elevation of Privilege (EoP)
- 6 Denial of Service (DoS)
- 3 Security Feature Bypass
- 2 Spoofing
- 2 Chromium (Edge) Vulnerabilities
- 1 Windows Secure Boot
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| WebDAV Remote Code Execution (Exploited in the wild) | CVE-2025-33053 | Windows | High | 8.8 |
| SMB Client Elevation of Privilege (Publicly disclosed) | CVE-2025-33073 | Windows | High | 8.8 |
Technical Summary
Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-33053 | Windows 10,11 and Windows Server | WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. | Remote Code Execution |
| CVE-2025-33073 | Windows 10,11 and Windows Server | EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. | Elevation of Privilege |
Source: Microsoft and NVD
In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed:
- CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4)
- CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8)
- CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1)
- CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1)
- CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8)
- CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8)
- CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8)
- CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8)
- CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5)
Remediation:
- Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks.
General Recommendations:
- Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution.
- Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure.
- Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073.
- Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems.
- Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule.
Conclusion:
Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.
Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency.
References:
Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited
Summary
| OEM | Qualcomm |
| Severity | HIGH |
| CVSS Score | 8.6 |
| CVEs | CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.
These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats.
| Vulnerability Name | CVE ID | Product Affected | CVSS Score | Severity |
| Incorrect Authorization Vulnerability | CVE-2025-21479 | Qualcomm Adreno GPU Driver | 8.6 | High |
| Incorrect Authorization Vulnerability | CVE-2025-21480 | Qualcomm Adreno GPU Driver | 8.6 | High |
| Use-After-Free Vulnerability | CVE-2025-27038 | Qualcomm Adreno GPU Driver | 7.5 | High |
Technical Summary
These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21479 | Android (Adreno GPU) | Unauthorized command execution during specific GPU microcode sequences causes memory corruption. | Privilege escalation, system compromise. |
| CVE-2025-21480 | Android (Adreno GPU) | Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks. | Memory corruption, remote code execution. |
| CVE-2025-27038 | Android (Chrome/Adreno) | Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space. | Arbitrary code execution. |
Recommendations:
- Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers.
- Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available.
- Apply Security Updates: Users should ensure their Android devices receive the latest security updates.
- Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels.
Conclusion:
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.
Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide.
In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.
Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation.
References:
Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days
May 2025 Patch Tuesday by Microsoft
Continue Reading
Critical NGINX Ingress Vulnerabilities Expose Kubernetes Clusters to Compromise
Security Advisory
Summary:
The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.
| Maintainer | Kubernetes ingress community |
| Severity | Critical |
| CVSS Score | 9.8 |
| No. of Vulnerabilities Patched | 05 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Patch Available | Yes |
| Advisory Version | 1.0 |
Overview
Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.
The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication.
Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.
The issue was publicly disclosed on March 24, 2025, and security patches have been released.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Admission Controller Remote Code Execution (RCE) Vulnerability | CVE-2025-1974 | Ingress NGINX Admission Controller | Critical | 9.8 |
| Configuration Injection via Unsanitized auth-tls-match-cn annotation | CVE-2025-1097 | High | 8.8 | |
| Configuration Injection via Unsanitized Mirror Annotations | CVE-2025-1098 | High | 8.8 | |
| Unsanitized auth-URL Injection Vulnerability | CVE-2025-24514 | High | 8.8 | |
| Auth Secret File Path Traversal Vulnerability | CVE-2025-24513 | Medium | 4.8 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-1974 | Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions | The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster. | Full Kubernetes cluster compromise |
| CVE-2025-1097 | Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations. | Remote code execution | |
| CVE-2025-1098 | Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation. | Config injection, security bypass | |
| CVE-2025-24514 | Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior. | Remote code execution | |
| CVE-2025-24513 | A path traversal issue in handling auth secret files could let attackers access sensitive information. | Information disclosure |
Remediation:
- Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities.
- Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller.
General Recommendations:
- Set strict RBAC rules to control who can change ingress and webhook settings.
- Disable dynamic admission controllers if they aren’t needed.
- Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations.
- Conduct security reviews and scans for clusters that have not recently been updated.
- Regularly check ingredients for weak or unsafe configurations.
Conclusion:
The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.
The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments.
Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk.
References:
Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities
Summary
Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.
Key take away:
- Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
- Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
- This marks highest number of fixes in a single month since at least 2017.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-01-14 |
| No. of Vulnerabilities Patched | 159 |
| Actively Exploited | yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:
- 58 Remote Code Execution (RCE) Vulnerabilities
- 40 Elevation of Privilege (EoP) Vulnerabilities
- 22 Information Disclosure Vulnerabilities
- 20 Denial of Service (DoS) Vulnerabilities
- 14 Security Feature Bypass
- 5 Spoofing Vulnerabilities
The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Elevation of privilege vulnerability | CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows | High | 7.8 |
| Elevation of Privilege Vulnerability | CVE-2025-21275 | Windows | High | 7.8 |
| Remote Code Execution Vulnerability | CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Windows | High | 7.8 |
| Spoofing Vulnerability | CVE-2025-21308 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel | No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously. | Allow attackers to gain SYSTEM privileges |
| CVE-2025-21275 | Windows App Package Installer | Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges. | Attackers could gain SYSTEM privileges |
| CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Microsoft Access | Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents. | Remote Code Execution |
| CVE-2025-21308 | Windows Themes | Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft. | NTLM credential theft |
Source: Microsoft
Additional Critical Patches Address High-Severity Vulnerabilities
- Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).
- Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).
- Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).
Remediation:
- Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.
- Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.
- Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.
Conclusion:
The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.
References:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan
Recent Comments