Patch Tuesday Roundup: 60+ Vendors Release Critical Security Updates

Security Reporter

Major software vendors including Microsoft, Adobe, SAP, Intel, and Google have released security patches addressing dozens of vulnerabilities, with several actively exploited zero-days and critical flaws requiring immediate attention.

Over 60 software vendors have released security fixes across operating systems, cloud platforms, and network infrastructure as part of this month's Patch Tuesday updates, addressing critical vulnerabilities that could enable remote code execution, privilege escalation, and database compromise.

Microsoft's 59-Fix Bundle Includes 6 Zero-Days

Microsoft issued fixes for 59 flaws in its latest security update, including six actively exploited zero-days affecting various Windows components. These vulnerabilities could be abused to bypass security features, escalate privileges, and trigger denial-of-service conditions.

While Microsoft hasn't disclosed specific details about the zero-day exploits, the inclusion of actively exploited flaws underscores the ongoing threat facing Windows users and enterprises.

Adobe Patches Creative Suite Products

Adobe released updates for multiple creative applications including Audition, After Effects, InDesign Desktop, Substance 3D, Bridge, Lightroom Classic, and DNG SDK. The company stated it's not aware of any in-the-wild exploitation of these vulnerabilities, though users are still advised to apply patches promptly.

SAP Critical Vulnerabilities Demand Immediate Action

SAP shipped fixes for two critical-severity vulnerabilities that pose significant risks to enterprise systems:

  • CVE-2026-0488 (CVSS 9.9): A code injection bug in SAP CRM and SAP S/4HANA that could allow authenticated attackers to execute arbitrary SQL statements, potentially leading to complete database compromise.
  • CVE-2026-0509 (CVSS 9.6): A missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform that could permit low-privileged users to perform background Remote Function Calls without the required S_RFC authorization.

Onapsis, a security firm specializing in enterprise applications, noted that patching CVE-2026-0509 requires implementing a kernel update and setting a profile parameter. They also warned that adjustments to user roles and UCON settings might be necessary to avoid disrupting business processes.

Intel TDX Security Analysis Reveals Multiple Flaws

Intel and Google revealed they collaborated to examine the security of Intel Trust Domain Extensions (TDX) 1.5, uncovering five vulnerabilities in the module:

  • CVE-2025-32007
  • CVE-2025-27940
  • CVE-2025-30513
  • CVE-2025-27572
  • CVE-2025-32467

Additionally, the security review identified nearly three dozen weaknesses, bugs, and improvement suggestions. Google explained that "Intel TDX 1.5 introduces new features and functionality that bring confidential computing significantly closer to feature parity with traditional virtualization solutions," but noted that "these features have increased the complexity of a highly privileged software component in the TCB [Trusted Computing Base]."

Comprehensive Vendor Patch List

The following vendors have also released security updates in recent weeks:

Enterprise Software & Cloud:

  • ABB
  • Amazon Web Services
  • SAP
  • VMware (Broadcom)
  • Cisco
  • Citrix
  • Commvault
  • ConnectWise
  • Dassault Systèmes
  • Dell
  • F5
  • Fortinet
  • Hikvision
  • HP Enterprise (including Aruba Networking and Juniper Networks)
  • IBM
  • Ivanti
  • Lenovo
  • MediaTek
  • MongoDB
  • NVIDIA
  • Phoenix Contact
  • QNAP
  • Qualcomm
  • Rockwell Automation
  • Samsung
  • Schneider Electric
  • ServiceNow
  • Siemens
  • SolarWinds
  • Splunk
  • Supermicro
  • Synology
  • TP-Link
  • WatchGuard
  • Zoho ManageEngine
  • Zoom
  • Zyxel

Operating Systems & Distributions:

  • AlmaLinux
  • Alpine Linux
  • Amazon Linux
  • Arch Linux
  • Debian
  • Gentoo
  • Oracle Linux
  • Mageia
  • Red Hat
  • Rocky Linux
  • SUSE
  • Ubuntu

Development Tools & Platforms:

  • Drupal
  • GitLab
  • Grafana
  • n8n
  • Spring Framework

Hardware Manufacturers:

  • AMD
  • Apple
  • ASUS
  • AutomationDirect
  • AVEVA
  • Canon
  • Check Point
  • D-Link
  • dormakaba
  • FUJIFILM
  • Fujitsu
  • Gigabyte
  • Hitachi Energy
  • Intel
  • Mitsubishi Electric
  • Moxa
  • Mozilla Firefox and Thunderbird
  • Ricoh
  • TP-Link

Urgent Action Required

Security professionals recommend prioritizing patches for:

  1. Microsoft Windows - Due to the six actively exploited zero-days
  2. SAP Systems - Critical vulnerabilities with CVSS scores of 9.9 and 9.6
  3. Intel TDX - Five identified vulnerabilities in confidential computing infrastructure
  4. Any Internet-facing applications - Especially those from Cisco, Fortinet, and other networking vendors

Organizations should follow a structured patch management process: test updates in non-production environments before deployment, and maintain regular backups to mitigate potential issues from patch deployment.

The scale of this month's updates reflects the ongoing arms race between software vendors and threat actors, with critical infrastructure and enterprise systems remaining prime targets for exploitation.
