This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).
An attacker could exploit the flaw via crafted UPnP SOAP requests to execute OS commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled.
In a post on X, Realme India's official account confirmed that the Realme 16 Pro and 16 Pro+ will now receive four years of Android OS updates and six years of security patches. At launch, the company had promised three years of Android updates and four years of security support.
This week's Java roundup for October 20th, 2025, features news highlighting: Oracle's Critical Patch Update (CPU) for October 2025; BellSoft CPU patches for Liberica JDK; the GA release of Grails 7.0; point releases for Micronaut, Hazelcast, LangChain4j and OpenXava; and the November 2025 beta release of Open Liberty.
October 2, 2025, marks the end of general support for VMware's version 7. After that, Broadcom won't release any new security patches or fixes, and you won't be able to log vendor support tickets for these versions. You'll still have access to previously published updates under the self-service policy (although this could change in time), but there won't be anything new coming.