#emergency-patch

#emergency-patch

Tech Live Connect processed fraudulent charges using real customer data, including names and addresses, to make the charges appear legitimate and maintain a low chargeback ratio.

"The phone's very cracked, so, at this point, the photos contained in it are more valuable than the ability to use the phone itself. They're the main data that I care about and haven't backed up."

[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server.

But are things getting worse? According to Register readers, and the company's own release health dashboard, the answer has to be yes. It isn't just you. The frequency of emergency out-of-band releases for the company's operating systems has been rapidly increasing to the point where, for every Patch Tuesday update, there'll likely be at least one out-of-band patch to fix whatever got broken.

"These incidents involve the intentional use of deceptive or illegal practices to fraudulently obtain money, assets, or information from individuals or institutions, and include actions carried out over cyber channels."

This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).

Uncle Sam's cyber defenders have given federal agencies just three days to patch a maximum-severity Dell bug that's been under active exploitation since at least mid-2024. CISA this week added the flaw, tracked as CVE-2026-22769, to its Known Exploited Vulnerabilities catalog, ordering civilian agencies to secure affected systems by February 21 - giving them just three days to get fixes in place.

Microsoft has released emergency out-of-band security updates to fix an actively exploited zero-day vulnerability in Microsoft Office. The flaw allows threat actors to bypass built-in Office security protections after tricking users into opening malicious files, typically delivered through phishing or social engineering. The vulnerability "... in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," Microsoft said in its advisory.

First in line is CVE-2025-40551 (CVSS score of 9.8), a critical flaw described as an untrusted data deserialization issue that could lead to remote code execution (RCE) without authentication. According to Horizon3.ai, which discovered and reported the defect, CVE-2025-40551 exists in AjaxProxy functionality, where requests destined for other functions are improperly sanitized, and a blocklist function can be bypassed by including allowed terms early in a JSON payload.

Ivanti on Tuesday announced patches for over a dozen vulnerabilities in Endpoint Manager (EPM), including issues that were first disclosed in October 2025. In a new advisory, the company warns of a high-severity bug and a medium-severity flaw resolved in EPM, both of which could be exploited remotely. Tracked as CVE-2026-1603, the high-severity weakness is described as an authentication bypass leading to the exposure of credential data.