Jason Lazerus


“Beware the quiet man. For while others speak, he watches. And while others act, he plans. And when they finally rest… he strikes.” - Anonymous


Weekly Security Recap — 2025-10-26

title: Weekly Security Recap — 2025-10-26
date: 2025-10-26
categories: [security, recap]
tags: [security, weekly, recap]
summary: This week highlights significant vulnerabilities addressed in Microsoft's extensive patch update, along with notable incidents from the Pwn2Own competition.

Overview

This week in cybersecurity saw a significant focus on vulnerabilities as Microsoft rolled out a substantial patch update addressing multiple critical issues. Additionally, the Pwn2Own Ireland competition showcased the ongoing threat of zero-day exploits, with researchers earning substantial rewards for their findings.

Major incidents

Microsoft October Patch Update

Microsoft’s October Patch Tuesday released updates for over 80 vulnerabilities, including actively exploited zero-days and critical privilege escalation flaws. This update marks the end of Windows 10 updates.

Windows Server WSUS Vulnerability

An emergency out-of-band update was issued for a critical vulnerability in Windows Server Update Services (WSUS) for which a public proof-of-concept exploit was available. This vulnerability poses a significant risk to systems using WSUS for updates.

Pwn2Own Ireland 2025

The Pwn2Own Ireland event concluded with hackers exploiting 73 zero-day vulnerabilities, collectively earning $1,024,750 in rewards. This event underscores the persistent risk posed by zero-day vulnerabilities in various software.

Critical Vulnerabilities in Vaerys-Dawn DiscordSailv2

Two critical vulnerabilities (CVE-2018-25092 and CVE-2018-25093) were identified in Vaerys-Dawn DiscordSailv2 versions up to 2.10.2, affecting access control mechanisms. Users are advised to upgrade to version 2.10.3 to mitigate these risks.

Vulnerability in Magnesium-PHP

CVE-2017-20187 was discovered in Magnesium-PHP up to version 0.3.0, allowing for potential email injection attacks. Users should upgrade to version 0.3.1 to resolve this issue.

Defensive highlights

Microsoft Security Updates

Microsoft’s October Patch Tuesday included critical updates addressing multiple vulnerabilities, including zero-days. Administrators should prioritize these updates to secure their environments.

ColdBox Elixir Vulnerability Fix

A vulnerability (CVE-2021-4430) affecting Ortus Solutions ColdBox Elixir 3.1.6 has been patched in version 3.1.7, addressing information disclosure risks. Users are encouraged to update promptly.