security flaws Archives

Winsage

January 11, 2026

Windows 10 Users Are Being Targeted With New Upgrade Offer

A surge of attacks targeting Windows 10 machines highlights the need for users to upgrade to Windows 11 Pro, which is currently available at a discount of approximately 94% off its standard price. Windows 10 is becoming increasingly vulnerable as it approaches its end of support, leaving users exposed to cyber threats. The U.S. Cybersecurity and Infrastructure Security Agency warns that unsupported systems are often exploited by cybercriminals. Windows 10 remains widely used, making it a significant target for attackers, as evidenced by over billion in reported cybercrime losses in 2023. Windows 11 Pro offers enhanced security features, including BitLocker drive encryption, Credential Guard, and Smart App Control, along with a security-first design that requires compatible hardware. Current promotions allow users to purchase a Windows 11 Pro license for under 0, providing a one-time purchase option that includes updates until Microsoft ends support for Windows 11. Users are advised to check compatibility before upgrading and to back up important files. For those unable to upgrade, alternatives include purchasing Extended Security Updates or investing in new hardware that meets Windows 11 specifications.

Tech Optimizer

December 11, 2025

Hackers Are Targeting Windows 10 Users. Make Sure to Do This One Thing to Stay Safe

Microsoft has set the end of support for Windows 10 to October 14, 2025, after which users will not receive security updates or technical assistance. Windows 10 machines will continue to function, but users will face risks due to unaddressed security vulnerabilities. Microsoft has introduced the Extended Security Updates (ESU) program, extending support for eligible consumer editions until October 13, 2026, with specific enrollment criteria. Windows 11 installations surpassed Windows 10 in June 2025, with Windows 11 holding a 53.7% market share compared to Windows 10's 42.7%. Users can continue using Windows 10 by employing third-party security solutions, including antivirus programs and VPNs, to mitigate risks in the absence of Microsoft’s support.

Winsage

December 11, 2025

Microsoft’s Latest ‘Patch Tuesday’ Update Fixes These Three Zero-Days

Microsoft's December Patch Tuesday update addresses three critical zero-day vulnerabilities and a total of 56 bugs, including: - 28 elevation-of-privilege vulnerabilities - 19 remote-code-execution vulnerabilities - 4 information-disclosure vulnerabilities - 3 denial-of-service vulnerabilities - 2 spoofing vulnerabilities Three remote code execution flaws are classified as "critical." One zero-day vulnerability, CVE-2025-62221, allows attackers to gain SYSTEM privileges through the Windows Cloud Files Mini Filter Driver. The other two vulnerabilities fixed are: - CVE-2025-64671: A remote code execution vulnerability in GitHub Copilot for Jetbrains, exploitable via Cross Prompt Injection. - CVE-2025-54100: A PowerShell remote code execution vulnerability that can execute scripts from a webpage using Invoke-WebRequest. CVE-2025-62221 is attributed to MSTIC and MSRC, CVE-2025-64671 was disclosed by Ari Marzuk, and CVE-2025-54100 was identified by multiple security researchers.

Tech Optimizer

November 20, 2025

Fortinet admits it found another worrying zero-day being exploited in attacks

Fortinet has released a critical patch for a high-severity vulnerability, CVE-2025-58034, in its FortiWeb web application firewall (WAF), which is actively being exploited with around 2,000 recorded attack attempts. The vulnerable FortiWeb versions include 7.0.0 to 7.0.11, 7.2.0 to 7.2.11, 7.4.0 to 7.4.10, 7.6.0 to 7.6.5, and 8.0.0 to 8.0.1. This vulnerability enables OS command injection attacks, posing significant risks to organizations. FortiWeb is designed to filter malicious traffic for websites and APIs. Historical exploitation of similar vulnerabilities has been linked to cyber-espionage and ransomware incidents, including an attack by the Chinese state-sponsored group Volt Typhoon against a Dutch Ministry of Defence network in February 2025.

Winsage

November 12, 2025

Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack

On November 12, 2025, Microsoft released patches for 63 vulnerabilities, including four classified as Critical and 59 as Important. Notably, CVE-2025-62215, a privilege escalation flaw in the Windows Kernel with a CVSS score of 7.0, is actively exploited. This vulnerability allows an authorized attacker to elevate privileges locally through a race condition. Additionally, Microsoft patched two heap-based buffer overflow vulnerabilities (CVE-2025-60724 and CVE-2025-62220) with CVSS scores of 9.8 and 8.8, respectively, which could lead to remote code execution. Another significant vulnerability is CVE-2025-60704, a privilege escalation flaw in Windows Kerberos with a CVSS score of 7.5, enabling attackers to impersonate users and control a domain. Other vendors, including Adobe, Amazon Web Services, and Apple, also released security updates addressing various vulnerabilities.

Tech Optimizer

November 4, 2025

3,000+ YouTube videos deliver malware disguised as free software

YouTube has been identified as a platform for a sophisticated malware distribution network known as the Ghost Network, which has been active since 2021 and surged in activity in 2025. This network uses over 3,000 videos disguised as software cracks and game hacks to spread information-stealing malware, targeting users searching for free software or cheat tools. Cybercriminals utilize compromised accounts and social engineering tactics to create a false sense of security, with videos featuring positive comments from fake accounts. The malware includes programs like Lumma Stealer, Rhadamanthys, StealC, and RedLine, which harvest sensitive information. Two significant campaigns were highlighted: one involved the Rhadamanthys infostealer through a channel with nearly 10,000 subscribers, and the other offered cracked software via a channel with around 129,000 subscribers, with one video gaining over 291,000 views. Users are advised to avoid cracked software, use strong antivirus protection, never disable antivirus software, be cautious with links, use password managers and two-factor authentication, keep systems updated, and utilize trusted data removal services to protect against these threats.

Winsage

November 3, 2025

Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching

An out-of-band security update, KB5070881, has disrupted the hotpatching feature for some Windows Server 2025 devices. This update was released alongside reports of the CVE-2025-59287 remote code execution vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has instructed U.S. government agencies to strengthen their systems against this vulnerability. Microsoft has acknowledged that the OOB update caused some Hotpatch-enrolled Windows Server 2025 systems to lose their enrollment status and has ceased distributing the update to these devices. Those who installed the update will not receive Hotpatch updates in November and December but will get standard monthly security updates. Administrators can install the KB5070893 security update to address the CVE-2025-59287 flaw without disrupting hotpatching. Microsoft has also disabled the display of synchronization error details in its WSUS error reporting system and resolved various issues affecting Windows 11.

Tech Optimizer

November 1, 2025

Bitdefender Antivirus Protection & Internet Security Pricing 2025

Bitdefender offers a 30-day trial for users to evaluate its antivirus software before purchasing. The company has ten personal plans and four business packages, with five core plans being most relevant for users. Subscriptions are available annually or biennially and can cover up to 20 devices. The plans include: 1. Ultimate Security Plus Extended (5 to 25 devices) 2. Ultimate Security Plus Standard (5 to 25 devices) 3. Ultimate Security (5 to 25 devices) 4. Premium Security (5 to 25 devices) 5. Total Security (5 to 25 devices) 6. Antivirus for Mac (1 to 3 devices) 7. Antivirus Plus (1 to 3 devices) Pricing for the plans typically ranges from .99 to .99 annually. For small businesses, the Ultimate Small Business Security plan supports 2 devices per member and is available in bundles for three, six, ten, or 25 members, priced from .99 to .99 annually. Bitdefender also provides a product called Bitdefender BOX for IoT device protection, with an initial cost of .99 for one year. The company was founded in 2001, has over 1,800 employees, and serves clients in more than 150 countries. It offers a 30-day money-back guarantee for subscriptions. Bitdefender has been recognized for its comprehensive virus detection and competitive pricing.

Winsage

October 28, 2025

CISA orders feds to patch actively exploited Windows Server WSUS flaw

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated U.S. government agencies to address a critical vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287, which allows for remote code execution (RCE) on affected servers. Microsoft has released out-of-band security updates for this vulnerability, and IT administrators are urged to implement these updates immediately. For those unable to do so, CISA recommends disabling the WSUS Server role on vulnerable systems. Active exploitation attempts targeting WSUS instances have been detected, and CISA has also added a second vulnerability affecting Adobe Commerce to its Known Exploited Vulnerabilities catalog. U.S. Federal Civilian Executive Branch agencies are required to patch their systems by November 14th, 2023, under the Binding Operational Directive 22-01. CISA emphasizes the need for organizations to address these vulnerabilities to mitigate risks of unauthorized remote code execution.

AppWizard

October 25, 2025

OWASP Mobile Top 10 for Android – How AutoSecT Detects Each Risk?

Mobile applications account for 70% of global interactions, with over 6.8 billion smartphone users. In 2023, 40% of data breaches are linked to vulnerabilities in mobile applications. The OWASP Mobile Top 10 outlines critical security risks for mobile apps, including: 1. Improper Credential Usage: Mishandling of passwords and session tokens. 2. Inadequate Supply Chain Security: Risks from unverified third-party components. 3. Insecure Authentication/Authorization: Failures in verifying user identities. 4. Insufficient Input/Output Validation: Lack of checks on incoming and outgoing data. 5. Insecure Communication: Unprotected data during transmission. 6. Inadequate Privacy Controls: Poor safeguards for personal data. 7. Insufficient Binary Protections: Lack of defenses against reverse engineering. 8. Security Misconfiguration: Improperly secured application settings. 9. Insecure Data Storage: Weak protection of sensitive information on devices. 10. Insufficient Cryptography: Use of weak or improperly implemented encryption. AutoSecT, an AI-driven mobile app security testing platform, detects these risks through various methods, including static code analysis, software composition analysis, and dynamic testing. It helps developers identify and mitigate vulnerabilities effectively.