Patch Tuesday

Quick rundown of this month’s biggest vulnerabilities and signs of exploit to keep an eye on as you patch. CVE-2025-59489 Arbitrary code execution in Unity runtimeImpacts Unity 2017.1+ across Windows, macOS, and Android. Attackers can execute arbitrary code before app defenses load — this includes apps built on Unity like kiosks, training tools, or VR software.Signs of exploit:Unity-based apps crashing or failing to launch unexpectedly Unknown .dll or .so files appearing in Unity directories Logs showing suspicious launch arguments (e.g., -xrsdk-pre-init-library)CVE-2024-53139 Windows Hello security feature bypass vulnerabilityAn attacker with local admin privileges can tamper with stored biometric data and impersonate another user if Enhanced Sign-in Security isn’t turned on.Signs of exploit:New or altered biometric enrollments with no authorized change Unexpected biometric sign-ins in authentication logs Systems using Windows Hello without Enhanced Sign-in Security enabledCVE-2024-53

Here are some of the more interesting Patch Tuesday vulns we found this month, and what to monitor for!Vulnerabilities in Windows UI XAML CVE-2025-54111 and CVE-2025-54913 (CVSS 7.8) Use-after-free in DatePickerFlyout & MapControlSettings → local priv-esc. Affects Microsoft Phone Link.What to monitor for: XAML-related crashes (Windows.UI.Xaml.dll, ShellExperienceHost.exe) and rapid UWP flyout abuse.Windows Hyper-V Elevation of Privilege Vulnerability  CVE-2025-54098 (CVSS 7.8/10) Improper access control → SYSTEM on Hyper-V hosts/workstations. Patch or disable Hyper-V if not needed.What to monitor: Service creation, token manipulation, new virtual switches, or new Hyper-V enablement.Windows NTFS Remote Code Execution VulnerabilityCVE-2025-54916 (CVSS 7.8/10) Stack overflow in NTFS request handling → potential RCE via crafted file ops/SMB.What to monitor for: NTFS-related crashes, SMB traffic spikes, unusual file activity or lateral movement after file ops.Listen to Automox’s Patch T

Without setting up an Advanced Policy, is there a way to exclude a patch from being auto pushed in a Patch Policy? It appears the April 2025 patch is causing all sorts of issues with all our older endpoints that aren’t on Win 11 24H2 and want to remove that from trying to update on systems until we can test May’s patches or upgrade them all to 24H2 before the April/May Patch gets applied. 

March already and our third Patch Tuesday of the year with 57 new vulnerabilities!We think you should pay special attention to: Chromium Vulnerabilities March’s release includes several vulnerabilities in Chromium-based browsers like Microsoft Edge. These issues, including use-after-free vulnerabilities in browser profiles, allow attackers to bypass browser sandboxing, exfiltrate data, or spoof identities. Microsoft Management Console Remote Code Execution Vulnerability CVE 2024-26633 is an RCE vulnerability in the MMC. An attacker can exploit this weakness by tricking a user into opening a malicious MMC file, typically distributed through phishing emails or compromised USB drives. Windows NTFS Remote Code Execution Vulnerability CVE 2024-24993 targets an information disclosure vulnerability within Windows NTFS. An attacker can potentially exploit this issue by prompting users to mount a specially crafted VHD.You can read a more in depth analysis here or listen to our Patch Tuesday pod

89 vulnerabilities released, and 1 Zero-Day for this Patch Tuesday! You can tune into our Patch Tuesday podcast or read our analysis here. We recommend you pay special attention to: NTLM Hash Disclosure Spoofing Vulnerability This vulnerability is confirmed and exploitation has been detected. The only current remediation is an official fix. Prioritize patching this vulnerability to prevent unauthorized access. Microsoft Defender for Endpoint Remote Code Execution Vulnerability An attacker could exploit this by sending a malicious link via email or instant messaging. Once clicked, the attack unfolds without requiring further interaction from you. In addition to immediate patching, it is recommended to enhance your email filters and educate users about the dangers of unsolicited links. Windows Task Scheduler Elevation of Privilege Vulnerability To mitigate this vulnerability, patching is your most effective strategy. Microsoft has acknowledged the existence of functional exploit code for

Patching related, but not Automox specific.Still testing Windows 11 in our environment before starting to upgrade Windows 10 endpoints and we are running out of time. The only issue we have been having is Windows 11 machines don’t seem to want to play nice with WSUS. At best I can get maybe one monthly CU to apply via WSUS, but then, never again. Any other type of update will apply, just never the monthly CU. I even replaced the WSUS server...same problem.These same machines will patch with Ivanti SC and Automox, just not WSUS. I’ve tried everything I can think of...anyone having the same issue? Anyone have a potential solution?

We are running into issues within our environment with inconsistencies in Automox detecting patches for Windows Server 2022.  We use WSUS and have not had issues approving the updates through WSUS and having servers recognize updates on the servers themselves, but within Automox there is no evidence of any patches available to install. We have had issues with it showing patches available when the Groups are pointed to WSUS as well as directly out to Windows Update. Curious if anyone else has had issues with Server 2022 Patches through Automox. 

I’ve noticed some hosts, especially most of our Windows 11 Enterprise endpoints, will run into an error when trying to apply the monthly Microsoft Cumulative update. The error is a bit unusual, and I haven’t been able to find much on it while researching. The error doesn’t seem to be tied to any Windows Update service/connectivity issues. What is also weirder, is that these Windows 11 hosts report successfully installing this update the first night they try to update, but then the days after get this error. I’ve seen this error on some Windows 10 hosts, but mainly on Windows 11. It seems to point to the update not being compatible with something on the operating system in some weird way. Anyone else seen this before? InstallMSUpdates : Download failed with ResultCode 4 and HResult -2145124318At C:\Program Files (x86)\Automox\execDir135760191\execcmd584584594.ps1:1826 char:21At C:\Program Files (x86)\Automox\execDir135760191\execcmd584584594.ps1:1826 char:21+                     Install

This month's Patch Tuesday brings 61 vulnerabilities with 1 critical! (89 less CVE’s than last month!)Two particularly alarming CVEs to watch out for: CVE 2024-30033 Windows Search Service Elevation of Privilege Vulnerability [Important] Allows attackers to gain elevated privileges due to a flaw in Windows Search Service. This flaw exists due to improper handling of permissions by the service, which could be exploited to perform unauthorized actions on the system. CVE 2024-30018 Windows Kernel Elevation of Privilege Vulnerability [Important] This issue arises from specific flaws in how the kernel operates, which can be exploited to gain higher levels of access than originally allowed And make sure you've patched the Chrome use-after-free Zero-Day (CVE 2024-4671) that was released on Friday! Listen to the Automox Patch Tuesday podcast or read the blog for more on Patch Tuesday.

We use Tenable.io for vulnerability scanning and it has flagged a number of Windows endpoints that have old versions of Teams installed. I was puzzled by this as Automox patches Teams, and it turns out that because we’re using the machine wide installer, the Teams application is being installed into the user’s Appdata directory. This will only get updated if the user logs in but we don’t regularly log in with some accounts.I’ve read suggested fixes including:Create a GPO that deletes old accounts from the machines. This is problematic for us IT admins. Remove the machine wide installer so that Teams is not automatically installed when a user first logs in.Has anyone found a way to resolve this using Automox? I’d be interested to learn how others have resolved this. TIA

This month's release comes with a notable increase in the number of Common Vulnerabilities and Exposures (CVEs) addressed, marking it as one of the most significant Patch Tuesdays in the past year and a half. Be sure to give the Patch [Fix] Tuesday podcast a listen! Also available on your favorite podcast platform! If you have any thoughts or experiences to share, drop them here for our hosts to see! 

Are there any plans to support ARM ubuntu builds? We’d like to start using them on AWS, but lack of Automox support is the only thing stopping us.

Listen to our podcast on this month's release with mitigation tips and custom automations for remediation. Or read here! Releases we think you should pay extra attention to: CVE-2024-21401: Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability [Important] This elevation of privilege vulnerability could allow an unauthenticated attacker to manipulate the plugin's configuration, leading to unauthorized access. CVE-2024-21351: Windows SmartScreen Security Feature Bypass Vulnerability [Moderate] It's been revealed that an attacker could potentially bypass this check to execute untrusted files without prompting the user — a clear-cut reminder of the vital role SmartScreen and similar protective measures play in maintaining system integrity.

What’s everyone doing in regards to the issue with KB5034441? Not feasible in a large environment to change the recovery partition size, and Microsoft is reportedly working on a fix, but no timeline. We have 599 impacted assets with only 70 updated. Majority of those are attempting to patch and users getting Automox restart prompts daily.I’m going to ignore for now, but was curious what others were doing to deal with this.

This month we're looking at 49 vulnerabilities with 2 critical!We believe you should pay special attention to: CVE-2024-20674 - Windows Kerberos Security Feature Bypass Vulnerability [Critical] CVE-2024-20666 - BitLocker Security Feature Bypass Vulnerability [Important] Listen to our Patch Tuesday podcast or read through our analysis of the two vulnerabilities above.Here’s a sneak peek at the latest podcast episode!

Hi Team,In our environment, we have requirement to install patch for Linux server and PCs. Do we have Linux Update categorization like security, critical? If so, what is the recommendation to patch? Can you pls let me know if we can patch the 3rd party S/w updates for Linux OS? If yes, can you please provide the list of S/w that we can install on it? Also, let us know which policy is best to use in this scenario?Can we use single policy for installing patch for both regular and 3rd Party updates? Thanks,Shoaib

Hi,We are managing Windows OS, macOS & Linux OS so, can we use a single policy to install updates for all 3 OS?What is the best practice to use either single policy and assigning Win OS, macOS & Linux OS groups or separate policy for Win OS, macOS & Linux OS is required? Also, which policy is the best to install updates for windows, macOS & Linux OS?Thanks,Shoaib 

Hi Team,We have a request to install only patches that are related to Security, Critical and Defender Updates and we have to exclude Updates like Feature Updates, Upgrades, Tools Updates for Windows OS.Can you please recommend which Policy and how the settings should be configured if we need to exclude Feature Updates, Upgrades, Tools Updates and patch only Security Update, critical and Defender Updates for Windows OS?Also, let me know if we have certain KB that are specifically used to install excluded Updates?Thanks,Shoaib

Hi Team,In our environment, we have requirement to install only Security, Critical Updates & 3rd party Updates for macOS. Can you please let us know how we can make sure we are specifically installing only Security, Critical and 3rd party S/W updates? Do we require separate policy for installing 3rd party updates or by using single Policy we can install all 3 categories. Below is the list of updates that we want to exclude from patching:Feature Packs Tools Update Rollups UpgradesAlso, let us know which policy is best to use in this scenario.Thanks,Shoaib

What we found interesting:1. CVE-2023-35618 - Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityThis vulnerability is a security flaw that can potentially allow an attacker to escape the browser's sandbox. The sandbox is a security mechanism that isolates running programs, limiting their access to system resources and preventing them from causing damage.2. CVE-2023-35628 - Windows MSHTML Platform Remote Code Execution VulnerabilityOne of the major threats with this vulnerability is the fact that it doesn't require any user interaction to be exploited. 3. macOS Sonoma 14.1.2 - Memory Corruption VulnerabilityThe macOS Sonoma 14.1.2 update addressed a significant memory corruption vulnerability within WebKit, which was reported to have been exploited against older versions of iOS. The Automox team talks through this Patch Tuesday in our podcast. Or if you haven't hopped on the podcast train yet, read more in our blog post. 

Hi Team,In our environment, we have requirement to install only Security, Critical Updates & 3rd party Updates for Windows. Can you please let us know how we can make sure we are specifically installing only Security, Critical and 3rd party S/W updates? Below is the below list of updates that we want to exclude from patching:Feature Packs Tools Update Rollups UpgradesAlso, let us know which policy is best to use in this scenario.Thanks,Shoaib

Hi Team,Does Automox supports 3rd party S/w updates for Linux? if yes, can you please provide list of Supported 3rd party Software for Linux OS? I have found an article where it means any third-party package that is part of Device Package manager is supported not others? if so, can you please elaborate in detail?  

Boom! And just like that, November's Patch Tuesday has rolled around again. While this Patch Tuesday is less of a heavy hitter than last month's, we still have one Zero-Day and 75 vulnerabilities.Be sure to check out our first-ever Patch [FIX] Tuesday podcast (available here, or wherever you get your podcasts) for mitigation tips from Jason Kikta and Tom Bowyer!  

Hi Team,We have two patching group for PC name Pilot PC and Prod. Just wanted to know what the best practice is install the updated-on Pilot and Prod PC’s?Need to know how frequently we are patching Pilot and Prod group with Data and time.Thanks,Shoaib 

Hi Team,Wanted to know why port 80 has been used for *.digicert.com and *.digicertcdn. Also, why do we need to open inbound port for *.digicert.com?Thanks,Shoaib