The issue sits in the management interface's HTTP handling and can be triggered without logging in. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco explains in its advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device." Given how often those interfaces are reachable over internal networks or VPNs, it's not hard to see why attackers have noticed.
Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover. FearsOff security researchers reported the bug in October through Cloudflare's bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers.
The update includes the November 2025 security patch level. The changelog mentions faster app launches from the Home screen, customizable widget names, the ability to resize the clock in Flux themes, the ability to drag widgets onto other widgets to stack them, automatic straightening when cropping and rotating portrait and architectural images in Photos, the option to set videos as ringtones, improved virus scanning speed,
The vulnerability has been identified in ASP.NET Core versions 10.0, 9.0, 8.0, and the Kestrel package for 2.x. An attacker who is already authorized can bypass a security feature by exploiting inconsistent parsing of HTTP requests and responses. Microsoft states there are no known mitigating factors for the HTTP request/response smuggling scenario and strongly recommends patching to the listed fixed versions to prevent the security bypass.
Xiaomi recently rolled out the Android 16-based HyperOS 3 stable update for the Xiaomi 15T and 15T Pro's global units, and now it's the non-T model that's getting upgraded to HyperOS 3. The HyperOS 3 stable update for the global Xiaomi 15 is currently rolling out in some European countries for Mi Pilot members, but the rollout should expand to more regions soon.
SAP issued a patch for the 9.9-rated flaw in August. It is tracked as CVE-2025-42957, and it affects both private cloud and on-premises versions. According to SecurityBridge Threat Research Labs, which originally spotted and disclosed the vulnerability to SAP, the team "verified actual abuse of this vulnerability." It doesn't appear to be widespread (yet), but the consequences of this flaw are especially severe.