InfoSecBulletin Cybersecurity for mankind
Microsoft released its October 2023 Patch Tuesday updates, fixing a total of 103 software flaws. Two of these flaws were actively exploited in the wild.
Out of the 103 flaws, 13 are classified as Critical and 90 as Important. This is in addition to the 18 security vulnerabilities that were fixed in the Chromium-based Edge browser since the second Tuesday of September.
CVE-2025-2492
ASUS warns of critical auth bypass flaw in routers
16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE
CISA warns of increasing risk tied to Oracle legacy Cloud leak
CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App
Apple released emergency security updates for 2 zero-day vulns
Oracle Released Patched for 378 flaws for April 2025
CVE-2025-24054
Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild
Bengaluru firm got ransomware attack, Hacker demanded $70,000
MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today
ALSO READ:
Microsoft 365 admins warned about new Google anti-spam rules
The two vulnerabilities that been weaponized as zero-days are as follows –
CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks
An attacker would need to log into the system and then run a specific application to exploit this vulnerability and take control of an affected system, according to Microsoft’s advisory for CVE-2023-36563. “Additionally, an attacker could trick a local user into opening a harmful file.”
Also, there are numerous vulnerabilities in Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that may result in remote code execution and denial-of-service (DoS).
A security update fixes a serious bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8). This bug could enable an attacker to pretend to be another user and log in using a brute-force attack.
The tech giant released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack. It has been exploited by unknown actors as a zero-day for DDoS attacks.
The DDoS attack may affect the availability of the service, but it does not result in customer data compromise. So far, there is no evidence of customer data being compromised.
Microsoft announced that VBScript (Visual Basic Script), which is commonly used for malware distribution, is being deprecated. In future Windows releases, VBScript will be available as a feature on demand before being completely removed from the operating system.
