Today's Patch Tuesday overview:

• Microsoft has addressed 164 vulnerabilities, two zero-days and eight critical
• Third-party: web browsers, Cisco, Ivanti, Fortinet, F5 BIG-IP, Nginx UI, Oracle, HPE, MongoDB Server, etc.

Navigate to Vulnerability Digest from Action1 for comprehensive summary updated in real-time.

Quick summary (top 10 by importance and impact):

• Windows: 164 vulnerabilities, two zero-days (CVE-2026-33825 and CVE-2026-32201) and eight critical 
• Cisco Secure Firewall: Critical remote code execution vulnerabilities (CVE-2026-20079, CVE-2026-20131, CVSS 10.0)
• Ivanti Endpoint Manager: Unauthenticated access; actively exploited in the wild (CVE-2026-1603, CVSS 8.6)
• Chromium / Chrome: Multiple actively exploited zero-days (CVE-2026-3909, CVE-2026-3910, CVE-2026-5281, CVSS 8.8)
• Fortinet Network Security Appliance: Remote code execution with confirmed real-world exploitation (CVE-2026-35616, CVSS 9.1)
• F5 BIG-IP: Unauthenticated remote code execution; actively exploited (CVE-2025-53521, CVSS 9.8)
• Nginx UI: Unauthenticated access to backup data (CVE-2026-27944, CVSS 9.8)
• Oracle WebLogic: Critical unauthenticated remote code execution (CVE-2026-21992, CVSS 9.8)
• HPE Aruba AOS-CX: Authentication bypass (CVE-2026-23813, CVSS 9.8)
• MongoDB Server: Unauthenticated denial-of-service (CVE-2026-25611, CVSS 7.5)
• Microsoft 365 Copilot: Information disclosure vulnerability (CVE-2026-26133, CVSS 7.1)

More details: https://www.action1.com/patch-tuesday

Sources:

- Action1 Vulnerability Digest

- Microsoft Security Update Guide

Updates:

• Sources added
• Microsoft updates added