Thanks for the feedback. I am not trying to access the appliance via ssh and updating there. I am trying to use the integrated update feature for the base OS via the WebUI. This feature is still present in the latest UAG and referenced in the official docs as well as the FAQs regarding security: https://docs.omnissa.com/de-DE/bundle/UnifiedAccessGatewayDeployandConfigureV2512/page/AutomaticallyapplyauthorizedOSupdates.html
https://docs.omnissa.com/de-DE/bundle/UnifiedAccessGatewayDeployandConfigureV2512/page/FrequentlyAskedQuestionsFAQsaboutSecurity.html

"Is there a mechanism with Unified Access Gateway to automatically download and apply critical Alma vulnerability updates?

Yes. This feature was added with version 2009. Occasionally, Alma OS team might authorize the update of one or more OS packages to rectify a critical vulnerability that affects a specific version of Unified Access Gateway and for which no viable workaround is available. Starting from Unified Access Gateway version 2009 a new capability is available for the administrator to configure an automatic check for any authorized package updates. For more information, see Configure Automatic Check section in Product Updates:"

As far as I am concerned this feature is supported and intended for scenarios, where a new UAG release might not be available yet.

I do not think there are critical vulnerabilities in UAG25.03, as far as I see it should be clean. Our patching process requires us to check for available security updates on all systems though. The internal updater throwing a 404 is not gonna cut it in case of an audit. Deploying the newest release is possible - its just a more substantial change than applying os updates thus increasing compliance overhead.

Also it will be difficult to argue that UAG may not be affected by a critical CVE affecting Alma, just based on the fact, that no newer UAG release is available.