Overview
Trend Micro has released security updates to address multiple high-impact vulnerabilities in Trend Micro Apex Central (on-premise) for Windows. Apex Central is a web-based management console used by organisations to centrally administer Trend Micro security products across enterprise environments. Successful exploitation could allow an unauthenticated attacker to execute code with SYSTEM privileges or to cause a denial-of-service condition, potentially disrupting security operations and endpoint management.
- CVE-2025-69258: LoadLibraryEX Remote Code Execution Vulnerability (CVSSv3 9.8). Affected versions < 7190.
- CVE-2025-69259: Message Unchecked NULL Return Value Denial of Service Vulnerability (CVSSv3 7.5). Affected versions < 7190.
- CVE-2025-69260: Message Out-of-bounds Read Denial of Service Vulnerability (CVSSv3 7.5). Affected versions < 7190.
Red Hat has published an advisory for a critical host header validation vulnerability in the Undertow HTTP server core. Undertow is a Java web server component used by application platforms including WildFly and JBoss EAP. The flaw occurs when Undertow fails to properly validate the HTTP Host header, which may enable cache poisoning, internal network scanning/SSRF-style impacts, or session hijacking under certain conditions. As exploitation is remote and does not require authentication, internet-facing services built on affected Undertow components may be at elevated risk.
- CVE-2025-12543: Undertow Host Header Validation Vulnerability (CVSSv3 9.6). Affected versions <= 2.4.0.Alpha1.
WordPress has released details of two critical unauthenticated vulnerabilities in the “Frontend Admin by DynamiApps” plugin. This WordPress plugin enables users to add, edit, and delete content directly from the front end of a website. The first vulnerability may allow unauthenticated attackers to escalate privileges and register as administrators (resulting in full site takeover) if they can access a user registration form containing a Role field. The second vulnerability may allow unauthenticated attackers to delete arbitrary content (posts/pages/products), taxonomy terms, and even user accounts, due to missing authorisation checks.
- CVE-2025-14736: Unauthenticated Privilege Escalation Vulnerability (CVSSv3 9.8). Affected versions <= 3.28.25.
- CVE-2025-14741: Missing Authorisation Arbitrary Deletion Vulnerability (CVSSv3 9.1). Affected versions <= 3.28.25.
Fortinet has issued patches to fix a critical vulnerability affecting FortiOS and FortiSwitch Manager. If exploited by a remote, unauthenticated attacker, this flaw could enable arbitrary code execution or command injection.
- CVE-2025-25249: Heap-based Buffer Overflow Vulnerability (CVSSv3 7.4). Affected versions: see the Fortiguard advisory linked below.
Microsoft has released security updates to address 112 vulnerabilities in Microsoft products, including the following three vulnerabilities:
- CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability (CVSSv3 5.5).
- CVE-2026-21265: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability (CVSSv3 6.4).
- CVE-2023-31096: Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability (CVSSv3 7.8).
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Trend Micro - Trend Micro Apex Central
Red Hat - CVE-2025-12543 - Red Hat Customer Portal
WordPress - WordPress Vulnerability Database
Fortinet - Fortiguard website
Microsoft - January 2026 Security Updates
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.