KEV: V8 CVE-2025-10585 Hits Electron Apps
TL;DR: CISA just added CVE-2025-10585 (a V8 type-confusion bug in Chromium) to the KEV catalog. The fix landed in Chrome 140.0.7339.185+ and later patch trains. If you ship Electron apps (which bundle Chromium), treat this as a ship-stopping risk: rebase to a build that includes the fix, hard-block outdated engines at runtime, and force auto-updates.
1) What KEV means + the new CVE-2025-10585 entry
KEV (Known Exploited Vulnerabilities) is CISA's "actively exploited" list. When a CVE is added, patching isn't optional; it's urgent.
On Sept 23, 2025, CVE-2025-10585 (V8 type-confusion) hit KEV. The Chrome team shipped the fix in 140.0.7339.185/.186 and continued patching in 140.0.7339.207/.208.
Translation: any embedded Chromium below 140.0.7339.185 remains exposed to CVE-2025-10585.
Why it's dangerous: Type-confusion bugs in V8 often enable remote code execution via crafted pages or embedded content, exactly the kind Electron apps render in BrowserWindows.
2) Why Electron teams must act now
Many desktop apps (Slack-style, IDEs, internal tools) bundle Chromium via Electron. Until Electron consumes a Chromium build ≥140.0.7339.185, your shipped app is behind the browser on security. Follow Electron's upgrade guidance ASAP and do not ship new builds with an affected engine.
Action items for Electron maintainers:
Rebase to a fixed Electron/Chromium train as soon as it's available.
Harden now (see code below): enforce auto-update, runtime engine checks, strict BrowserWindow defaults (nodeIntegration: false, contextIsolation: true), and Content Security Policy.
Operationally: invalidate old installers, block outdated app versions at startup, and add CI gates that fail if your engine is below the fixed build.
3) Rollout plan checklist (practical + code)
A. Force auto-updates (electron-updater)
# install
npm i -S electron-updater
// main.ts
import { app, dialog } from 'electron'
import { autoUpdater } from 'electron-updater'

app.whenReady().then(() => {
  autoUpdater.autoDownload = true
  autoUpdater.autoInstallOnAppQuit = true
  autoUpdater.on('update-available', () => console.log('Update available…'))
  autoUpdater.on('update-downloaded', () => {
    dialog.showMessageBox({
      type: 'info',
      buttons: ['Restart now'],
      title: 'Security update ready',
      message: 'A critical security update (fixes CVE-2025-10585) is ready.'
    }).then(() => autoUpdater.quitAndInstall())
  })
  autoUpdater.checkForUpdates().catch(console.error)
})
Add to package.json (example) for publishing:
{
  "build": {
    "publish": [{ "provider": "github" }],
    "win": { "target": "nsis" },
    "mac": { "category": "public.app-category.developer-tools" }
  }
}
B. Invalidate old installers (server-side 410)
Nginx snippet (example) to make old installers un-downloadable:
location ~* /downloads/myapp-([0-9]+\.[0-9]+\.[0-9]+)\.(exe|dmg|AppImage)$ {
  if ($1 ~* "^(0|1|2|3[0-9]\.|[0-9]{1,2}\.)") { # toy example, adapt your semver
    return 410; # Gone
  }
  try_files $uri =404;
}
C. Runtime hard-block outdated Chromium
Detect the embedded Chromium at runtime and exit if below 140.0.7339.185 (the minimum fixed build for CVE-2025-10585).
// versionGate.ts
import { app, dialog } from 'electron'

function parse(build: string) {
  return build.split('.').map(n => parseInt(n, 10))
}

// True when 4-part build `a` is >= `b`; missing components count as 0.
function gte(a: string, b: string) {
  const A = parse(a), B = parse(b)
  for (let i = 0; i < Math.max(A.length, B.length); i++) {
    const x = A[i] || 0, y = B[i] || 0
    if (x > y) return true
    if (x < y) return false
  }
  return true
}

// Returns false (after requesting quit) when the bundled Chromium is below `min`.
// app.quit() is asynchronous, so the caller must stop creating windows on false.
export function enforceChromiumMin(min = '140.0.7339.185'): boolean {
  const chrome = process.versions.chrome // e.g., "140.0.7339.133"
  if (!chrome || !gte(chrome, min)) {
    dialog.showErrorBox(
      'Update required',
      `This build bundles Chromium ${chrome || 'unknown'}, below ${min} (CVE-2025-10585). Please update.`
    )
    app.quit()
    return false
  }
  return true
}

// main.ts
import { app, BrowserWindow } from 'electron'
import { enforceChromiumMin } from './versionGate'

app.whenReady().then(() => {
  if (!enforceChromiumMin('140.0.7339.185')) return // quitting; do not open a window
  const win = new BrowserWindow({
    webPreferences: {
      contextIsolation: true,
      nodeIntegration: false,
      sandbox: true
    }
  })
  win.loadURL('https://app.example.local/')
})
D. Lock down renderers (defense-in-depth)
// preload.ts
import { contextBridge } from 'electron'

contextBridge.exposeInMainWorld('api', {
  // expose only the minimal surface
})

<!-- index.html -->
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'none'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; connect-src https://api.example.com;">
E. Block old app versions at launch (server-signaled "kill switch")
// killSwitch.ts
import https from 'https'

// Your backend returns { minVersion: "1.24.3" }; anything older must upgrade.
export async function mustUpgrade(current: string): Promise<boolean> {
  const data = await fetchJSON('https://updates.example.com/min.json')
  if (typeof data?.minVersion !== 'string') throw new Error('min.json: missing minVersion')
  return !semverGte(current, data.minVersion)
}

function semverGte(a: string, b: string) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number)
  for (let i = 0; i < 3; i++) { if (pa[i] !== pb[i]) return pa[i] > pb[i] }
  return true
}

function fetchJSON(url: string) {
  return new Promise<any>((resolve, reject) => {
    https.get(url, res => {
      if (res.statusCode !== 200) {
        res.resume() // drain the body so the socket is released
        return reject(new Error(`min.json: HTTP ${res.statusCode}`))
      }
      const chunks: Buffer[] = []
      res.on('data', c => chunks.push(c))
      res.on('end', () => {
        // A malformed body must reject the promise, not throw an uncaught exception
        try { resolve(JSON.parse(Buffer.concat(chunks).toString('utf8'))) }
        catch (e) { reject(e) }
      })
    }).on('error', reject)
  })
}
4) Verification: prove your engine is fixed (≥ 140.0.7339.185)
A. CI gate that fails if Chromium < fixed build
# .github/workflows/engine-guard.yml
name: engine-guard
on: [push, pull_request]
jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22 }
      - run: npm ci
      # Plain Node has no process.versions.chrome; ask the Electron binary from
      # node_modules, run as Node (no display needed), which Chromium it bundles.
      - run: |
          CHROME=$(ELECTRON_RUN_AS_NODE=1 npx electron -p process.versions.chrome)
          node -e '
            const v = process.argv[1], min = "140.0.7339.185";
            const p = s => s.split(".").map(Number);
            const a = p(v), b = p(min);
            let ok = true;
            for (let i = 0; i < 4; i++) {
              if ((a[i] || 0) > (b[i] || 0)) { ok = true; break }
              if ((a[i] || 0) < (b[i] || 0)) { ok = false; break }
            }
            if (!ok) { console.error("Chromium " + v + " < " + min + " (CVE-2025-10585)"); process.exit(1) }
            console.log("OK Chromium " + v);
          ' "$CHROME"
Tip: this works in Electron CI if you run scripts with Electron's Node (e.g., electron -e or process.versions.chrome surfaced via a tiny Node script in your repo). If you build on CI, you can also parse the Electron release metadata your build uses.
B. SCA "diff" to confirm you hopped trains
Simple check to assert your Electron bump actually advanced Chromium:
#!/usr/bin/env bash
# scripts/verify-chromium.sh
set -euo pipefail

# Plain Node has no process.versions.chrome; query the Electron binary run as Node.
CURRENT=$(ELECTRON_RUN_AS_NODE=1 npx electron -p "process.versions.chrome||''")
REQUIRED="140.0.7339.185"
# Shell variables are only visible as process.env in the child once exported.
export CURRENT REQUIRED

node - <<'JS'
function gte(a, b) {
  a = a.split('.').map(Number); b = b.split('.').map(Number)
  for (let i = 0; i < 4; i++) {
    if ((a[i] || 0) > (b[i] || 0)) return true
    if ((a[i] || 0) < (b[i] || 0)) return false
  }
  return true
}
const cur = process.env.CURRENT, req = process.env.REQUIRED
if (!cur) { console.error('No embedded Chromium detected'); process.exit(2) }
if (!gte(cur, req)) { console.error(`FAIL: Chromium ${cur} < ${req} (CVE-2025-10585)`); process.exit(1) }
console.log(`PASS: Chromium ${cur} >= ${req}`)
JS
Run it post-build; fail the pipeline if not on a fixed engine.
5) Extra hardening (because defense-in-depth)
Disable Node in renderers (nodeIntegration: false), enable isolation (contextIsolation: true), use sandbox: true.
Only load trusted content (file:// or your own HTTPS origin).
Protocol filters: validate custom:// and file:// handlers.
Update cadence: align your Electron train with Chromium's stable channel. Don't lag multiple minors behind, especially with KEV-listed bugs like CVE-2025-10585.
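The "only load trusted content" and protocol-filter items above can be enforced from the main process with one navigation allowlist. The TypeScript below is an added example, not code from the original post: `checkNavigation`, `GuardPolicy`, the origin `https://app.example.local` and the path `/opt/myapp/renderer` are assumed names and values, and it generalises the two bullets to cover https origins, file:// paths and script-bearing schemes in one decision.

```typescript
// navigationGuard.ts (added example, not from the original post): allowlist decision for
// renderer navigation. Pure logic so it runs without Electron; the main-process wiring is
// in the comment at the bottom. Policy names and values are assumptions.
export interface GuardPolicy {
  allowedOrigins: string[]   // canonical origins, e.g. 'https://app.example.local'
  appRoot?: string           // absolute directory of the bundled renderer files (file://)
}
export type Verdict = { allow: true } | { allow: false; reason: string }

function safe<T>(fn: () => T): T | null { try { return fn() } catch { return null } }

export function checkNavigation(target: string, policy: GuardPolicy): Verdict {
  const u = safe(() => new URL(target))
  if (!u) return { allow: false, reason: 'unparseable URL' }
  // Schemes that execute script or smuggle content are never navigable.
  if (['javascript:', 'data:', 'blob:', 'vbscript:'].includes(u.protocol)) {
    return { allow: false, reason: `blocked scheme ${u.protocol}` }
  }
  if (u.protocol === 'file:') {
    if (!policy.appRoot) return { allow: false, reason: 'file:// disabled by policy' }
    const root = policy.appRoot.endsWith('/') ? policy.appRoot : policy.appRoot + '/'
    const p = safe(() => decodeURIComponent(u.pathname))
    if (p === null) return { allow: false, reason: 'bad percent-encoding' }
    // The URL parser already resolves '..' (even as '%2e%2e'); this re-check is belt and braces.
    if (p.split('/').some(seg => seg === '..' || seg === '.')) {
      return { allow: false, reason: 'path traversal segment' }
    }
    return p.startsWith(root) ? { allow: true } : { allow: false, reason: 'file:// outside app root' }
  }
  if (u.protocol !== 'https:') return { allow: false, reason: `non-HTTPS scheme ${u.protocol}` }
  // Compare the parsed origin, never a string prefix: origin drops userinfo, path and the
  // default port, so 'https://app.example.local@evil.example/' and
  // 'https://app.example.local.evil.example/' both fail here.
  if (!policy.allowedOrigins.includes(u.origin)) {
    return { allow: false, reason: `origin ${u.origin} not in allowlist` }
  }
  return { allow: true }
}

// Constructed sample policy and targets; prints the verdicts when run directly.
export const samplePolicy: GuardPolicy = { allowedOrigins: ['https://app.example.local'], appRoot: '/opt/myapp/renderer' }
for (const t of ['https://app.example.local/settings', 'https://app.example.local@evil.example/',
                 'file:///opt/myapp/renderer/index.html', 'file:///etc/hosts', 'javascript:void(0)']) {
  console.log(t, '->', JSON.stringify(checkNavigation(t, samplePolicy)))
}

// Electron main-process wiring (needs the electron module, so left as a comment here):
//   win.webContents.on('will-navigate', (e, url) => { if (!checkNavigation(url, policy).allow) e.preventDefault() })
//   win.webContents.setWindowOpenHandler(({ url }) =>
//     checkNavigation(url, policy).allow ? { action: 'allow' } : { action: 'deny' })
```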
Helpful follow-ups from our blog (internal reading)
Android Security Bulletin September 2025: Patch Fleet Now - triage & rollout tactics you can reuse for desktop engines.
CISA KEV Adds CVE-2025-5086: What You Must Do - our quick KEV playbook for leadership.
PCI DSS 4.0: Your Post-March 31 Remediation Plan - compliance-friendly change control for high-velocity patching.
Need help closing gaps fast?
Risk Assessment Services - map CVE-2025-10585 exposure across products and pipelines:
https://www.pentesttesting.com/risk-assessment-services/
Remediation Services - from upgrade plans to hardening and CI gates:
https://www.pentesttesting.com/remediation-services/
Free Website Vulnerability Scanner - quick external checks before every release:
https://free.pentesttesting.com/
Pentest Testing Corp. (home) - who we are & how we work:
https://www.pentesttesting.com/
Final checklist for your release notes
Mention CVE-2025-10585 explicitly.
State the Chromium build you ship (e.g., Chromium 140.0.7339.208).
Add the runtime gate + auto-update notes.
Point admins to risk assessment and remediation help.