
NIST Updates Security and Privacy Control Catalog for Enhanced Patching

📰 1 unique source, 1 article

Summary


The National Institute of Standards and Technology (NIST) has updated its Security and Privacy Control catalog to improve patch management and software update protocols. The changes aim to address vulnerabilities in the software supply chain and reduce the risk of data breaches. The updates are part of a broader effort to enhance cybersecurity measures across federal and private sectors. The revised catalog includes new guidelines for software vendors and organizations to better manage and prioritize patches. The updates are in response to an executive order issued in June, which mandated revisions to the catalog by September 2. The new commenting system allowed for real-time feedback and revisions.

Timeline

  1. 02.09.2025 16:01 📰 1 article · ⏱ 14d ago

    NIST updates Security and Privacy Control catalog for improved patch management

    In September 2025, NIST revised its Security and Privacy Control catalog to enhance patch management and software update protocols. The updates include new guidelines for managing and prioritizing patches, aiming to reduce the attack window and improve software security. The changes were made in response to an executive order issued in June 2025 and were completed using a new real-time commenting system.


Information Snippets

  • The Security and Privacy Control catalog was originally published in 2020 and covers various security and privacy safeguards.

    First reported: 02.09.2025 16:01
    📰 1 source, 1 article
  • The latest update focuses on mitigating risks associated with software updates and patch releases.

    First reported: 02.09.2025 16:01
    📰 1 source, 1 article
  • The updates aim to reduce the attack window and improve the security of software systems.

    First reported: 02.09.2025 16:01
    📰 1 source, 1 article
  • The revisions include new guidelines for least-privilege access, flaw-remediation testing, customer agreements, and update coordination.

    First reported: 02.09.2025 16:01
    📰 1 source, 1 article
  • The changes were made in response to an executive order issued in June 2025.

    First reported: 02.09.2025 16:01
    📰 1 source, 1 article
  • The new commenting system allowed for real-time feedback and revisions to the catalog.

    First reported: 02.09.2025 16:01
    📰 1 source, 1 article

Similar Happenings

Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days

Microsoft released updates for 80 vulnerabilities in its September 2025 Patch Tuesday release. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The 38 elevation of privilege vulnerabilities are the highest count among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) rated critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML that allow privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update also includes recommendations for preparing for the end of life of Windows 10 and for mandatory multifactor authentication (MFA) on Azure in October 2025.

Critical SAP NetWeaver vulnerabilities patched, including remote code execution flaw

SAP has fixed 21 vulnerabilities, including three critical flaws in its NetWeaver software. The most severe, CVE-2025-42944, is an insecure deserialization flaw allowing unauthenticated remote code execution. The second critical flaw, CVE-2025-42922, enables arbitrary file uploads by authenticated users. The third, CVE-2025-42958, allows unauthorized access to sensitive data and administrative functions. The vulnerabilities affect various SAP products, including ERP, CRM, SRM, and SCM, which are widely used in large enterprise networks. The flaws could lead to full system compromise and unauthorized data manipulation. SAP products are frequently targeted by threat actors because they handle mission-critical data. A high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) could allow an attacker with high-privilege access to delete the contents of arbitrary database tables. A critical security defect in SAP S/4HANA (CVE-2025-42957) has come under active exploitation in the wild.