Microsoft, Adobe, SAP Issue Critical September 2025 Patch Tuesday Updates

The September 2025 Patch Tuesday brought significant security updates from major software providers, addressing numerous vulnerabilities across widely used platforms. Microsoft, Adobe, and SAP each rolled out critical fixes aimed at strengthening defenses against potential cyber threats, though none of the identified issues are currently under active exploitation.

Microsoft addressed over 80 vulnerabilities in its latest security release. One notable patch, CVE-2025-54918, resolves a privilege escalation flaw in Windows NTLM. Microsoft emphasized that attackers could exploit this with low complexity, requiring minimal system knowledge to succeed repeatedly.

Security experts highlighted several other concerns. Satnam Narang of Tenable pointed to CVE-2025-54916, a stack-based buffer overflow in Windows NTFS that could allow remote code execution. Although not yet exploited, he warned that NTFS remains a high-value target due to its central role in Windows operations.

Kev Breen from Immersive Labs clarified that despite its “remote code execution” label, this particular vulnerability isn’t network-based. Instead, it depends on local code execution or social engineering, such as convincing a user to open a malicious file.

Another critical issue, CVE-2025-55232, affects Microsoft’s High Performance Compute Pack. This flaw could let unauthenticated attackers execute code remotely with no user interaction. Dustin Childs of Trend Micro’s Zero Day Initiative noted its potential to spread like a worm across systems with HPC installed. Microsoft recommends updating to HPC Pack 2019 Update 3 or isolating clusters behind strict firewall rules.

For organizations with mobile workforces, CVE-2025-54912 poses a serious risk. This BitLocker vulnerability could let attackers bypass encryption through physical access to a device. Jacob Ashdown of Immersive stressed the urgency of patching, especially for devices that could be lost or stolen, as sensitive data and system integrity may be compromised.

Adobe’s September updates cover 22 vulnerabilities across products including Acrobat, Reader, ColdFusion, and Commerce. While none are actively exploited, Adobe flagged ColdFusion and Commerce updates as particularly urgent. A critical path traversal flaw in ColdFusion (CVE-2025-54261) could allow arbitrary file writes. Adobe Commerce users received a hotfix for CVE-2025-54236, an input validation issue that may bypass security features.

Sansec warned that although no exploits have been observed, the Adobe Commerce patch was accidentally leaked, raising the risk of imitation attacks. Dubbed SessionReaper, the vulnerability could enable account takeover and remote code execution under specific conditions.

SAP also released a substantial set of patches, including several critical flaws in NetWeaver. CVE-2025-42944 could allow unauthenticated remote command execution, while CVE-2025-42922 might let non-admin users upload and execute malicious files. CVE-2025-42958, resulting from missing authentication checks, could permit unauthorized access to sensitive data and administrative functions.

Although none of these SAP vulnerabilities are currently exploited, NetWeaver remains a attractive target. Recent zero-day attacks leveraging a related flaw highlight the importance of prompt patching.

Staying informed about these updates is essential for maintaining organizational security. Regular patching remains one of the most effective ways to protect against emerging threats.

(Source: HelpNet Security)