Microsoft, Adobe, SAP deliver critical fixes for September 2025 Patch Tuesday
On September 2025 Patch Tuesday, Microsoft has released patches for 80+ vulnerabilities in its various software products, but the good news is that none of them are actively exploited.
Among the critical and important vulnerabilities patched by Microsoft this time around are:
CVE-2025-54918, a remotely exploitable Windows NTLM elevation of privilege vulnerability. “The attack complexity is Low because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component,” Microsoft noted.
Satnam Narang, senior staff research engineer at Tenable, has singled out CVE-2025-54916 – a stack-based buffer overflow in Windows NTFS that may lead to remote code execution – as worthy of a quick patch.
In March 2025, Microsoft fixed three NTFS vulnerabilities that were exploited in the wild as zero-days. “While this one does not appear to have been exploited, it is still certainly worth keeping an eye on since NTFS is the primary file system used by Windows,” he told Help Net Security.
Kev Breen, Senior Director Threat Research at Immersive, noted that while the title of this CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit.
“This is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run,” he added.
CVE-2025-55232, a vulnerability in the Microsoft High Performance Compute (HPC) Pack, is used to turn a set of Windows Server machines into a coordinated cluster.
The flaw could allow remote, unauthenticated attackers to achieve code execution on affected systems without any user interaction, which – according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative – makes it potentially wormable between systems with the HPC pack installed.
Users are advised to update/migrate to HPC Pack 2019 Update 3 (Build 6.3.8328) and apply the “quick fix” (Build 6.3.8352). If they can’t, they should mitigate the risk of exploitation by running HPC Pack clusters “in a trusted network secured by firewall rules especially for the TCP port 5999.”
Jacob Ashdown, Cyber Security Engineer at Immersive, advises organizations with remote employees or employees who travel frequently to close CVE-2025-54912, sooner rather than later.
CVE-2025-54912 affects BitLocker, the disk encryption tool built into the Windows OS, and could allow attackers to bypass BitLocker protections through physical access to a device.
“This flaw allows an attacker to gain unauthorized access to encrypted data on the system drive with no user interaction or prior privileges required. Microsoft notes the attack complexity is low, although no public exploit code currently exists,” he commented.
“If exploited, this flaw could expose sensitive files, credentials, or allow tampering with system integrity. This poses a particular risk for organizations where devices may be lost or stolen, as attackers with hands-on access could potentially bypass encryption and extract sensitive data.”
It’s also good to mention that two of the flaws fixed this Tuesday were previously disclosed, and the security bulletin for the latter – CVE-2025-55234, an elevation of privilege flaw in Windows SMB Server – notes that the solution for it is hardening SMB Server against relay attacks.
In effect, the “fix” is the audit capabilities Microsoft has released in the September 2025 security updates for Windows and Windows servers, which admins should use to check whether they those hardening measures are in place and, if they are not, to implement them.
Adobe fixes
Adobe has released fixes for 22 CVE-numbered vulnerabilities in Acrobat and Reader, After Effects, Premiere Pro, Substance 3D Viewer, Experience Manager, Dreamweaver, Adobe 3D Substance Modeler, ColdFusion, and Commerce (and Magento Open Source).
None of the fixed vulnerabilities are under active exploitation, but Adobe deems the ColdFusion and Commerce / Magento updates more important to implement quickly than the others.
ColdFusion users received a fix for a critical path traversal flaw (CVE-2025-54261) that could lead to to arbitrary file system write and a recommendation to use the latest MySQL java connector (“for security reasons”).
Adobe Commerce (formerly Magento Commerce) and Magento Open Source users should implement a hotfix for CVE-2025-54236, an improper input validation vulnerability that may allow attackers to bypass a security feature.
Security company Sansec says that the release of the fix was privately announced to selected Commerce customers last week.
So far, neither Adobe or Sansec have seen evidence of the vulnerability being exploited by attackers, but that could happen sooner than expected, since the Adobe patch was accidentally leaked last week.
“The bug, dubbed SessionReaper (…), allows customer account takeover and unauthenticated remote code execution under certain conditions. Sansec was able to simulate the attack and so may less benign parties,” the Sansec Forensics Team warned.
SAP fixes
The German software corporation, which is the world’s largest vendor of enterprise resource planning (ERP) software, also releases patches for its various offerings on the second Tuesday of every month.
On this month’s “SAP Security Patch Day”, the company has fixed a bucketload of flaws in its various offerings, including several critical vulnerabilities in SAP NetWeaver (the integration platform that lets SAP and non-SAP systems work together smoothly):
- CVE-2025-42944, which may allow remote, unauthenticated attackers to execute OS commands on vulnerable systems by submitting a malicious payload to an open port
- CVE-2025-42922, which may allow an attacker authenticated as a non-administrative user to exploit the flaw to upload an arbitrary (malicious) file and execute it.
CVE-2025-42958, stemming from a missing authentication check, may allow high privileged unauthorized users to read, modify, or delete sensitive information, and access administrative or privileged functionalities.
While there’s no mention of any of these being leveraged by attackers, SAP Netweaver is obviously an attractive target. A SAP Netweaver vulnerability (CVE-2025-31324) has recently been exploited in zero-day attacks by suspected initial access broker, and an exploit chaining it and another previously exploited flaw has recently been publicly released.
