This Patch Tuesday, SAP is the worst offender and Microsoft users can kinda chill

September’s Patch Tuesday won’t require Microsoft users to rapidly repair rancid software, but SAP users need to move fast to address extremely dangerous bugs.

Microsoft did find two bugs worthy of urgent attention. CVE-2025-55234 allows relay attacks and escalation of privileges against SMB Server. Admins can ameliorate these by using SMB Server signing and Extended Protection for Authentication (EPA), but it’s better to patch and be safe than sorry.
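As an added example (not from the article or from Microsoft), the following PowerShell audits the signing side of that mitigation on a Windows host: it reports whether SMB signing is merely enabled or actually required for both the server and client roles, and can enforce the required setting. It assumes an elevated prompt and the built-in SmbShare cmdlets; EPA is out of scope here and is configured separately.

```powershell
# Added example: audit (and optionally enforce) SMB signing as a relay mitigation.
# Assumes an elevated session on Windows 8 / Server 2012 or later (SmbShare module).
# EPA for SMB is not handled by this function.
function Test-SmbSigningPosture {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # set the "require" flag where it is missing
    )

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Only *required* signing blocks relay: "enabled" alone lets a peer negotiate it away.
    $findings = @(
        [pscustomobject]@{
            Role     = 'Server'
            Enabled  = $server.EnableSecuritySignature
            Required = $server.RequireSecuritySignature
        },
        [pscustomobject]@{
            Role     = 'Client'
            Enabled  = $client.EnableSecuritySignature
            Required = $client.RequireSecuritySignature
        }
    )

    foreach ($f in $findings) {
        $status = if ($f.Required) { 'OK: signing required' }
                  elseif ($f.Enabled) { 'WEAK: signing enabled but not required' }
                  else { 'WEAK: signing off' }
        $f | Add-Member -NotePropertyName Status -NotePropertyValue $status
    }

    if ($Remediate) {
        if (-not $server.RequireSecuritySignature) {
            Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        }
        if (-not $client.RequireSecuritySignature) {
            Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        }
        # Re-read the configuration so the report reflects the enforced state.
        return Test-SmbSigningPosture
    }

    return $findings
}

# Report only:            Test-SmbSigningPosture | Format-Table
# Report and enforce:     Test-SmbSigningPosture -Remediate | Format-Table
```

Requiring signing can break legacy clients that cannot sign, so run the report-only form first and review the results before enforcing.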

The second flaw, CVE-2024-21907, isn’t too much of an issue unless you’re running a version of Newtonsoft.Json prior to 13.0.1. It emerged last year, so if you’re vulnerable you may already face denial-of-service attacks that exploit the errors in its use of libraries.

Microsoft’s fixed-flaw manifesto includes the 9.8-rated CVE-2025-55232 which can cause serious problems for users of Microsoft’s High Performance Compute package, allowing code execution over the network. Redmond warns admins to watch for dodgy traffic on TCP port 5999 as that’s a sign this issue is under attack.

That’s one of eight critical flaws. Office’s Preview pane is still causing problems – this time with CVE-2025-54910. Maybe turn it off for the moment if possible.

Redmond issued eight important patches for Excel. Six fixes for Defender Firewall address elevation of privilege attacks. Five fixes patch up Hyper-V. Users of Redmond’s Routing and Remote Access Service (RRAS) have ten fixes to consider.

SAP scores 10/10 in the worst possible way

SAP NetWeaver customers need to get busy as the vendor’s latest update addresses four critical vulnerabilities in the application, one of them scoring a perfect 10 on the CVSS scale.

That perfectly poisonous problem is a deserialization flaw (CVE-2025-42944) that lets an unauthenticated attacker abuse authentication privileges in the RMI-P4 module used to distribute Java objects. The slightly less serious CVE-2025-42922 – only a CVSS 9.9 flaw – allows file uploads that would, to quote the vendor, cause “full compromise of confidentiality, integrity and availability of the system.”

NetWeaver has two more critical issues: CVE-2023-27500 allows anyone to overwrite system files in the control system for SAPRSBRO. IBM i-series users should beware of CVE-2025-42958, which can give access to admin-level read/write privileges.

SAP spotted and squashed another 21 vulnerabilities.

Adobe and Android angst

Adobe also issues patches on the second Tuesday of the month, and this time delivered 22 fixes.

Only one is a priority case, and it addresses a critical problem in versions of ColdFusion released from 2021 to 2025: a file system overwriting bug.

Adobe also delivered critical fixes for Adobe Commerce and Magento versions 2.4.4 – 2.4.7 (and these can be very bad indeed), plus a critical and moderate flaw found in Acrobat and Reader.

Substance 3D Modeler and 3D Viewer have several critical issues that allow code execution in inappropriate contexts.

Premiere Pro gets one critical code execution flaw patched, and there’s a similarly serious cross-site request forgery bug in Dreamweaver 21.5 and below.

Experience Manager was Adobe’s worst offender, earning seven fixes, one of them worthy of attention as it allows bypass of security protections.

Android doesn’t go with the herd and releases its patches as soon as possible. This month it sent out its biggest patch bundle of the year – 120 fixes with two of them already being used in the wild. Non-Pixel owners will have to wait until their OEM issues an update for these.

Finally, Cisco dropped a quick high-severity patch for its Secure Firewall Adaptive Security Appliance (ASA) software for a flaw that would allow a denial-of-service attack. ®
