Post-Patch Tuesday Roundup: September 2025 :: Softcat

Post-Patch Tuesday Roundup: September 2025

Welcome to the Softcat Patch Tuesday roundup for September 2025, where we offer insight into the major patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, SAP, VMware, Citrix, Ivanti and ICS.


Preeti Nandal

Cyber Security Assessor


Quite a few zero-day exploits have been identified, and many of these are known to have been actively exploited in the wild.

 

Microsoft

In their September Patch Tuesday release, Microsoft has addressed 86 vulnerabilities, with 13 of those rated as Critical and 2 being zero-day vulnerabilities. The patches cover a broad array of applications and services, including Windows Hyper-V, SQL Server, Windows Kernel, Windows NTLM, Windows PowerShell, Windows TCP/IP, Windows NTFS, and more. Additionally, there have been 4 Edge/Chromium-based vulnerabilities identified, although 1 advisory has been issued.

This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Denial of Service (DoS). Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:

Zero Day Vulnerability:

1. CVE-2025-55234 – This is an Elevation of Privilege vulnerability in Windows SMB Server that can allow an attacker to gain elevated privileges by performing a relay attack. It is rated as Important, and has a CVSS score of 8.8. The attack method involves exploiting improperly validated authentication contexts in SMB sessions, particularly when SMB signing and Extended Protection for Authentication (EPA) are not correctly configured. This enables man-in-the-middle relay attacks by forwarding captured credentials, potentially leading to unauthorised access and privilege escalation.

2. CVE-2024-21907 – This is an Improper Handling of Exceptional Conditions vulnerability in Newtonsoft.Json that can allow an attacker to trigger a denial of service (DoS) by sending crafted JSON data that causes a StackOverflow exception. It is rated as High severity, and has a CVSS score of 7.5. The attack method involves passing deeply nested JSON input to the JsonConvert.DeserializeObject method, which overwhelms the system’s stack and leads to process termination. This is particularly dangerous in IIS-hosted applications, where it can cause application pool shutdown.
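As an added illustration (not code from Microsoft, Newtonsoft or the original post), the following is a pre-parse guard for the deeply nested JSON condition described under CVE-2024-21907. It is written in Python to show the general technique; the 64-level limit, the function names and the sample inputs are assumptions made for the example.

```python
import json

MAX_DEPTH = 64  # assumed limit for this example; tune to your real payloads


class NestingTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the allowed limit."""


def nesting_depth(text, limit=MAX_DEPTH):
    """Return the maximum container depth of a JSON text.

    Single pass, no recursion, so the check itself cannot exhaust the stack.
    Stops early with NestingTooDeep as soon as `limit` is exceeded.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            # Brackets inside string values are data, not structure.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting exceeds {limit} levels")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth = max(depth - 1, 0)
    return deepest


def safe_loads(text, limit=MAX_DEPTH):
    """Reject over-nested input first, then hand it to the real parser."""
    nesting_depth(text, limit)
    return json.loads(text)


# Constructed sample inputs (not taken from any real traffic).
NORMAL = '{"user": {"name": "a[b]{c}", "roles": ["admin", "dev"]}}'
HOSTILE = "[" * 100_000 + "]" * 100_000
```

In .NET services the equivalent control is the parser's own depth limit (JsonSerializerSettings.MaxDepth), applied alongside the Newtonsoft.Json update.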

Critical

3. CVE-2025-54918 – This is an Elevation of Privilege vulnerability in Windows NTLM that can allow an attacker to gain SYSTEM-level privileges over a network. It is rated as Critical, and has a CVSS score of 8.8. The vulnerability stems from improper authentication handling in NTLM, which allows an attacker with low privileges and network access to escalate their rights. The attack does not require user interaction and has low complexity, making it particularly dangerous in enterprise environments.

4. CVE-2025-55226 – This is an Elevation of Privilege vulnerability in Windows Kernel that can allow an attacker to gain SYSTEM-level privileges by exploiting a flaw in kernel memory handling. It is rated as Critical, and has a CVSS score of 7.8. The vulnerability arises from improper validation of memory objects in the Windows Kernel, which could be triggered by a locally authenticated attacker to execute code with elevated privileges.

5. CVE-2025-55228 – This is an Elevation of Privilege vulnerability in Windows Kernel that can allow an attacker to gain SYSTEM-level privileges by exploiting a flaw in kernel object handling. It is rated as Critical, and has a CVSS score of 7.8. The flaw is a concurrent execution using shared resource with improper synchronisation ('race condition') in Windows Win32K – GRFX. An attacker must win a race condition to exploit the vulnerability.

6. CVE-2025-55236 – This is an Elevation of Privilege vulnerability in Windows Kernel that can allow an attacker to gain SYSTEM-level privileges by exploiting a flaw in kernel memory management. It is rated as Critical, and has a CVSS score of 7.8. The vulnerability is triggered by a locally authenticated attacker who manipulates kernel memory objects: a time-of-check time-of-use (TOCTOU) race condition in Graphics Kernel allows an authorised attacker to execute code locally.

7. CVE-2025-53799 – This is an Elevation of Privilege vulnerability in Windows Kernel that can allow an attacker to gain SYSTEM-level privileges by exploiting a flaw in kernel object handling. It is rated as Critical, and has a CVSS score of 7.8. Use of uninitialised resource in Windows Imaging Component allows an unauthorised attacker to disclose information locally. 

Important

8. CVE-2025-54916 – This is an Elevation of Privilege vulnerability in Windows Kernel that can allow an attacker to gain SYSTEM-level privileges on the affected machine. It is rated as Important, with a CVSS score of 7.8. Since this is known to have been exploited in the wild, users should look to patch this vulnerability as soon as possible to prevent potential exploitation. Stack-based buffer overflow in Windows NTFS allows an authorised attacker to execute code locally.

9. CVE-2025-54098 – This is an Elevation of Privilege vulnerability in Windows Hyper-V caused by improper access control, which can allow an authorised attacker to elevate privileges locally to SYSTEM level. It is rated as Important, with a CVSS score of 7.8. Since this is known to have been exploited in the wild, users should look to patch this vulnerability as soon as possible to prevent potential exploitation. The attacker must already have local access and low-level privileges on the system to exploit this vulnerability.

 

Adobe

Adobe has released nine patches this month, addressing 23 vulnerabilities. The applications in question are:

Adobe Acrobat Reader 

Adobe After Effects

Adobe Premiere Pro

Adobe Commerce

Adobe Substance 3D Viewer

Adobe Experience Manager

Adobe Dreamweaver 

Adobe 3D Substance Modeler

Adobe ColdFusion

All of these vulnerabilities are rated as a priority 3 or below by Adobe, meaning they relate to a product that has historically not been a target for attackers.

 

Cisco

Cisco has so far released 43 advisories for 50 vulnerabilities in September, with the impact ratings ranging from Medium to Critical. The Critical vulnerabilities relate to Cisco Software RADIUS and Cisco IOS and IOS XE Software Smart Install.

 

Citrix

Citrix has released two security bulletins this month. These are updates for XenServer, which may allow privileged code in a guest VM to compromise or crash the host, and for NetScaler ADC and Gateway, with memory overflow vulnerabilities.

 

Ivanti

Ivanti has released two updates for September Patch Tuesday: Policy Secure and Ivanti EPM. The vulnerabilities include insufficient filename validation in Ivanti Endpoint, which allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Ivanti Connect Secure: missing authorisation in Ivanti Connect Secure allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.

 

SAP

SAP has released 21 new security notes and 4 updates to September security notes. 8 of these CVEs are rated High or Critical. The products affected by the High or Critical rated CVEs are:

  • SAP NetWeaver
  • SAP Business One
  • SAP Landscape Transformation Replication Server
  • SAP S/4HANA (Private Cloud or On-Premise)
  • SAP Commerce Cloud and SAP Datahub
  • SAP Business Planning and Consolidation
  • SAP HCM
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Supplier Relationship Management
  • SAP Fiori App
  • SAP Commerce Cloud

 

VMware

VMware has released a patch for a vulnerability in the VMware Tools product:

Tanzu: 22 Critical and 10 High on 6 products – Tanzu Kubernetes runtime, Application service, Grid integrated edition, platform-Core and SM.

 

Industrial Control Systems

Any customers utilising industrial control systems (ICS) should be aware of security advisories regarding

As always, users are recommended to apply the latest security updates as soon as possible to protect their systems from potential threats.