The September 2025 Security Update Review
Adobe and Microsoft released security patches in September 2025. Adobe fixed 22 CVEs, with the ColdFusion and Commerce patches carrying the highest priority; Microsoft fixed 80 CVEs, including eight rated Critical, across Windows, Office and other components, with particular attention to high-risk bugs such as the GDI+ remote code execution vulnerability. 2025-9-9 19:06:15 Author: www.thezdi.com

There’s a crispness in the air – at least here in North America – and with it comes the latest security patches from Adobe and Microsoft. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for September 2025

For September, Adobe released nine bulletins addressing 22 unique CVEs in Adobe Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer, Experience Manager, Dreamweaver, Adobe 3D Substance Modeler, and ColdFusion. Of these, the ColdFusion update is the only Priority 1 patch, although Adobe notes no exploitation has been detected. The patch for Commerce addresses a single, Critical-rated bug that is rated a priority 2. Again, no exploitation is noted. Also of note is the update for Acrobat, which fixes one Critical-rated bug and one Moderate-rated bug.

The patch for After Effects fixes three Important-rated bugs. There’s a single bug in Premiere Pro that could lead to code execution. The fix for Substance 3D Viewer addresses three separate code execution bugs. That’s the same for the patch for Substance 3D Modeler. The fix for Experience Manager is the largest patch this month, with seven fixes. However, only one of these is rated Critical. The patch for Dreamweaver corrects a single Cross-Site Request Forgery (CSRF) bug.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the patches for ColdFusion and Commerce, all updates are listed as deployment priority 3.

Microsoft Patches for September 2025

This month, Microsoft released 80 new CVEs in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, Hyper-V, SQL Server, Defender Firewall Service, and Xbox (yup – Xbox!). Of the patches released today, eight are rated Critical, and the rest are rated Important in severity. This puts Microsoft about 100 CVEs ahead of where they were last year in terms of volume. We’ll see if this level of patches remains high throughout the rest of the year.

Microsoft lists one bug as being publicly known at the time of release, but nothing is noted as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug rated as a CVSS 9.8:

-    CVE-2025-53766 - GDI+ Remote Code Execution Vulnerability
As mentioned, this bug is a CVSS 9.8 as it allows for code execution just by browsing to a malicious webpage. An attacker could also embed a specially crafted metafile into a document and have the target open the file. A worst-case scenario would be an attacker uploading something through an ad network that is served up to users. Ad blockers aren’t just for removing annoyances; they also protect against malicious ads. They’re rare, but they have occurred in the past. Since GDI+ touches so many different components (and users tend to click on anything), test and deploy this one quickly.

-    CVE-2025-55232 - Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
This is the highest severity bug by CVSS (9.8) for this month, and it certainly earns it. A remote, unauthenticated attacker could gain code execution on affected systems without user interaction, which makes this potentially wormable between systems with the HPC pack installed. Microsoft recommends ensuring HPC Pack clusters are only deployed in secure enclaves. They also recommend blocking TCP port 5999. If you use HPC Pack clusters, definitely put this on the top of your patching list.

-    CVE-2025-54910 - Microsoft Office Remote Code Execution Vulnerability
This is now the eighth month in a row where at least one Office component allowed code execution through the Preview Pane. It would be nice if Microsoft could consolidate some of these fixes rather than dragging them out month after month, but I doubt that will happen. I’m getting very close to recommending disabling the Preview Pane for a bit while Microsoft sorts this out.

-    CVE-2025-54918 - Windows NTLM Elevation of Privilege Vulnerability
This privilege escalation allows an authenticated threat actor to escalate to SYSTEM on affected systems over the network. While not a scope change, going from a standard Windows user to SYSTEM is handy. Microsoft also notes that exploit complexity is low, so expect to see threat actors target this one. Definitely test and deploy this update quickly.

Here’s the full list of CVEs released by Microsoft for September 2025:

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the remaining Critical patches, there are several in the Graphics Component and Graphics Kernel, but these require an authenticated user and could be considered privilege escalations as much as code execution bugs. There’s also a Critical-rated info leak in the Windows Imaging Component, but considering this only leaks random portions of memory, it’s not clear why this is rated Critical.

Moving on to other code execution bugs, there are quite a few open-and-own bugs in Office components, mostly Excel. There are the monthly RRAS bugs. There’s a frightening-looking bug in SMB Client, but it requires authentication. That’s also true for the NTFS bug. The bug in SharePoint requires Site Owner permissions, but any user who has the ability to create a site on SharePoint has these privileges. The final code execution bug is in the Windows Graphics Component and requires user interaction. All in all, it’s a pretty light month for code execution bugs.

That same thing can’t be said about Elevation of Privilege (EoP) bugs, which make up almost half of this month’s release. Fortunately, most of these bugs lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. There are six bugs in the Defender Firewall Service that allow an attacker to escalate from executing code at Medium Integrity to Local Service. The bug in Azure Arc is interesting as it could allow threat actors to add VM Extensions on affected servers. The bug in Azure Connected Machine Agent only leads to SYSTEM, but you’ll need to update the system to the latest version of Azure Connected Machine Agent by hand. The vulnerability in Microsoft AutoUpdate (MAU) for Mac has an unlikely attack scenario but could lead to root on impacted systems. The bug in Virtual Hard Disk could cause a system to crash. That’s also true for the bug in Windows UI XAML Phone DatePickerFlyout, but this could also be leveraged for an AppContainer escape. One of the kernel bugs could also be leveraged for an AppContainer escape as well.

The bug in MultiPoint Services allows an attacker to delete a file, which, as we’ve seen, can be used for privilege escalation. The bug in Xbox also allows for a targeted file delete, but it’s unclear if you could turn this into an EoP. For the bug in SMB, I would consider this to be a Spoofing bug since you gain the privileges of the compromised user. There are extra steps available for hardening against relay attacks, and if you haven’t already, you should do those as well. Similar to last month, the patch for SQL Server will take extra handling to ensure you have the correct versions installed. The bug in PowerShell is quite interesting, and (again) some might consider it a Spoofing attack. The bug allows an attacker to hijack a PowerShell Direct session between the admin user on the host and a guest VM. This allows an authenticated user to impersonate the admin host user and take any actions to control guest-side operations. Neat.

The September release contains over a dozen information disclosure updates, and as expected, most of these bugs only result in info leaks consisting of unspecified memory contents or memory addresses. This is useful info to have when exploiting components on a system, but otherwise not quite exciting. Other than the Critical-rated bugs already mentioned, the only exception to this is the bug in SQL Server, which could disclose the ever-ephemeral “sensitive information”. ¯\_(ツ)_/¯

There are two Security Feature Bypass (SFB) bugs in this month’s release, and both impact the MapUrlToZone component. As the name implies, these bugs allow URLs to be mapped to the incorrect security zone.

There’s not much information available about the spoofing bug in Office Plus. If you aren’t familiar with it (I wasn’t), Office Plus is a product launched by the Microsoft China team in 2022. It mainly provides users with Office templates, such as PowerPoint templates, through the web version. Based on this, I’m guessing attackers could spoof legitimate users to gain access to Office Plus resources.

There are only three patches for Denial-of-Service (DoS) bugs in this release. As usual, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network to that component.

No new advisories are being released this month.

Looking Ahead

The next Patch Tuesday of 2025 will be on October 14, and I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


Source: https://www.thezdi.com/blog/2025/9/9/the-september-2025-security-update-review