Microsoft and Adobe release September 2025 Patch Tuesday fixes for numerous flaws, including two Microsoft-related zero-days
Security Advisory 10.09.25
Overview
Microsoft
Today is Microsoft’s September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities.
This Patch Tuesday also fixes nine “Critical” vulnerabilities: five are remote code execution vulnerabilities, one is information disclosure, and two are elevation of privilege.
The number of bugs in each vulnerability category is listed below:
- 41 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 22 Remote Code Execution Vulnerabilities
- 16 Information Disclosure Vulnerabilities
- 3 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerability
The two publicly disclosed zero-day vulnerabilities are:
- CVE-2025-55234 – Windows SMB Elevation of Privilege Vulnerability (CVSS:3.1 – 8.8)
Microsoft fixed an elevation of privilege flaw in SMB Server that is exploited through relay attacks. Microsoft says that Windows already includes settings to harden the SMB Server against relay attacks, including enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA). However, enabling these features could cause compatibility issues with older devices and implementations.
Microsoft recommends that admins enable auditing on SMB servers to determine if they will encounter any issues when those hardening features are fully enforced.
- CVE-2024-21907 – VulnCheck: Improper Handling of Exceptional Conditions in Newtonsoft.Json (CVSS:3.1 – 7.5)
Microsoft has fixed a previously known vulnerability in Newtonsoft.Json, which is included as part of Microsoft SQL Server. “CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1,” explains Microsoft. “The documented SQL Server updates incorporate updates in Newtonsoft.Json which address this vulnerability.”
Even though the above are publicly disclosed zero-days, there is no evidence of exploitation in the wild.
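The audit-before-enforce sequence Microsoft recommends for the SMB hardening settings, as an added example that is not part of the advisory or Microsoft's own guidance. It assumes an elevated PowerShell session on the SMB server with a Windows 11 24H2 / Windows Server 2025-level SMB stack; the `AuditClientDoesNotSupportSigning` parameter is assumed to exist on that build, and treating `SmbServerNameHardeningLevel` (SPN validation) as the EPA control named in the advisory is this example's assumption.

```powershell
# Added example (not from the advisory). Run elevated on the SMB server.
# Assumption: Windows 11 24H2 / Windows Server 2025-level Set-SmbServerConfiguration,
# which exposes the AuditClientDoesNotSupportSigning switch.

# 1. Record the current posture before changing anything.
$before = Get-SmbServerConfiguration |
    Select-Object EnableSecuritySignature, RequireSecuritySignature,
                  SmbServerNameHardeningLevel
$before | Format-List

# 2. Audit first: log clients that cannot sign, without rejecting them yet.
Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true -Confirm:$false

# 3. After a review window, pull the SMB server audit log so legacy devices and
#    implementations can be upgraded or isolated before enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 2000 `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sign' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 4. Only once the audit output is clean, enforce: require SMB signing and set
#    SPN validation to "required" (level 2; assumed here to be the EPA control).
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Confirm:$false
# Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Confirm:$false
```

Step 4 is left commented out so the script can be run as-is for the audit phase and the enforcement lines uncommented once the audit log shows no unsupported clients.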
Adobe
Adobe has also released multiple updates for its products, addressing two particular vulnerabilities it has rated as ‘Critical’.
- CVE-2025-54261 – ColdFusion Path Traversal (CVSS:3.1 – 9.0)
This vulnerability has been described as a path traversal issue that can lead to an arbitrary file system write. It impacts ColdFusion 2021, 2023, and 2025 on all platforms. While Adobe is not aware of any exploitation in the wild, it has assigned this flaw a priority rating of “1”, which indicates it should be patched as soon as possible.
- CVE-2025-54236 – Adobe Commerce and Magento Open Source (CVSS:3.1 – 9.1)
The second critical vulnerability can be exploited by an unauthenticated attacker to bypass a security feature. Adobe is not aware of any exploitation in the wild.
Affected Devices
Microsoft
Windows 10: Cumulative update versions prior to KB5065429 for Windows 10 22H2 and Windows 10 21H2
Windows 11: Cumulative update versions prior to KB5065426 and KB5065431 for Windows 11 24H2 and Windows 11 23H2
Adobe
ColdFusion 2025: Update 3 and earlier versions
ColdFusion 2023: Update 15 and earlier versions
ColdFusion 2021: Update 21 and earlier versions
ColdFusion Update and Hardening Guide
Adobe Commerce:
2.4.9-alpha2 and earlier
2.4.8-p2 and earlier
2.4.7-p7 and earlier
2.4.6-p12 and earlier
2.4.5-p14 and earlier
2.4.4-p15 and earlier
Adobe Commerce B2B:
1.5.3-alpha2 and earlier
1.5.2-p2 and earlier
1.4.2-p7 and earlier
1.3.4-p14 and earlier
1.3.3-p15 and earlier
Magento Open Source:
2.4.9-alpha2 and earlier
2.4.8-p2 and earlier
2.4.7-p7 and earlier
2.4.6-p12 and earlier
2.4.5-p14 and earlier
Adobe Commerce and Magento Update Guide
Recommended Remediations
ctrl:cyber strongly recommends the following actions to mitigate risk of exploitation:
- Apply Security Updates: Download and apply the latest security patches from Microsoft for all affected systems to mitigate the risk of exploitation. More information on available security patches can be found in the Microsoft Update Guide.
- Apply Adobe Security Updates: Download and apply the latest security patches from Adobe, and apply any recommended configuration changes to harden security against exploitation. The full bulletin that includes patches for less severe vulnerabilities can be found here: Adobe Security Bulletin
Source: National Vulnerability Database
Source: The Bleeping Computer
Source: Adobe Security Bulletin