High-severity vulnerability in Microsoft Exchange disclosed
Summary
CISA has issued an alert regarding a high-severity vulnerability in on-premises Microsoft Exchange servers. Organizations are urged to follow Microsoft's guidance to reduce risk, and CISA is working with Microsoft and with government and industry partners to assess the scope and impact. Immediate action is recommended to mitigate potential risks.
Timeline
06.08.2025 15:00 · 1 article
CISA issues alert on high-severity Microsoft Exchange vulnerability
CISA issued an alert on a high-severity vulnerability in on-premises Microsoft Exchange servers, urged organizations to follow Microsoft's guidance, and is working with Microsoft and with government and industry partners to assess the scope and impact.
- CISA Issues Alert on Vulnerability affecting Microsoft Exchange — www.cisa.gov — 06.08.2025 15:00
Information Snippets
- CISA issued an alert regarding a high-severity vulnerability in on-premises Microsoft Exchange servers.
- The vulnerability is being actively monitored and mitigated by CISA and Microsoft.
- Organizations are strongly encouraged to implement Microsoft's guidance to reduce risk.
- CISA is collaborating with Microsoft and various government and industry partners to assess the scope and impact.
First reported: 06.08.2025 15:00 (1 source, 1 article)
- CISA Issues Alert on Vulnerability affecting Microsoft Exchange — www.cisa.gov — 06.08.2025 15:00
Similar Happenings
Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days
Microsoft's September 2025 Patch Tuesday fixed 81 vulnerabilities; the category breakdown below accounts for 80 of them. None was under active exploitation at release, but two were publicly disclosed zero-days, one of them in Windows SMB Server. The updates address eight critical flaws: five remote code execution, one information disclosure and two elevation of privilege. By category there are 38 elevation of privilege (the largest group), 22 remote code execution, 14 information disclosure, 3 denial of service, 2 security feature bypass and 1 spoofing. Alongside the SMB Server fix, the update adds hardening for SMB Server to mitigate relay attacks; administrators are advised to enable the related auditing first, so that clients which would break under enforcement are found before the stricter setting is turned on. Notable fixes: CVE-2025-54918, a critical elevation-of-privilege vulnerability in Windows NT LAN Manager (NTLM); CVE-2025-54111 and CVE-2025-54913, elevation-of-privilege flaws in Windows UI XAML exploitable through phished credentials or malicious Microsoft Store apps; CVE-2025-55232, a remote code execution vulnerability in Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8; and CVE-2025-54916, a remote code execution vulnerability in Windows NTFS that authenticated users can trigger. The release also reminds administrators to prepare for the end of support for Windows 10 and for mandatory multifactor authentication (MFA) for Azure, both in October 2025.
Critical SAP S/4HANA Command Injection Vulnerability Exploited
A critical command injection vulnerability in SAP S/4HANA (CVE-2025-42957) is being actively exploited in the wild. The flaw, with a CVSS score of 9.9, allows attackers with low-privileged user access to execute arbitrary ABAP code, bypass authorization checks, and fully compromise the SAP environment. This can lead to data theft, fraud, or ransomware installation. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA, as well as several other SAP products and versions. SecurityBridge Threat Research Labs discovered the vulnerability and reported it to SAP on June 27, 2025. The vendor fixed the vulnerability on August 11, 2025, but several systems have not applied the available security updates and are now being targeted by hackers. Exploitation activity surged dramatically after the patch was released. Organizations are advised to apply patches immediately, monitor logs for suspicious activity, and implement additional security measures.
Sitecore Experience Platform Exploit Chain Enabling Remote Code Execution
An exploit chain has been identified in the Sitecore Experience Platform, combining HTML cache poisoning and remote code execution. Three flaws disclosed by watchTowr Labs (CVE-2025-53693, CVE-2025-53691 and CVE-2025-53694), patched by Sitecore in June and July 2025, are chained through unsafe reflection and insecure deserialization to poison the HTML cache and reach code execution, potentially fully compromising Sitecore instances. Separately, a zero-day ViewState deserialization vulnerability, CVE-2025-53690, has been exploited in the wild to deliver malware and perform extensive internal reconnaissance; it affects several Sitecore products including Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) and Managed Cloud. The attackers targeted the '/sitecore/blocked.aspx' endpoint to achieve remote code execution and then ran reconnaissance commands including whoami, hostname, tasklist, ipconfig /all and netstat -ano. The attack leveraged a sample ASP.NET machine key that had been published in Sitecore deployment guides from 2017 and earlier; any deployment still using a documented sample key lets an attacker forge signed ViewState, so rotating the key is part of the remediation, not just patching. CISA has ordered patching of the vulnerability by September 25, 2025. The wider impact has not yet surfaced but is expected to.
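The reconnaissance commands listed above are a detection opportunity: Sitecore runs inside the IIS worker process (w3wp.exe), which has no business spawning whoami, tasklist or netstat. The script below is an added example, not code from Sitecore, watchTowr or the page; it runs detection logic over constructed Sysmon-style process-creation events (the JSON field names and the host names cm01/cm02 are assumptions), flagging every recon tool spawned from a web worker and raising an alert when several distinct tools appear on one host within a short window.

```python
"""Detect post-exploitation reconnaissance spawned from the IIS worker process.

Added example: the event schema and sample events are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance tools reported as executed after the Sitecore exploit.
RECON_TOOLS = {"whoami", "hostname", "tasklist", "ipconfig", "netstat"}
# Processes that should never spawn shells or recon tools (IIS worker hosting Sitecore).
WEB_WORKERS = {"w3wp.exe"}

# Constructed Sysmon-style process-creation events as JSON lines (assumed schema).
SAMPLE_EVENTS = r"""
{"ts": "2025-09-03T10:14:02Z", "host": "cm01", "user": "IIS APPPOOL\\Sitecore", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2025-09-03T10:14:05Z", "host": "cm01", "user": "IIS APPPOOL\\Sitecore", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c hostname"}
{"ts": "2025-09-03T10:14:09Z", "host": "cm01", "user": "IIS APPPOOL\\Sitecore", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c tasklist"}
{"ts": "2025-09-03T10:14:31Z", "host": "cm01", "user": "IIS APPPOOL\\Sitecore", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"}
{"ts": "2025-09-03T10:15:02Z", "host": "cm01", "user": "IIS APPPOOL\\Sitecore", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c netstat -ano"}
{"ts": "2025-09-03T10:20:00Z", "host": "cm02", "user": "CORP\\admin", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"}
{"ts": "2025-09-03T10:21:00Z", "host": "cm02", "user": "IIS APPPOOL\\Sitecore", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def recon_tool(cmdline):
    """Return the recon tool a command line invokes (with or without .exe), or None."""
    for token in cmdline.lower().split():
        name = basename(token)
        if name.endswith(".exe"):
            name = name[:-4]
        if name in RECON_TOOLS:
            return name
    return None


def suspicious_spawns(events):
    """Every recon command whose parent is a web worker; each one merits a look on its own."""
    hits = []
    for ev in events:
        if basename(ev["parent"]) not in WEB_WORKERS:
            continue
        tool = recon_tool(ev["cmdline"])
        if tool:
            hits.append({"host": ev["host"], "ts": ev["ts"], "user": ev["user"], "tool": tool})
    return hits


def detect_recon_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Alert per host when >= threshold distinct recon tools come from a web worker within window."""
    per_host = defaultdict(list)
    for hit in suspicious_spawns(events):
        ts = datetime.fromisoformat(hit["ts"].replace("Z", "+00:00"))
        per_host[hit["host"]].append((ts, hit["tool"], hit["user"]))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            tools = sorted({h[1] for h in in_window})
            if len(tools) >= threshold:
                alerts.append({"host": host, "start": start.isoformat(),
                               "tools": tools, "users": sorted({h[2] for h in in_window})})
                break  # one alert per host; the analyst pulls the full timeline from there
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(f"{len(suspicious_spawns(evs))} recon commands spawned from web workers")
    for alert in detect_recon_bursts(evs):
        print(alert)
```

The burst rule is tuned for the pattern the page describes (a run of five different recon tools within a minute), while the single-spawn list keeps the low-volume case (one whoami from w3wp.exe on cm02) visible for triage rather than dropping it.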
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, a cluster that partially overlaps with the group tracked as Salt Typhoon, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The joint advisory describes how these actors penetrate networks and gives defenders actionable guidance for protecting their own environments. The actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs and other infrastructure operators; the campaign targets telecommunications, transportation, lodging, government and military networks and has hit at least 600 organizations across 80 countries, including 200 in the U.S. They evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS and Cisco IOS XE, and suspects they may also target Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices and SonicWall firewalls. To maintain persistence the actors modify Access Control Lists (ACLs), open standard and non-standard ports, enable SSH servers and create tunnels over other protocols, and they target authentication protocols and infrastructure such as Terminal Access Controller Access Control System Plus (TACACS+) to move laterally across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift from Chinese state-sponsored activity from being purely espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
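The persistence techniques and the mitigation the advisory pairs with them (monitor configuration changes, audit services and tunnels) reduce to one practical control: diff every device's running configuration against a known-good baseline and map each change to the technique it resembles. The script below is an added example, not code from the advisory or any vendor; it diffs two constructed Cisco IOS-style configurations (the hostname, addresses and ACL names are invented) and flags added ACL permits, SSH and non-standard port changes, new tunnel interfaces, telnet enablement, and removed AAA/TACACS+ or deny lines.

```python
"""Flag network-device persistence indicators by diffing a config against its baseline.

Added example: both configurations below are constructed, not captured from a real device.
"""
import re
from difflib import unified_diff

# Constructed known-good baseline (Cisco IOS-style syntax).
BASELINE_CONFIG = """\
hostname edge-rtr-01
tacacs server AAA-PRIMARY
 address ipv4 10.1.1.10
aaa authentication login default group tacacs+ local
ip access-list extended MGMT-ACL
 permit tcp 10.1.0.0 0.0.255.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
 access-class MGMT-ACL in
"""

# Constructed current config showing the kinds of changes the advisory describes.
CURRENT_CONFIG = """\
hostname edge-rtr-01
tacacs server AAA-PRIMARY
 address ipv4 10.1.1.10
aaa authentication login default group tacacs+ local
ip ssh port 2222 rotary 1
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
ip access-list extended MGMT-ACL
 permit tcp 10.1.0.0 0.0.255.255 any eq 22
 permit tcp host 198.51.100.7 any
 deny ip any any
line vty 0 4
 transport input ssh telnet
 rotary 1
 access-class MGMT-ACL in
"""

# Order matters: the first matching pattern labels an added line.
INDICATORS = [
    (re.compile(r"^ip ssh port\s+\d+"), "non-standard port opened"),
    (re.compile(r"^\s*rotary\s+\d+"), "non-standard port opened"),
    (re.compile(r"^ip ssh\b"), "SSH server setting changed"),
    (re.compile(r"^interface Tunnel\d+"), "tunnel interface created"),
    (re.compile(r"^\s*transport input\b.*\btelnet\b"), "telnet enabled on a line"),
    (re.compile(r"^\s*permit\s|^\s*access-list\s+\S+\s+permit\s"), "ACL rule added"),
    (re.compile(r"^(tacacs server|aaa )"), "authentication configuration changed"),
]
# Removed lines that weaken controls: explicit denies and AAA/TACACS+ configuration.
WEAKENING_REMOVAL = re.compile(r"^\s*deny\s|^(tacacs server|aaa )")


def config_diff(baseline, current):
    """Return (added, removed) config lines, dropping unified-diff headers and hunk markers."""
    added, removed = [], []
    for line in unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def flag_indicators(added, removed):
    """Map each changed line to the persistence technique it resembles: (label, +/-, line)."""
    findings = []
    for line in added:
        for pattern, label in INDICATORS:
            if pattern.search(line):
                findings.append((label, "+", line.strip()))
                break
    for line in removed:
        if WEAKENING_REMOVAL.match(line):
            findings.append(("control removed", "-", line.strip()))
    return findings


def audit(baseline, current):
    """Diff current against baseline and return the flagged changes."""
    added, removed = config_diff(baseline, current)
    return flag_indicators(added, removed)


if __name__ == "__main__":
    for label, sign, line in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"{sign} {label:36} {line}")
```

The check is deliberately whitelist-free: it reports every change that matches a technique and leaves the decision to a human, which is the right trade-off for device classes where a configuration change outside a change window is itself the anomaly. On real fleets the baseline should come from a configuration-management store, and the same diff should also be run against the startup configuration, since the advisory's concern is long-term access that survives reboots.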
August 2025 Microsoft Patch Tuesday Addresses 111 Vulnerabilities, Including Multiple EoP and RCE Flaws
Microsoft's August 2025 Patch Tuesday update addresses 111 vulnerabilities, with 44 elevation-of-privilege (EoP) flaws, 35 remote code execution (RCE) vulnerabilities, 18 information disclosure issues, 8 spoofing vulnerabilities, and 4 denial-of-service defects. The update includes fixes for critical vulnerabilities in Azure OpenAI, Windows Kerberos, Windows Hyper-V, Microsoft SQL Server, SharePoint, and Microsoft's AI technologies. The update does not include any actively exploited vulnerabilities, marking the second consecutive month without such issues. However, several vulnerabilities are considered high-priority due to their potential impact and ease of exploitation. Additionally, the update addresses 16 vulnerabilities in Microsoft's Chromium-based Edge browser and fixes for vulnerabilities in various third-party software and services. The August 2025 Windows security updates are causing reset and recovery operations to fail on Windows 10 and older versions of Windows 11.