High-Severity Use-After-Free Vulnerability in Chrome's V8 Engine Patched
Summary
Google has released Chrome 140 to patch a high-severity use-after-free vulnerability (CVE-2025-9864) in the V8 JavaScript engine. The flaw, reported by the Yandex Security Team, could lead to heap corruption and potential remote code execution (RCE) via a crafted HTML page, i.e. a drive-by attack that needs nothing beyond a visit to an attacker-controlled site. The update also addresses three medium-severity bugs in Chrome's Toolbar, Extensions, and Downloads components. Users are advised to update immediately; note that Chrome downloads the update automatically but the fixed build only runs once the browser has been relaunched. The vulnerability affects Windows, macOS, and Linux. Google has not reported any active exploitation in the wild.
Timeline
03.09.2025 17:29 (1 article)
High-Severity Use-After-Free Vulnerability in Chrome's V8 Engine Patched
Google released Chrome 140 to address a high-severity use-after-free vulnerability (CVE-2025-9864) in the V8 JavaScript engine. The flaw, reported by the Yandex Security Team, could lead to heap corruption and potential remote code execution (RCE) via a crafted HTML page. The update also patches three medium-severity bugs in Chrome's Toolbar, Extensions, and Downloads components. Users are advised to update their browsers immediately.
Source:
- Google Patches High-Severity Chrome Vulnerability in Latest Update — www.securityweek.com — 03.09.2025 17:29
Information Snippets
All snippets first reported 03.09.2025 17:29 (1 source, 1 article).
- A high-severity use-after-free vulnerability (CVE-2025-9864) in the V8 JavaScript engine was discovered by the Yandex Security Team.
- The flaw could lead to heap corruption and potential remote code execution (RCE) via a crafted HTML page.
- Google released Chrome 140 to patch this vulnerability and three medium-severity bugs in the Toolbar, Extensions, and Downloads components.
- The update is available as versions 140.0.7339.80/81 for Windows and macOS, and 140.0.7339.80 for Linux.
- No active exploitation of the vulnerabilities has been reported.
Source:
- Google Patches High-Severity Chrome Vulnerability in Latest Update — www.securityweek.com — 03.09.2025 17:29
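The practical follow-up to the snippet above is confirming that every Chrome install in a fleet is on a fixed build. The script below is an added example written for this page, not code from Google or SecurityWeek; it takes the fixed version numbers from the snippet (140.0.7339.80/81 on Windows and macOS, 140.0.7339.80 on Linux) and compares reported builds against them numerically. The inventory data, hostnames, and the `is_patched` / `find_unpatched` helper names are constructed for illustration. The one pitfall it guards against is real: a plain string comparison ranks "99.0.4844.51" above "140.0.7339.80" because "9" sorts after "1".

```python
"""Fleet check: does a reported Chrome build carry the Chrome 140 fix for CVE-2025-9864?

Fixed builds per the release: 140.0.7339.80/81 on Windows and macOS,
140.0.7339.80 on Linux. Versions are compared as integer tuples, field by
field, never as strings.
"""
import re

# First fixed build per platform, taken from the Chrome 140 stable release.
# All three share the same floor here; the table keeps them separate so a
# platform-specific respin can be recorded later without changing the logic.
FIXED_BUILD = {
    "windows": (140, 0, 7339, 80),
    "macos": (140, 0, 7339, 80),
    "linux": (140, 0, 7339, 80),
}

# Chrome versions are always four dotted integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version found in text as a tuple of ints.

    Accepts the output of `google-chrome --version` ("Google Chrome 140.0.7339.80")
    as well as a bare "139.0.7258.154". Raises ValueError if no version is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, platform):
    """True when the build is at or above the first fixed build for the platform."""
    key = platform.lower()
    if key not in FIXED_BUILD:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version_text) >= FIXED_BUILD[key]


def find_unpatched(inventory):
    """Return hostnames whose reported build predates the fix, in inventory order."""
    return [host for host, platform, version in inventory
            if not is_patched(version, platform)]


# Constructed sample inventory (hostname, platform, `--version` output); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "linux", "Google Chrome 139.0.7258.154"),   # Chrome 139 build, unpatched
    ("ws-02", "linux", "Google Chrome 140.0.7339.80"),    # fixed Linux build
    ("mac-07", "macos", "Google Chrome 140.0.7339.81"),   # fixed macOS respin
    ("win-11", "windows", "Google Chrome 99.0.4844.51"),  # old build; string compare would pass it
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: update required (CVE-2025-9864 unpatched)")
```

On a real fleet the third column would come from `google-chrome --version` (Linux/macOS) or the `DisplayVersion` of the Chrome entry under the Uninstall registry key on Windows; a build that reports as fixed still needs a relaunch before the patched code is actually running.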
Similar Happenings
Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild
A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks to mitigate risks.
Critical SessionReaper vulnerability patched in Adobe Commerce and Magento Open Source
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. This flaw, with a CVSS score of 9.1, could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Adobe Commerce on Cloud customers were already protected by a WAF rule deployed as an interim measure. The vulnerability is considered one of the most severe in the platform's history, with potential for widespread exploitation. Administrators are advised to apply the patch immediately, noting that it disables certain internal Magento functionalities that may affect custom or external code. Affected versions:
- Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier
- Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier
- Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier
- Custom Attributes Serializable module versions 0.1.0 to 0.4.0
Google Patches Two Zero-Day Vulnerabilities Under Active Exploitation in Android
Google released September 2025 Android security updates addressing 111 vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities allow privilege escalation without user interaction. The patches include fixes for remote code execution, information disclosure, and denial-of-service issues across various components. The updates are part of Google's monthly security bulletin, with two patch levels released to provide flexibility for Android partners. The vulnerabilities were discovered by Benoît Sevens of Google's Threat Analysis Group (TAG).
August 2025 Windows Security Updates Cause Recovery and Reset Failures
Microsoft's August 2025 Windows security updates cause failures in reset and recovery operations, streaming issues, and app installation problems on Windows 10 and older versions of Windows 11. The issue affects multiple system recovery and reset features, including 'Reset my PC' and the 'Fix problems using Windows Update' tool, as well as remote resets using the RemoteWipe CSP. The affected updates are KB5063875 for Windows 11 23H2 and 22H2, KB5063709 for Windows 10 22H2 and LTSC 2021, and KB5063877 for Windows 10 LTSC 2019. Microsoft has confirmed the bug and released out-of-band updates to address it; it has previously addressed similar issues with Known Issue Rollback (KIR) fixes.

The same August 2025 updates also cause severe lag and stuttering with NDI streaming software on some Windows 10 and Windows 11 systems. Microsoft has released the KB5065426 and KB5065429 updates to fix these streaming issues.

Finally, the August 2025 updates trigger unexpected User Account Control (UAC) prompts and app installation failures for non-admin users across all supported Windows versions. The cause is the security patch for CVE-2025-50173, a Windows Installer privilege escalation vulnerability. The September 2025 Windows security update addresses this by narrowing the cases in which MSI repairs require a UAC prompt and by letting IT admins disable the prompt for specific apps by adding them to an allowlist.