
High-severity use-after-free vulnerability in Chrome's V8 JavaScript engine patched

📰 1 unique source, 1 article

Summary


Google has released Chrome 140 to address six vulnerabilities, including a high-severity use-after-free flaw in the V8 JavaScript engine. The issue, tracked as CVE-2025-9864, was reported by the Yandex Security Team. This type of vulnerability can lead to heap corruption and potential remote code execution (RCE) through crafted HTML pages. The update also fixes three medium-severity bugs in Chrome's Toolbar, Extensions, and Downloads components. Users are advised to update their browsers immediately. The update is available as versions 140.0.7339.80/81 for Windows and macOS, and 140.0.7339.80 for Linux. The extended stable channel has been updated to Chrome 140.0.7339.81 for both Windows and macOS.

Timeline

  1. 03.09.2025 17:29 📰 1 article · ⏱ 13d ago

    High-severity use-after-free vulnerability in Chrome's V8 JavaScript engine patched

    Google has released Chrome 140 to address a high-severity use-after-free vulnerability in the V8 JavaScript engine, tracked as CVE-2025-9864. The update also fixes three medium-severity bugs in Chrome's Toolbar, Extensions, and Downloads components. The update is available as versions 140.0.7339.80/81 for Windows and macOS, and 140.0.7339.80 for Linux. The extended stable channel has been updated to Chrome 140.0.7339.81 for both Windows and macOS.


Similar Happenings

Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days

Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege (the largest category), 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update also includes recommendations for preparing for the end-of-life of Windows 10 and for mandatory multifactor authentication (MFA) for Azure in October 2025.

Critical SAP NetWeaver vulnerabilities patched, including remote code execution flaw

SAP has fixed 21 vulnerabilities, including three critical flaws in its NetWeaver software. The most severe, CVE-2025-42944, is an insecure deserialization flaw allowing unauthenticated remote code execution. The second critical flaw, CVE-2025-42922, enables arbitrary file uploads by authenticated users. The third, CVE-2025-42958, allows unauthorized access to sensitive data and administrative functions. The vulnerabilities affect various SAP products, including ERP, CRM, SRM, and SCM, which are widely used in large enterprise networks. The flaws could lead to full system compromise and unauthorized data manipulation. SAP products are frequently targeted by threat actors due to their handling of mission-critical data. A high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) could allow an attacker with high privilege access to delete the content of arbitrary database tables. A critical security defect in SAP S/4HANA (CVE-2025-42957) has come under active exploitation in the wild.

Google Patches Two Zero-Day Vulnerabilities in Android Under Active Exploitation

Google has released September 2025 security updates for Android, addressing 111 vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. The updates include fixes for privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The two zero-days are in the Linux Kernel and Android Runtime components. The updates are part of Google's monthly security patches, with two patch levels released to provide flexibility for Android partners. This update also addresses critical vulnerabilities in Qualcomm components and includes fixes for MediaTek-powered devices. The September 2025 Pixel security updates resolve 23 vulnerabilities specific to Pixel devices, and Wear OS, Pixel Watch, and Automotive OS updates include fixes for all vulnerabilities described in the Android bulletin.

Apple patches Image I/O zero-day exploited in targeted attacks

Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw, an out-of-bounds write issue, was exploited in "extremely sophisticated" targeted attacks against specific individuals. The vulnerability affects multiple iOS, iPadOS, and macOS versions and devices. Apple has not attributed the discovery to a specific researcher or provided details about the attacks. The flaw allows attackers to exploit the vulnerability by supplying malicious input, potentially leading to remote code execution. Affected devices include various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS. The flaw was discovered internally by Apple and addressed with improved bounds checking. Users are advised to install the updates promptly to mitigate potential ongoing attacks. CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021. Apple has backported fixes for the vulnerability to older versions of iOS, iPadOS, and macOS, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. The updates also address multiple other security flaws in various Apple products. The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks, which both Apple and WhatsApp described as "extremely sophisticated". Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.

Windows recovery operations disrupted by August 2025 updates

Microsoft released emergency out-of-band updates to fix a bug in the August 2025 Windows security updates that was causing recovery and reset operations to fail, as well as severe streaming issues with NDI software. The issue affected Windows 10 and older versions of Windows 11. The bug also caused Windows upgrades to fail with 0x8007007F errors on some Windows 11 and Windows Server systems. Additionally, the updates triggered unexpected UAC prompts and app installation issues for non-admin users. The affected updates included KB5063875, KB5063709, and KB5063877. The emergency fixes were released as KB5066189, KB5066188, KB5066187, KB5065426, and KB5065429. These updates are available via Windows Update and the Microsoft Update Catalog. Microsoft also resolved a bug that triggered Windows update failures when installed from a network share using the Windows Update Standalone Installer (WUSA). The September 2025 Windows security update reduces the scope for requiring UAC prompts for MSI repairs and enables IT admins to disable UAC prompts for specific apps by adding them to an allowlist.