SparTech Software CyberPulse – Your quick strike cyber update for September 10, 2025 10:41 AM

September 2025 Patch Tuesday Brings Critical Vulnerability Fixes from Microsoft, Adobe, and SAP

The latest Patch Tuesday in September 2025 has seen Microsoft, Adobe, and SAP issue urgent updates addressing over 80 vulnerabilities, including several critical and important flaws targeting corporate and consumer software ecosystems. None of the disclosed vulnerabilities are known to be actively exploited at the time of release, but several have characteristics that warrant immediate action from security teams.

Key Microsoft Vulnerabilities: NTLM Privilege Escalation and NTFS Remote Code Execution

Among the vulnerabilities addressed by Microsoft, CVE-2025-54918 stands out as a remotely exploitable elevation of privilege issue within Windows NTLM (New Technology LAN Manager). This flaw, assessed as “Exploitation More Likely,” allows attackers to escalate privileges to SYSTEM level. The attack complexity is rated low: it requires little prior knowledge, and an attack against the vulnerable NTLM component can be repeated reliably.

Another significant update is for CVE-2025-54916, a stack-based buffer overflow in Windows NTFS (New Technology File System) which can lead to remote code execution. This vulnerability is noteworthy because NTFS serves as the primary file system for Windows environments. Successful exploitation would allow an authenticated attacker to achieve code execution on the target machine. This is the second major NTFS remote code execution vulnerability patched in 2025, following a similar zero-day addressed in March. While this flaw is not network-exploitable, it can be triggered if an attacker convinces a user to execute a malicious file or if code is run locally on the host.

Patch Distribution and Timeline

In total, more than 80 CVEs were addressed, with eight rated critical. Nearly half of the vulnerabilities patched this month are privilege escalation flaws that require an attacker to already have access to a target system, underscoring the importance of layered defenses and routine access reviews.

Industry Response and Recommendations

Security researchers have emphasized the importance of prioritizing the NTLM and NTFS vulnerabilities due to their potential impact and likelihood of exploitation. Enterprise and consumer users are strongly urged to apply the September 2025 updates immediately and ensure that system monitoring is in place to detect any attempted exploitation related to these CVEs.

Zero-Day Threats Target Android and Apple Devices; Zero-Click Exploit Chains Reported

Security experts have observed a surge in zero-day exploitation campaigns targeting both Android and Apple devices in September 2025. Google and Apple have both issued critical patches to mitigate the impact of these active threat vectors, which have been leveraged in targeted attacks, including sophisticated mobile spyware operations.

Google Addresses Privilege Escalation in the Linux Kernel and Android Runtime

Google’s September Android update cycle closed 120 security issues, with two gaining particular urgency due to ongoing exploitation. CVE-2025-38352, a privilege escalation flaw in the core Linux kernel, has been used in attacks against Android devices. In parallel, CVE-2025-48543 targets the Android Runtime for privilege escalation, broadening the attack surface across multiple device models and brands. Timely patch deployment is crucial, as these vulnerabilities can give attackers control over system resources and data.

Apple and WhatsApp Exploit Chain Uncovered in Spyware Campaign

Apple has patched its seventh zero-day vulnerability of the year, cataloged as CVE-2025-43300, which was utilized alongside a WhatsApp vulnerability (CVE-2025-55177) in a recent exploit chain. This coordinated attack has enabled the delivery of advanced spyware, affecting iOS, iPadOS, and macOS environments over the past three months. Delays in patching leave devices susceptible to remote surveillance and data theft, making immediate updates imperative for users.

Mitigation Strategies and Broader Mobile Threat Landscape

The continued discovery of zero-days geared toward privilege escalation and remote code execution on both Android and Apple platforms highlights the evolving nature of mobile threat activity. Users are encouraged to keep devices updated, restrict unnecessary app permissions, and monitor for unusual activity indicative of compromise. Organizations should consider mobile threat defense solutions to detect and respond to these advanced attack techniques.

GhostRedirector Campaign Compromises Windows Servers in Global SEO Fraud Scheme

A newly identified threat actor, dubbed GhostRedirector, has conducted a widespread attack campaign compromising at least 65 Windows servers across Brazil, Thailand, and Vietnam. The operation employs custom-developed backdoors and web server modules aimed at covert command execution and search engine optimization (SEO) manipulation.

Technical Details: Rungan Backdoor and Gamshen IIS Module

The campaign deploys two primary malware components. The first, Rungan, is a C++ backdoor that establishes a persistent foothold and enables attackers to execute arbitrary commands on compromised servers. The second, Gamshen, is a native Internet Information Services (IIS) module that provides SEO fraud as a service by artificially boosting the search engine ranking of target websites.

Analysis indicates that the GhostRedirector group has been active since at least August 2024, utilizing tailored malware without significant public detection prior to the current disclosures. Compromised servers are repurposed as infrastructure for search ranking manipulation, redirecting traffic and impacting digital marketing integrity.

Targeting and Response

Windows servers in developing markets have been the primary victims, likely due to resource constraints and lower patching rates. Security professionals are advised to monitor server logs for anomalous module activity, conduct thorough file integrity scans, and audit IIS configurations to detect illicit modules.
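The IIS audit recommended above can be scripted. The following Python is an added example, not code from this page or from the researchers who reported GhostRedirector: it parses the `<globalModules>` section of an IIS applicationHost.config, compares each registered native module against an allowlist of expected module names, and flags any module whose image is loaded from outside %windir%\System32\inetsrv, the directory the built-in IIS modules ship from. The config snippet, the allowlist, and the `SuspiciousModule` entry are constructed for this example; the allowlist should be replaced with the modules actually expected on a given server.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed sample of the <globalModules> section of an IIS
# applicationHost.config. The "SuspiciousModule" entry is made up for this
# example; the first two are real built-in IIS module names.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="SuspiciousModule" image="C:\inetpub\temp\mod.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Constructed allowlist: the native modules an administrator expects on this
# server. A real audit would populate this from a known-good baseline.
EXPECTED_MODULES: Set[str] = {"UriCacheModule", "StaticFileModule"}

# Built-in IIS modules are loaded from this directory (compared case-insensitively).
TRUSTED_DIR = r"%windir%\system32\inetsrv\\".rstrip("\\") + "\\"


def _find_global_modules(root: ET.Element) -> Optional[ET.Element]:
    """Walk configuration -> system.webServer -> globalModules without ElementPath."""
    for section in root:
        if section.tag == "system.webServer":
            for child in section:
                if child.tag == "globalModules":
                    return child
    return None


def list_global_modules(config_xml: str) -> List[Dict[str, str]]:
    """Return every <add name= image=> entry registered as a native module."""
    root = ET.fromstring(config_xml)
    section = _find_global_modules(root)
    if section is None:
        return []
    return [
        {"name": add.get("name", ""), "image": add.get("image", "")}
        for add in section
        if add.tag == "add"
    ]


def audit_global_modules(config_xml: str, allowlist: Set[str]) -> List[Dict[str, object]]:
    """Flag modules that are not on the allowlist or whose DLL lives outside
    the IIS system directory. Each finding carries the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for module in list_global_modules(config_xml):
        reasons: List[str] = []
        if module["name"] not in allowlist:
            reasons.append("module name not on allowlist")
        # Normalise slashes and case before the prefix comparison.
        image = module["image"].replace("/", "\\").lower()
        if not image.startswith(TRUSTED_DIR):
            reasons.append("image loaded from outside %windir%\\System32\\inetsrv")
        if reasons:
            findings.append({"name": module["name"], "image": module["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG, EXPECTED_MODULES):
        print(f"{finding['name']}: {finding['image']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On a live server, read %windir%\System32\inetsrv\config\applicationHost.config instead of the embedded sample and feed the flagged image paths into the file integrity scan (hash comparison against a known-good baseline) that the guidance above also calls for; a module that passes both the name and path checks but whose DLL hash has changed still warrants investigation.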

Generative AI Accelerates Evolution of Phishing and Social Engineering Attacks

Recent trends show that generative artificial intelligence (genAI) technology is significantly enhancing the realism, scale, and success of phishing and social engineering attacks. Attackers now routinely employ genAI-based tools to craft convincing email threads and manipulate victims more effectively than with traditional scripted phishing lures.

Phishing Tactics Powered by AI

Instead of isolated fraudulent emails, genAI enables threat actors to construct entire email conversations that simulate legitimate business correspondence. These threads may include multiple messages, follow-up responses, and dynamically generated content tailored to the recipient’s context, increasing the likelihood of successful credential or financial theft.

Increased Complexity and Defense Implications

The rise of genAI in phishing campaigns is forcing organizations to reevaluate detection capabilities, as existing rule-based defense systems may struggle to flag these sophisticated scams. Multi-factor authentication, targeted user education, and advanced threat detection technologies are essential to counter this new wave of AI-driven social engineering.
