SparTech Software CyberPulse – Your quick strike cyber update for September 10, 2025 5:02 AM

Critical Microsoft NTLM and NTFS Vulnerabilities Patched in September Update

In the latest patch cycle, Microsoft addressed several critical flaws targeting its Windows authentication and file system technologies. This month’s update included fixes for vulnerabilities with high exploitation likelihood and potential for major system compromise.

NTLM Elevation of Privilege Vulnerability (CVE-2025-54918)

Microsoft patched CVE-2025-54918, a critical elevation of privilege (EoP) vulnerability in the Windows New Technology LAN Manager (NTLM) protocol. The flaw received a CVSS v3 score of 8.8 and was assessed as “Exploitation More Likely,” marking it as a focus for threat actors and defenders alike. NTLM is central to authentication and domain security in Windows environments, and exploitation would allow an attacker to escalate privileges to SYSTEM level. This vulnerability represents the third NTLM EoP patch issued in 2025 and the second consecutive month such a flaw required a critical fix. The ongoing cadence of NTLM vulnerabilities reinforces its attractiveness as a target for adversaries and the importance of keeping authentication stacks updated.

NTFS Remote Code Execution Vulnerability (CVE-2025-54916)

Another impactful flaw, CVE-2025-54916, affects the Windows New Technology File System (NTFS). Rated important with a CVSS v3 score of 7.8 and “Exploitation More Likely,” this remote code execution (RCE) vulnerability can be leveraged by any authenticated attacker to execute code on targeted systems. Unlike the majority of NTFS vulnerabilities (which primarily enable privilege escalation or information disclosure), this represents only the second NTFS RCE patch since 2022, and the previous instance (CVE-2025-24993) was used in active, in-the-wild attacks as a zero-day earlier in 2025. The NTFS vulnerability highlights the persistent need for hardening and rapid patch deployment across enterprise and personal Windows installations.

Privilege Escalation Trends and Threat Landscape

Nearly half of the vulnerabilities addressed in the September 2025 update are privilege escalation flaws. Attackers typically gain lower-level access through phishing or lateral movement before exploiting such flaws to gain system-wide control. This is the third Patch Tuesday this year in which EoP flaws have outnumbered RCE flaws, underscoring a broader shift among sophisticated adversaries: escalation and persistence, rather than initial compromise, have become the priority.

Technical Impact and Recommendations

Organizations relying on Windows for mission-critical tasks must prioritize patching, especially for NTLM and NTFS. Monitoring for unusual authentication behavior and ensuring timely updates to Windows core components are essential to mitigate risk. Defense-in-depth, including network segmentation and endpoint detection, remains key to preventing exploitation, especially when vulnerabilities are actively targeted.

Google Patches Android Zero-Day Flaws Actively Exploited in Attacks

Google released a monthly security update for Android addressing 120 vulnerabilities, including two actively exploited zero-days. These flaws are being used in targeted attacks, highlighting ongoing risks for mobile device security.

CVE-2025-38352: Linux Kernel Privilege Escalation

One key vulnerability, CVE-2025-38352, affects the upstream Linux Kernel component integral to Android’s operating environment. The flaw allows elevation of privilege, enabling attackers to gain higher-level access by compromising kernel processes within the device. Such kernel-level exploits are prized by advanced persistent threat (APT) actors since they provide extensive control, including the ability to bypass security features and access personal and corporate data.

CVE-2025-48543: Android Runtime Privilege Escalation

The second zero-day, CVE-2025-48543, impacts the Android Runtime. By exploiting a flaw here, attackers can escalate privileges from a compromised app or process, potentially allowing for device takeover, exfiltration of sensitive data, or installation of further malicious payloads, often stealthily.

Mitigation and Recommendations

The presence of active exploitation underscores urgency for both end-users and managed Android environments to deploy updates as soon as they are available. Security teams should also monitor device behaviors for signs of root exploits, unauthorized app installations, or unexpected privilege escalations. Google’s practice of monthly updates aims to narrow the window of exposure, but the persistence of zero-days shows adversaries’ continued focus on mobile platforms.

New GhostRedirector Threat Actor Targets Windows Servers with C++ Backdoor and IIS Module

A newly identified threat cluster, dubbed GhostRedirector, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, employing sophisticated backdoor and SEO manipulation techniques. The threat group’s activities highlight evolving technical sophistication among attackers seeking both persistence and financial gain.

Attack Chain and Payloads

The GhostRedirector cluster was observed deploying two core payloads: a passive C++ backdoor named Rungan and an Internet Information Services (IIS) module codenamed Gamshen. Initial access is gained via server vulnerabilities or weak authentication, allowing the attackers to install customized malicious modules.

Rungan C++ Backdoor Technical Analysis

Rungan is engineered for stealth and persistence, capable of accepting commands from remote servers, executing code, and facilitating lateral movement. Its passive nature means it remains dormant until activated, reducing detection probability by security monitoring systems. Written in C++, it uses custom network protocols to avoid traditional packet inspection. Forensic analysis shows its ability to inject payloads into running processes and evade standard antivirus signatures through obfuscation and polymorphism.

Gamshen IIS Module and SEO Fraud-as-a-Service

The Gamshen IIS module takes a novel approach: its primary function is not direct data theft but manipulation of search engine rankings for linked websites. Once installed, Gamshen hijacks incoming HTTP requests, redirects them to targeted sites, and creates artificial traffic patterns. This enables “SEO fraud-as-a-service,” helping clients or the threat actor itself amplify the visibility and ranking of chosen sites to orchestrate fraudulent commercial campaigns, disinformation, or reputation management.

Threat Actor Profile and Operational History

GhostRedirector is believed to have been active since August 2024. Its technical capabilities—blending traditional backdoor tactics with cybercrime monetization—show an increasing convergence between APT methodology and financially motivated attacks. Target selection across geographically diverse regions further indicates robust reconnaissance and infrastructure for scaling attacks internationally.

Mitigation Strategies

Windows server administrators should immediately audit IIS modules, monitor for anomalous traffic patterns, and deploy endpoint detection tools capable of identifying in-memory and obfuscated payloads. Hardening authentication protocols, updating vulnerable components, and segmenting exposed systems from critical business assets are vital steps to reduce risk from similar threats.
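One way to carry out the IIS module audit described above, as an added example that is not from the article or from any vendor tooling: it enumerates the server's globally registered native modules and flags any whose DLL sits outside the stock inetsrv directory or does not carry a valid Authenticode signature. It assumes the WebAdministration PowerShell module is available on the server and is run from an elevated prompt.

```powershell
# Added example (not from the article): audit IIS global native modules for
# DLLs loaded from unexpected paths or lacking a valid signature.
Import-Module WebAdministration

# Stock IIS native modules live here; anything elsewhere deserves a second look.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$report = Get-WebGlobalModule | ForEach-Object {
    # Image paths are stored with environment variables (e.g. %windir%), so expand them.
    $image = [Environment]::ExpandEnvironmentVariables($_.Image)
    $outsideInetsrv = -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)

    # A module whose file is missing cannot be inspected and is itself a finding.
    $sigStatus = if (Test-Path -LiteralPath $image) {
        (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
    } else {
        'FileMissing'
    }

    [pscustomobject]@{
        Name       = $_.Name
        Image      = $image
        Signature  = $sigStatus
        Suspicious = $outsideInetsrv -or ($sigStatus -ne 'Valid')
    }
}

# Print suspicious entries first so they are not buried among stock modules.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimately installed third-party modules (for example the ASP.NET Core hosting module) also load from outside inetsrv, so treat the Suspicious flag as a triage cue and confirm each hit against the server's change records before removing anything.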

Adobe Issues September Patch Tuesday Fixes for Nearly Two Dozen Vulnerabilities

As part of its September 2025 Patch Tuesday, Adobe published security updates for nine core products, addressing almost two dozen vulnerabilities with impacts ranging from remote code execution to privilege escalation and configuration tampering.

Severity and Technical Breakdown

The vulnerabilities patched this cycle cover a spectrum of Adobe’s commercial and creative software portfolio. Key flaws include:

  • Remote Code Execution (RCE): Exploitable vulnerabilities in several Adobe products could allow attackers to execute arbitrary code on victim machines, potentially establishing persistence or launching further attacks.
  • Privilege Escalation: Certain flaws enable local or remote escalation of user permissions, facilitating unauthorized access to sensitive information and administrative functionality.
  • Configuration Tampering: Attackers exploiting specific bugs could alter system or application configurations, opening avenues for subsequent compromise or denial-of-service.
  • Information Disclosure: Some vulnerabilities may leak confidential data, including user credentials or proprietary assets managed within affected Adobe software suites.

Security Recommendations

Organizations and individuals utilizing Adobe’s platforms should prioritize patching to mitigate risks associated with exposed vulnerabilities. Continuous vulnerability management and application whitelisting can provide significant deterrence against exploits targeting widely used commercial software.
