Android Security Update: September 2025 Patch Fixes 120 Vulnerabilities, Including Two Zero-Day Attacks
Google has delivered its September 2025 security fixes for Android, addressing 120 vulnerabilities, of which two zero-day weaknesses were confirmed to be exploited in targeted attacks. These flaws expose devices to privilege escalation threats and remote code execution, prompting the issuance of dual patch levels to accelerate deployment across the Android ecosystem.
Impact of Exploited Vulnerabilities
The two actively exploited vulnerabilities—CVE-2025-38352 (Linux Kernel, CVSS: 7.4) and CVE-2025-48543 (Android Runtime)—enable local escalation of privilege on compromised devices without requiring user interaction or supplementary privileges. Google did not disclose full exploit details but noted evidence of limited, targeted exploitation, possibly linked to sophisticated spyware campaigns targeting high-value victims.
Technical Details on Patched Issues
CVE-2025-38352 leverages a kernel privilege escalation vector, enabling threat actors to execute arbitrary code at elevated privileges by exploiting the Linux kernel within Android. The second zero-day, CVE-2025-48543, similarly allows privilege escalation via the Android Runtime. Alongside these critical vulnerabilities, the update resolves a broad spectrum of flaws—including remote code execution, information disclosure, and denial-of-service issues—across Android’s Framework and System components.
Security Patch Levels and Vendor Guidance
To facilitate rapid deployment, Google introduced two patch levels: 2025-09-01 and 2025-09-05. The first covers core platform vulnerabilities shared across devices, while the second addresses device-specific and third-party issues. Android vendors are urged to implement the most recent patch level to minimize exposure windows and improve ecosystem-wide resilience against active threats.
Continued Threats and Response
This batch of fixes follows Google’s urgent updates last month for Qualcomm chip vulnerabilities (CVE-2025-21479, CVSS: 8.6, and CVE-2025-27038, CVSS: 7.5), both actively exploited in the wild. These repeated zero-day disclosures reinforce the necessity for swift and comprehensive patch management by device manufacturers and end users to thwart targeted cyberattacks against mobile infrastructure.
SAP S/4HANA Code Injection Flaw (CVE-2025-42957) Actively Exploited for System Takeover
Security researchers have reported active exploitation of a critical code injection vulnerability (CVE-2025-42957) in the SAP S/4HANA enterprise resource planning suite. Attacks leveraging this flaw grant adversaries complete control over affected deployments, highlighting urgent patching needs for organizations using SAP S/4HANA to manage core business processes.
Vulnerability Assessment and Attack Vector
The flaw, tracked under CVE-2025-42957, resides in code input handling within SAP S/4HANA. Successful exploitation enables attackers to inject and execute arbitrary code, bypassing native authentication and privilege controls. Once compromised, threat actors gain unrestricted access at the application layer, allowing data theft, lateral movement, business logic modification, and potentially destructive sabotage.
Exploitation in the Wild
Security monitoring has identified multiple real-world incidents where adversaries utilized this vulnerability to orchestrate targeted system takeovers. The precision of these attacks suggests that skilled actors, possibly with prior reconnaissance, are leveraging custom payloads to achieve persistence and establish covert access in enterprise environments.
Mitigation Recommendations
SAP has released patches addressing CVE-2025-42957 and recommends immediate deployment across all S/4HANA instances. Organizations with unpatched or customized deployments are at greatest risk, especially those hosting sensitive operations data or critical business logic. In addition to patching, network segmentation, access monitoring, and a review of user privilege allocations are highly advised.
Sitecore Enterprise CMS Zero-Day Exploited for Malware Delivery
A zero-day vulnerability affecting Sitecore, a widely deployed enterprise content management system (CMS), has been exploited in recent attacks to facilitate malware distribution. The flaw’s active abuse places web-facing Sitecore deployments at high risk, with attackers using the vulnerability as a launchpad for wider enterprise compromise.
Nature of the Vulnerability
The identified zero-day resides in Sitecore’s input handling, allowing for unauthorized code execution when attackers transmit specially crafted payloads to vulnerable servers. Once successful, attackers can deploy malware directly into the server environment, often camouflaged within legitimate Sitecore assets to evade detection by perimeter defenses.
Attack Campaigns and Threat Actor Techniques
Researchers have observed malware operators weaponizing the Sitecore flaw to drop remote access tools (RATs), backdoors, and loader scripts. These campaigns frequently utilize chained exploits – combining the zero-day with credential theft and lateral movement tactics to escalate privileges and propagate payloads to downstream systems.
Defensive Strategies
Sitecore administrators are advised to apply latest vendor patches and review perimeter protections for indicators of compromise associated with recently observed attack signatures. Additionally, web application firewalls (WAF), endpoint monitoring, and regular codebase integrity scans can help reduce the risk of successful exploitation.
Massive DDoS Attack Peaks at 11.5 Tbps, Sets Industry Record
Cloudflare has blocked the largest distributed denial-of-service (DDoS) attack ever recorded, peaking at 11.5 terabits per second and consisting primarily of UDP flood traffic sourced via Google Cloud infrastructure. The incident, part of a series of weeks-long assault waves, underscores escalating risks associated with cloud-enabled DDoS campaigns.
Technical Characterization of the Attack
The attack featured volumetric UDP flood packets, targeting public-facing endpoints with brute-force traffic capable of overwhelming traditional mitigation controls. Cloudflare’s AI-driven traffic filtering infrastructure identified and neutralized the malicious traffic using adaptive threat intelligence and on-demand scaling.
DDoS Trends in Cloud Environments
Recent months have seen a marked increase in cloud-hosted DDoS vectors, leveraging the virtually unlimited bandwidth and compute resources available to attackers. The sophistication of these attacks—blending botnet traffic with reflected amplification—exposes soft spots in legacy mitigation architectures, prompting calls for integrated stability monitoring and automated cloud resource throttling.
Recommendations for Resilient Defense
Industry experts advise organizations to implement layered DDoS protection, incorporate live threat intelligence, and coordinate with upstream providers for traffic diversion and rate-limiting. Regular stress testing and playbook reviews are essential to ensure system resilience under extreme load conditions.
Palo Alto Networks: Drift-Linked Supply Chain Attack Exposes Sensitive Salesforce Data
Palo Alto Networks confirms exposure of customer support case data and Salesforce OAuth tokens following a supply chain compromise by actors linked to the Drift malware campaign. The ongoing investigation spotlights the systemic risks of shared cloud service dependencies and OAuth-based authentication mechanisms.
Mechanics of the Supply Chain Breach
Attackers successfully compromised OAuth tokens within a third-party integration, allowing unauthorized access to Salesforce support case records. The Drift malware crew, known for targeting cloud SaaS providers, exploited weaknesses in token lifecycle management and cross-service authentication frameworks to exfiltrate customer metadata and communications.
Implications for SaaS Providers and Customers
This incident demonstrates the dangers of ecosystem-wide trust relationships, where a breach in one platform cascades to expose assets within others. Sensitive customer information, technical support details, and user credentials are at risk when OAuth tokens are hijacked without robust validation or scope limitation.
Mitigation and Response Measures
Palo Alto Networks and Salesforce have revoked affected tokens and are reviewing integration audit logs for further compromise. Security teams are urged to apply strict access controls to OAuth tokens, monitor for anomalous API activity, and segment sensitive support data where practical.