
September 2025 Stormcast: Microsoft, Adobe, and SAP Security Updates
In this September 10, 2025 edition of the Stormcast from the SANS Internet Storm Center, Johannes Ullrich, recording from Jacksonville, Florida, discusses the latest security updates from Microsoft and other vendors.
The main topic covered is Microsoft's Patch Tuesday, where Microsoft fixed a total of 177 vulnerabilities. However, only 86 of these vulnerabilities directly affect Microsoft products. The difference is explained by the presence of Linux vulnerabilities listed in Microsoft's patch stream, which affect the Windows Subsystem for Linux and certain Linux distributions used in their cloud products like Azure. These Linux vulnerabilities are generally known open-source vulnerabilities.
Microsoft also released patches for several Azure vulnerabilities, raising the question of Microsoft's transparency regarding vulnerabilities in its cloud products. Unlike traditional products, users do not have to apply these patches themselves, as Microsoft manages them in the background. Out of the 177 vulnerabilities, 13 were classified as critical, but none are particularly alarming. Two vulnerabilities concern how Microsoft assigns URLs to different security zones, and two others concern the kernel image system, although their description is somewhat ambiguous.
Beyond Microsoft, other vendors have also released important patches. Adobe fixed vulnerabilities in Adobe Acrobat Reader, Adobe Commerce (Magento), and ColdFusion. A critical vulnerability in Adobe Acrobat Reader allows arbitrary code execution, while the ColdFusion update fixes an arbitrary file write vulnerability, a class of flaw that is often exploitable for code execution.
SAP also released its September patches, with two notable vulnerabilities in NetWeaver, a platform similar to Oracle's WebLogic. These are a deserialization vulnerability and an insecure file operation, both with high CVSS scores, indicating significant severity.
In conclusion, the SAP patches are the most critical, followed by those from Adobe. The Microsoft patches, although numerous, do not require emergency measures and can be applied according to standard patching practices.
For more details, watch the full video at the following address: https://www.youtube.com/watch?v=3bGemsdJLM4