The September 2025 Security Up... Note

The September 2025 Security Update Review

Adobe has released nine security bulletins for September, addressing 22 unique CVEs across various products like Acrobat Reader, After Effects, and Premiere Pro. Only the ColdFusion update is rated Priority 1, though no exploitation is detected. The Commerce update fixes a single Critical bug, also without noted exploitation. Acrobat receives a patch for one Critical and one Moderate bug. After Effects includes fixes for three Important bugs. Premiere Pro gets a patch for a potential code execution vulnerability. Substance 3D Viewer and Modeler each have three code execution bugs addressed. Experience Manager has the most fixes with seven, one of which is Critical. Dreamweaver's patch corrects a Cross-Site Request Forgery bug. None of Adobe's September vulnerabilities were publicly known or actively exploited at release. Microsoft released 80 new CVEs for September, covering Windows, Office, Azure, and more, with eight rated Critical and the rest Important. This volume places Microsoft significantly ahead of last year's patch releases. One publicly known bug exists, but none are under active attack. A critical vulnerability in Microsoft HPC Pack allows remote code execution without user interaction. Microsoft Office continues to have code execution vulnerabilities through its Preview Pane. A Windows NTLM Elevation of Privilege vulnerability allows escalation to SYSTEM with low exploit complexity.
CdXz5zHNQW_QWIp701lml.png