Hello and welcome to the Wednesday September 10th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in Purple
Team Operations. And today, well, we got a Microsoft patch
Tuesday and Microsoft fixed a total of 177 different
vulnerabilities. However, out of these vulnerabilities, only
86 affected Microsoft products. Now, what's the
difference here? There were a number of Linux
vulnerabilities listed in Microsoft's patch feed. And
these vulnerabilities really affect, well, the Windows
Subsystem for Linux. They do affect some of their cloud
products like Azure. And there is a special Linux
distribution that they're using in their cloud products.
So that's where the difference here really comes from. They
don't assign a severity to these vulnerabilities. And
these are pretty much open source vulnerabilities we have
known about for a while for the most part. There are also
in this release a number of Azure vulnerabilities. Now, in
the past, there has always been some controversy. Should
Microsoft be more open and more public about any
vulnerabilities they're fixing in their cloud products? These
products, of course, they're nothing for you to patch or to
do. You really just get a new version and it should be fixed
automatically by Microsoft sort of on the back end. So
that's why in the past, Microsoft hasn't always
published them. But there are a number of them being
published in this release. Of course, the big question with
any Microsoft patch Tuesday, any zero-days being addressed
here? And the quick answer is no. There were, however, two
vulnerabilities that had already been made public, but
they have not been exploited yet, as far as Microsoft is
aware. And 13 of these vulnerabilities were rated
critical. Now, vulnerabilities of interest were a little bit
tricky here. There was no real sort of big outstanding sort
of worrying vulnerability. A lot of vulnerabilities, as
often in office products, like there was a long list in Excel
and such. Nothing really new or exciting here. There were
two vulnerabilities that related to how Microsoft
assigns URLs to different zones. There's like an
intranet, an internet zone and the like. And of course,
they're treated differently with respect to security
policies. And well, they patch two vulnerabilities that could
cause URLs to be misassigned to the wrong zone. The next
two that I sort of pointed out here that I thought was a
little bit odd, but really more based on the description
here was a vulnerability in the kernel image system.
Microsoft labeled them as remote code execution. But
then when you sort of are reading the description, it
says an authorized attacker needs to be able to execute code
locally with these
vulnerabilities. The reason this can be used remotely is
that, well, this authorized attacker could also be an
authorized normal user just opening an image that they
downloaded from an online source. And I think that's
sort of where the critical category comes from, even
though that the CVSS score here is quite a bit below
critical. They're sort of in the six to seven range. So no
real big sort of must patch now vulnerability here. Just
apply them, you know, I would say at your leisure, but
really you want to get done before next patch Tuesday, of
course. And we do have a number of other vendors that
have also released interesting patches today. So what about
these other vendors that released patches today? First
off Adobe, that's one I always like to cover because of their
prominence and popularity of their software. And three
products that I always watch when it comes to Adobe were
hit here. One Adobe Acrobat Reader. So that's your
favorite PDF software. We do have here one arbitrary code
execution vulnerability with a severity of critical, but a
CVSS score of only 7.8, which is a little bit below what you
typically would call critical. Well, a use after free. So
basically a standard memory management problem here that
could probably be exploited. The second product here that I
like to look at is Adobe Commerce or Magento. Well, the
only one we have here is a security feature bypass
without additional details. Really hard to tell how bad
this is, but the CVSS score of 9.1 means we probably should
pay attention here and patch this quickly. Finally, good
old ColdFusion got a patch and this one fixes an arbitrary
file system write. This type of vulnerability usually can
be leveraged to some kind of code execution. You may see
just write a file in the right location, then execute that
file. So certainly something that's definitely stuff in the
patch now kind of category. They also tend to be once the
details are made public to be relatively straightforward to
exploit these arbitrary file system write vulnerabilities.
So the CVSS score of 9.0 gives you another argument here to
definitely prioritize patching this particular
vulnerability. And the third vendor I want to include in
today's podcast is SAP. SAP released its September patches
as well today. And there are two vulnerabilities that are
particularly interesting. Now, in the show notes, I'll link
to the write-up by Onapsis, not to SAP's original
announcement, because for SAP, you can't access any of the
vulnerability details without logging in as a customer. And
Onapsis does a real great job in explaining some of these
vulnerabilities in a little bit more detail. Now, there
are two vulnerabilities I want to point out in particular,
and that's two vulnerabilities in NetWeaver. NetWeaver is a
similar product to, like, you know, WebLogic, for example,
from Oracle. These products are often subject to
deserialization vulnerabilities. And that's
exactly what's happening here with NetWeaver. CVSS score of
10.0. The second vulnerability here, 9.9 CVSS score, is an
insecure file operation vulnerability. It doesn't give
you any details here, but possibly yet another sort of
file write issue that I just talked about with Adobe
ColdFusion. Also, the directory traversal vulnerability
doesn't necessarily tell you whether there's any code
execution possibility, but the CVSS score of 9.6 probably
implies that there is something at least close to
code execution vulnerability here, in particular since it
affects the ABAP platform, which is SAP's own programming
language. Well, with that, lots of patching to do for you
here. The SAP ones, I think, are the most critical patches
today, followed by some of the Adobe ones. As far as the
Microsoft patches go, again, just follow your standard
patch practice. No need to sort of really accelerate and
expedite any of the Microsoft patches. That's it for today.
Thanks for listening. Thanks for liking and subscribing.
And talk to you again tomorrow. Bye.
Bye.