
Patch Tuesday September 2025

September 9, 2025

By Gene Moody


Patch Tuesday September 2025 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, watch the recorded September 2025 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

This September Patch Tuesday brings 81 vulnerabilities fixed by Microsoft, more than last month. Eight of them are rated Critical, and two are zero-days in the sense that they were publicly disclosed before a fix was available. Below are the most important updates to be aware of.

CVE-2025-55234 – Windows SMB Elevation of Privilege Vulnerability

The first zero-day vulnerability, CVE-2025-55234, is a serious flaw in the Windows Server Message Block (SMB) protocol related to authentication relay attacks. It arises from improper authentication (CWE-287), allowing attackers to intercept and relay legitimate credentials between services.

The issue exists because SMB sessions can be established without properly validating the authentication context when SMB signing and Extended Protection for Authentication are not correctly configured. This makes it possible to launch man-in-the-middle relay attacks by forwarding captured authentication data to gain unauthorized access.

Affected Systems

  • Windows Server (all supported versions)
  • Windows Client (Windows 10, 11)

Attack Details

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required

The vulnerability has a CVSS base score of 8.8 (High), with a temporal score of 7.7 based on current mitigating factors.

Exploitation Status

  • In the Wild: Not currently observed
  • Public Disclosure: Yes
  • Microsoft Exploitation Assessment: More Likely, based on past SMB relay attack patterns

Risk Scenarios
This vulnerability becomes significantly more dangerous when combined with other techniques:

  1. Initial Access: Can be paired with phishing to lure users into connecting to a malicious SMB server.
  2. Lateral Movement: Captured credentials may be reused across the network, especially in admin-heavy environments.
  3. Privilege Escalation: Relaying authentication from privileged accounts like domain admins can grant high-level access.
  4. NTLM Relay: It extends existing NTLM relay tradecraft to SMB targets where signing and Extended Protection for Authentication are not enforced.
  5. Multi-Stage Attack Chain: Could be used in a broader campaign: phishing, SMB relay, credential theft, lateral movement, and data exfiltration.

Potential Impact

  • Enterprise Environments: Most mid-to-large organizations using Active Directory and Windows Server
  • Critical Sectors: Government, healthcare, financial institutions, and others with widespread Windows infrastructure
  • Small and mid-sized businesses: Often vulnerable due to limited resources for proper SMB hardening

This is a familiar yet still highly effective technique. Its persistence is due to several factors:

  • SMB remains deeply embedded in enterprise environments
  • Many organizations struggle to enforce hardening without disrupting legacy workflows
  • Relay attacks are often successful, leveraging real credentials to bypass authentication
  • High privilege escalation potential in admin-heavy systems

Microsoft published this CVE mainly to deliver new auditing: the September update adds SMB Server audit events that show which clients would break if signing and Extended Protection for Authentication were enforced, so administrators can find legacy dependencies before turning enforcement on. It is also a reminder that authentication relay remains a real concern in 2025. Organizations with complex infrastructures must balance security and operational needs when applying SMB hardening. The 8.8 CVSS score reflects the severity, although the requirements for user interaction and network access narrow the attack window.

CVE-2024-21907 – Newtonsoft.Json Exceptional Conditions Vulnerability

This zero-day is tied to an older CVE, CVE-2024-21907, which affects Newtonsoft.Json (also known as Json.NET), one of the most widely used JSON serialization libraries in the .NET ecosystem. The issue lies in how the library handles exceptional conditions during deserialization, specifically in the JsonConvert.DeserializeObject method.

The vulnerability is caused by recursive processing of crafted JSON data, which can trigger unbounded stack consumption and lead to a StackOverflowException. The parser does not properly check for depth or handle recursion when dealing with certain malicious JSON structures. As a result, it processes deeply nested payloads without restriction, exhausting the call stack.

Affected Systems:

SQL Server instances that include vulnerable Newtonsoft.Json components

Attack Details:

  • Attack Vector: Network-based (likely AV:N)
  • Attack Complexity: Low (likely AC:L)
  • Privileges Required: None (likely PR:N)

CVSS Overview:
No formal CVSS score is provided, but based on similar cases, the base score is likely around 7.5 (High), with the main impact being on availability due to denial-of-service.

Exploitation Status:

  • Not currently exploited in the wild
  • Publicly disclosed
  • Rated as “Exploitation Less Likely” in the CVE report

Despite its simplicity, this vulnerability can play a serious role in complex attack scenarios:

  1. API-focused DoS Attacks: An attacker could crash critical API endpoints that use Newtonsoft.Json for parsing.
  2. Microservice Disruption: In distributed systems, taking down one vulnerable service can cause failures in dependent services.
  3. Amplified with Rate Limiting Bypass: When combined with rate limiting bypass techniques, the denial-of-service impact could be significantly greater.
  4. Used with Authentication Bypass: If paired with an auth bypass flaw, attackers could hit internal APIs that perform sensitive operations.
  5. Cover for Other Attacks: The denial-of-service effect could distract from other ongoing exploits.

Newtonsoft.Json is used in millions of applications globally and has been downloaded billions of times from NuGet. That makes this a high-risk issue even if it is currently rated as less likely to be exploited.

A few key points that make this vulnerability especially serious:

  1. Newtonsoft.Json is nearly universal in the .NET world.
  2. The exploit is easy to craft, requiring only a deeply nested JSON payload.
  3. The result is complete service disruption: a StackOverflowException cannot be caught by managed code, so the .NET process terminates.
  4. Detection is difficult. Most WAFs and API gateways won’t catch this kind of payload.

The risk is made worse by the fact that many organizations may not know they’re using vulnerable versions, especially when Newtonsoft.Json is brought in as a transitive dependency. The SQL Server angle adds further complexity, since database teams don’t typically monitor for issues related to JSON parsing.
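The depth problem is easy to reproduce and easy to guard against before a payload ever reaches the parser. The Python below is an added example, not code from Newtonsoft.Json or from the original digest: it builds a nested-array payload, shows that a recursive parser gives up on it (Python turns the exhausted stack into a catchable RecursionError, whereas .NET's StackOverflowException kills the process), and applies a linear, non-recursive pre-scan that rejects over-deep input with a plain exception. The 64-level limit is the default that Newtonsoft.Json 13.0.1 introduced for MaxDepth; whether 64 suits your own payloads is an assumption to check.

```python
import json

# Newtonsoft.Json 13.0.1 capped deserialization depth at 64 by default; the same
# number is used for the pre-parse guard here (assumption: 64 fits your payloads).
DEFAULT_MAX_DEPTH = 64


def max_nesting_depth(text: str) -> int:
    """Return the deepest [ / { nesting level in a JSON text.

    Linear scan with no recursion, so it is safe on payloads that would blow
    the stack of a recursive parser. Brackets inside string literals are ignored.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > deepest:
                deepest = depth
        elif ch in "]}":
            depth -= 1
    return deepest


def safe_loads(text: str, max_depth: int = DEFAULT_MAX_DEPTH):
    """Parse JSON only after confirming its nesting depth is within max_depth.

    Raises ValueError for over-deep input instead of letting the parser recurse.
    """
    depth = max_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def native_parser_fails(text: str) -> bool:
    """True if Python's own json parser gives up on the input with RecursionError.

    Python converts the exhausted stack into an exception; in .NET the same
    input ends in an uncatchable StackOverflowException and the process dies,
    which is why CVE-2024-21907 is a full denial of service there.
    """
    try:
        json.loads(text)
    except RecursionError:
        return True
    except ValueError:  # malformed but shallow input is not the failure we track
        return False
    return False


def build_nesting_bomb(levels: int = 100_000) -> str:
    """Constructed attack payload: `levels` nested empty arrays, nothing else."""
    return "[" * levels + "]" * levels


if __name__ == "__main__":
    bomb = build_nesting_bomb()
    print("native parser fails on bomb:", native_parser_fails(bomb))
    try:
        safe_loads(bomb)
    except ValueError as exc:
        print("guard rejected payload:", exc)
    print("normal document parses:", safe_loads('{"user": {"roles": ["admin"]}}'))
```

In a .NET service the equivalent fix is to upgrade to Newtonsoft.Json 13.0.1 or later, or to set MaxDepth explicitly in JsonSerializerSettings; the pre-scan above is useful at an API gateway or WAF layer that cannot change the application's parser but can drop the payload early.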

Critical Windows Graphics and Imaging Vulnerabilities

Microsoft’s September 2025 security updates include six vulnerabilities affecting Windows graphics and imaging components. These range from information disclosure to remote code execution and impact areas such as the Windows Imaging Component, Graphics Kernel, and Hyper-V. While some of these issues share similar attack vectors, they differ in root causes, exploitation methods, and potential outcomes.

CVE-2025-53799: Windows Imaging Component Information Disclosure

  • Type: Information disclosure
  • Cause: Use of uninitialized resource (CWE-908)
  • Attack Vector: Local, requires user interaction
  • Severity: CVSS 5.5; Microsoft rates the vulnerability Critical
  • Impact: Allows reading small portions of heap memory
  • Exploitation: Unlikely

Highlights:

  • The only vulnerability in this group limited to information disclosure
  • Requires a user to open a malicious file
  • No effect on integrity or availability
  • Lower CVSS score compared to the others

CVE-2025-53800: Windows Graphics Component Elevation of Privilege

  • Type: Privilege escalation
  • Cause: Incorrect initialization of resource (CWE-1419)
  • Attack Vector: Local, no user interaction
  • Severity: CVSS 7.8; Microsoft rates the vulnerability Critical
  • Impact: Attacker can gain SYSTEM privileges
  • Exploitation: Less likely

Highlights:

  • No user interaction needed
  • Focused solely on privilege escalation
  • Lower complexity compared to race condition vulnerabilities
  • Requires low initial privileges

CVE-2025-55224: Windows Hyper-V Remote Code Execution

  • Type: Remote code execution
  • Causes: Race condition (CWE-362), use-after-free (CWE-416)
  • Attack Vector: Local, no user interaction
  • Severity: CVSS 7.8; Microsoft rates the vulnerability Critical
  • Impact: Code execution with scope change from guest to host
  • Exploitation: Less likely

Highlights:

  • Involves escaping the virtualization boundary in Hyper-V
  • Combines two complex vulnerability types
  • High complexity due to timing-dependent race condition
  • Allows guest-to-host code execution

CVE-2025-55226: Graphics Kernel Remote Code Execution

  • Type: Remote code execution
  • Cause: Race condition (CWE-362)
  • Attack Vector: Local, requires user interaction
  • Severity: CVSS 6.7; Microsoft rates the vulnerability Critical
  • Impact: Code execution with user privileges
  • Exploitation: Less likely

Highlights:

  • Only relies on a race condition
  • Requires user interaction
  • No scope change
  • Higher attack complexity

CVE-2025-55228: Windows Graphics Component Remote Code Execution

  • Type: Remote code execution
  • Causes: Race condition (CWE-362), use-after-free (CWE-416)
  • Attack Vector: Local, no user interaction
  • Severity: CVSS 7.8; Microsoft rates the vulnerability Critical
  • Impact: Code execution with scope change
  • Exploitation: Less likely

Highlights:

  • Similar profile to CVE-2025-55224
  • Affects the Win32K-GRFX component
  • Can be triggered directly or through social engineering

CVE-2025-55236: Graphics Kernel Remote Code Execution

  • Type: Remote code execution
  • Causes: TOCTOU race condition (CWE-367), type confusion (CWE-843)
  • Attack Vector: Local, requires user interaction
  • Severity: CVSS 7.3; Microsoft rates the vulnerability Critical
  • Impact: Code execution with user privileges
  • Exploitation: Less likely

Highlights:

  • The only vulnerability involving type confusion
  • Uses a time-of-check to time-of-use flaw
  • Lower complexity than other race condition issues
  • Requires user interaction

Key Differences Across These Vulnerabilities

  1. Impact Types
    Information disclosure: CVE-2025-53799
    Privilege escalation: CVE-2025-53800
    Remote code execution: all others
  2. Root Causes
    Uninitialized resource: CVE-2025-53799
    Incorrect initialization: CVE-2025-53800
    Race conditions: CVE-2025-55224, CVE-2025-55226, CVE-2025-55228, CVE-2025-55236
    Use-after-free: CVE-2025-55224, CVE-2025-55228
    Type confusion: CVE-2025-55236
  3. Attack Complexity
    Low: CVE-2025-53799, CVE-2025-53800, CVE-2025-55236
    High: CVE-2025-55224, CVE-2025-55226, CVE-2025-55228
  4. User Interaction
    Required: CVE-2025-53799, CVE-2025-55226, CVE-2025-55236
    Not required: CVE-2025-53800, CVE-2025-55224, CVE-2025-55228
  5. Scope Change
    Yes: CVE-2025-55224, CVE-2025-55228
    No: All others
  6. Severity (CVSS Scores)
    Lowest: 5.5 (CVE-2025-53799)
    Highest: 7.8 (CVE-2025-53800, CVE-2025-55224, CVE-2025-55228)
  7. Affected Components
    Windows Imaging Component
    Windows Graphics Component
    Graphics Kernel
    Hyper-V

Common Themes

Although varied in nature, these vulnerabilities share several patterns:

  • All have a local attack vector (a crafted file or a local process), even where Microsoft titles them remote code execution
  • None are currently exploited in the wild
  • All are rated as “Exploitation Less Likely” or “Unlikely”
  • Most involve memory corruption or race conditions
  • Fixes are available for all of them
  • Each could have serious effects on confidentiality, integrity, or availability
  • Several require users to open a specially crafted file

This group of vulnerabilities highlights ongoing issues with memory safety and concurrency in Windows graphics components. Race conditions, in particular, stand out as a recurring problem in this month’s security updates.

CVE-2025-54918 – Windows NTLM Elevation of Privilege Vulnerability

CVE-2025-54918 is a critical vulnerability in the Windows NT LAN Manager (NTLM) authentication protocol. It stems from improper handling of authentication mechanisms (CWE-287), which allows attackers to elevate privileges over a network. Unlike typical Windows vulnerabilities that affect components such as file handlers or graphics subsystems, this one directly targets the authentication layer.

The issue likely involves weak validation of authentication tokens, poor management of credential exchange, or flaws in the challenge-response logic used by NTLM.

Affected Systems:

  • All supported versions of Windows Server
  • Windows client operating systems
  • Active Directory domains

Attack Details:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low

Severity:
The vulnerability carries a CVSS base score of 8.8 and a temporal score of 7.7.

Exploitation Status:

  • Not currently exploited in the wild
  • No public disclosure before patch release
  • Microsoft classifies it as “Exploitation More Likely”

Why This Vulnerability Matters

This flaw presents serious risks in complex attack scenarios:

  1. Initial Access Chaining
    Can be combined with other vulnerabilities to gain low-privilege access, then escalate to SYSTEM level.
  2. Lateral Movement
    Allows attackers to move across the network with elevated privileges once one system is compromised.
  3. Domain-Level Threats
    In Active Directory environments, this could lead to domain-wide compromise if domain controllers are targeted.
  4. Ransomware Deployment
    Gaining SYSTEM-level access opens the door for wide-scale ransomware attacks.
  5. Data Exfiltration
    High confidentiality impact means it could be used in targeted data theft operations.
  6. Persistence
    With elevated privileges, attackers could install backdoors or create long-term persistence on compromised systems.

Widespread Exposure

This vulnerability potentially affects any organization using Windows authentication, particularly those relying on Active Directory. Given the widespread use of Windows infrastructure, millions of systems are at risk.

Key Concerns

  1. Authentication Bypass
    Flaws in authentication can compromise an entire system’s security model, making them especially dangerous.
  2. Remote Exploitation
    Since it can be triggered over a network, the attack surface is broader than for local-only vulnerabilities.
  3. No User Interaction
    It can be exploited automatically, without needing to trick a user into taking any action.
  4. SYSTEM-Level Access
    Successful exploitation results in the highest level of local privileges on Windows.
  5. Low Complexity, High Impact
    Easy to exploit, yet capable of affecting confidentiality, integrity, and availability all at once.

Microsoft’s assessment that exploitation is more likely suggests that functional exploits could emerge soon, even if none have been observed yet. Given the low complexity, critical impact, and network exposure, organizations should treat this as a priority and apply the patch without delay.

CVE-2025-54910 – Microsoft Office Remote Code Execution Vulnerability

CVE-2025-54910 is a critical vulnerability in Microsoft Office caused by a heap-based buffer overflow (CWE-122). It occurs when the application writes data outside the bounds of a memory buffer, leading to memory corruption and the potential for arbitrary code execution. This flaw is tied to improper boundary checking when Office processes certain file content or structures.

The vulnerability can be triggered without any user interaction, including through passive actions like previewing a document. This makes it especially dangerous in environments where Office documents are regularly received and viewed via email.

Affected Products:

  • Microsoft Office (all supported versions)
  • Microsoft Office LTSC for Mac 2021 and 2024 (updates pending)
  • Systems using the Outlook Preview Pane
  • Office on both Windows and macOS

Technical Details:

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • CVSS Base Score: 8.4
  • Temporal Score: 7.3

Exploitation Status:

  • Not observed in the wild
  • No prior public disclosure
  • Microsoft rates exploitation as “Less Likely”

Attack Scenarios

While exploitation may be considered less likely, the potential attack paths are significant:

  1. Email-Based Attacks
    Malicious Office documents sent via email could execute code as soon as they are previewed in Outlook, without opening the attachment.
  2. Drive-By Downloads
    Combined with browser vulnerabilities, attackers could deliver Office files that trigger on download.
  3. Supply Chain Compromise
    Malicious templates or documents could be spread through compromised legitimate distribution channels.
  4. Privilege Escalation Chains
    Though this executes with user-level privileges, it could be combined with other vulnerabilities to gain higher access.
  5. Information Theft
    Attackers could install spyware or tools for data exfiltration.
  6. Ransomware Deployment
    This vulnerability could serve as the entry point for launching ransomware campaigns.

Why It Matters

Microsoft Office is one of the most widely deployed software suites in the world. That alone makes this vulnerability highly impactful. But several other factors add to the concern:

  1. No User Interaction Required
    Attacks can be carried out via the Preview Pane, bypassing the usual recommendation to avoid opening suspicious files.
  2. High Exploit Reliability
    Heap buffer overflows in Office can often be exploited reliably, even in managed environments.
  3. Cross-Platform Reach
    Affects both Windows and macOS, increasing the number of potential targets.
  4. Massive Install Base
    More than a billion people use Microsoft Office, making the potential attack surface extremely large.
  5. Flexible Delivery Methods
    Email, USB drives, websites, and shared cloud folders can all be used to deliver malicious files.

The fact that this vulnerability requires no privileges, no user interaction, and has low complexity makes it a high-priority concern, regardless of the current “Exploitation Less Likely” status. The Preview Pane exposure in Outlook is particularly dangerous, as it can bypass both technical defenses and user training.

Organizations should apply available patches as soon as possible. In the meantime, disabling the Preview Pane feature in Outlook can serve as a temporary mitigation for high-risk systems.

Google Chrome

Google has released a Chrome 139 stable update addressing a high-severity out-of-bounds write vulnerability in the V8 JavaScript engine, tracked as CVE-2025-9132.

The flaw can be exploited remotely through a specially crafted HTML page. It was found by Big Sleep, the AI vulnerability-research agent developed by Google DeepMind and Project Zero. Google has not published technical details; it has previously described Big Sleep's goal as finding vulnerabilities before attackers can use them, including bugs already known to threat actors.

Fixes for CVE-2025-9132 are included in Chrome versions 139.0.7258.138 and .139 for Windows and macOS, and version 139.0.7258.138 for Linux. The update is expected to roll out to all users soon.

Mozilla Firefox

Mozilla has released updates for Firefox, Thunderbird, and Firefox ESR, addressing nine vulnerabilities, five of which are classified as high severity.

The high-severity issues include a memory corruption bug in the GMP process that could allow sandbox escape (CVE-2025-9179), a same-origin policy bypass in the graphics component (CVE-2025-9180), and several memory safety issues with potential for remote code execution (CVE-2025-9187, CVE-2025-9184, and CVE-2025-9185). Other fixed flaws include a medium-severity uninitialized memory issue, along with low-severity spoofing and denial-of-service bugs.

The vulnerabilities were addressed in Firefox 142, multiple versions of Thunderbird (142, 140.2, 128.14), Firefox ESR 140.2, 128.14, and 115.27, as well as Firefox and Focus for iOS 142.

Mozilla has not indicated that any of these vulnerabilities have been exploited in the wild. Users are advised to update as soon as possible.

Android

Google has issued its September 2025 Android security update, fixing 120 vulnerabilities. Two of them were reportedly exploited in targeted attacks.

One is CVE-2025-38352, a Linux kernel vulnerability (CVSS: 7.4) that allows privilege escalation. The other, CVE-2025-48543, affects the Android Runtime component. Both allow local privilege escalation without needing additional execution permissions or user interaction.

Google has not shared how the vulnerabilities were used in real-world attacks, nor whether they were exploited together, but confirmed signs of limited, targeted exploitation. The Linux kernel issue was discovered by Google’s Threat Analysis Group (TAG), suggesting potential links to spyware activity.

The update also includes patches for remote code execution, privilege escalation, information disclosure, and denial-of-service flaws in the Framework and System components.

As usual, two patch levels were released—2025-09-01 and 2025-09-05—to help Android partners address common vulnerabilities across all devices.

WhatsApp

WhatsApp has patched a zero-click vulnerability in its iOS and macOS apps that was used in targeted attacks.

The issue, tracked as CVE-2025-55177, affected WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. It involved incomplete authorization of linked device synchronization messages, which allowed an attacker to trigger content processing from an arbitrary URL on the target device.

It is believed that this vulnerability, when combined with an OS-level flaw on Apple platforms (CVE-2025-43300), enabled sophisticated attacks on specific individuals. Neither WhatsApp nor Apple has disclosed further details. However, Amnesty International reported that WhatsApp recently notified some users that they had been targeted by advanced spyware attacks in the past 90 days. In those alerts, WhatsApp recommended a factory reset and advised keeping devices and operating systems up to date.

CVE-2025-55177, discovered by the WhatsApp Security Team, was used as a delivery vector. Attackers did not need to be in the victim’s contact list. Once WhatsApp processed a malicious image via a linked device message, the Apple vulnerability in the ImageIO framework (CVE-2025-43300) was triggered, leading to full device compromise.

Apple described the attack as highly sophisticated and aimed at a limited set of users. The combined use of these two vulnerabilities formed a complete exploit chain capable of stealthy device takeover through WhatsApp.

Security researchers note that the complexity of the chain and the choice of targets point to spyware operations on the level of NSO Group, Candiru, or Cytrox.

Separately, another potential vulnerability affecting WhatsApp is under review. On August 23, 2025, researcher Tal Be'ery reported a flaw that could let attackers retrieve device information and online status for any WhatsApp user. This issue has not yet been assigned a CVE and is still being evaluated by Meta.

Passwordstate

Click Studios has issued an urgent warning to users of its enterprise password manager, Passwordstate, about a serious authentication bypass vulnerability.

Passwordstate is used by more than 370,000 IT professionals across 29,000 organizations, including government agencies, financial institutions, and Fortune 500 companies. The platform allows centralized access control for passwords, certificates, API keys, and other credentials.

Click Studios is urging customers to update immediately to Passwordstate version 9.9 Build 9972, which includes two security fixes. One of these addresses a high-severity vulnerability that allows attackers to bypass authentication using a specially crafted URL targeting the emergency access page, potentially granting access to the administration interface. This issue has not been assigned a CVE.

For those unable to update right away, the company has provided a temporary workaround. Users should configure an emergency access IP address in the system settings. However, this is only a short-term measure. Click Studios strongly recommends updating the software as soon as possible.

The urgency and language used by the company have raised concerns about a repeat of the April 2021 incident, when attackers compromised Passwordstate’s update mechanism and delivered the Moserpass info-stealer to an unknown number of users.

In the days after that 2021 incident, Click Studios confirmed that some affected customers had credentials stolen, while others were targeted with phishing campaigns involving a new version of the Moserpass malware.

FreePBX

Sangoma FreePBX has issued a warning about an actively exploited zero-day vulnerability affecting systems with administrator control panels exposed to the internet. FreePBX is an open-source PBX platform built on Asterisk, widely used by businesses, call centers, and voice service providers.

According to the Sangoma FreePBX security team, attacks targeting internet-facing admin panels began on August 21. The team has identified the issue and is preparing a fix expected within 36 hours. Users are urged to restrict FreePBX Administrator access through the firewall module, limiting it to trusted hosts.

The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity.

An EDGE module fix has already been released for testing, with a standard release planned shortly. Systems running versions 16 and 17 may be affected if the endpoint module is installed and the login page is exposed.

Following the announcement, many users reported that their servers had been compromised. The exploit allows attackers to execute any command available to the Asterisk user. While details of the campaign have not been shared, Sangoma provided indicators of compromise:

  • Missing or altered /etc/freepbx.conf
  • Presence of /var/www/html/.clean.sh shell script
  • Suspicious modular.php entries in Apache logs
  • Unusual calls to number 9998 in Asterisk logs since August 21
  • Unauthorized ampuser entries in the ampusers table of MariaDB or MySQL

If a system is compromised, Sangoma advises restoring from backups made before August 21, deploying patched modules on clean installations, and rotating all system and SIP credentials.
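The indicators above can be checked mechanically across a fleet. The Python below is an added example, not Sangoma's tooling or code from the original digest. The Apache and Asterisk log lines, the file list and the ampusers rows are constructed samples; the formats assumed are Apache's combined log and Asterisk's full log with its "Executing [exten@context:prio]" lines, and the list of known-good administrator accounts is assumed to come from your own records.

```python
import re
from datetime import date

# First day of the observed attacks, per Sangoma's advisory.
CAMPAIGN_START = date(2025, 8, 21)

EXPECTED_FILES = {"/etc/freepbx.conf"}          # should exist on every install
MALICIOUS_FILES = {"/var/www/html/.clean.sh"}   # dropped by the attackers

# Apache combined log (assumed format):
#   203.0.113.77 - - [22/Aug/2025:03:14:01 +0000] "POST /admin/modular.php HTTP/1.1" 200 0 "-" "..."
_APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Asterisk full log (assumed format):
#   [2025-08-22 03:15:10] VERBOSE[2011][C-00000002] pbx.c: Executing [9998@from-internal:1] Answer(...)
_ASTERISK_RE = re.compile(
    r"^\[(?P<date>\d{4}-\d{2}-\d{2}) [^\]]*\].*Executing \[(?P<exten>[^@\]]+)@"
)


def scan_apache(lines):
    """Flag any request touching modular.php, the path Sangoma lists as suspicious."""
    hits = []
    for line in lines:
        m = _APACHE_RE.match(line)
        if m and "modular.php" in m.group("req"):
            hits.append(f"apache: {m.group('ip')} {m.group('req')} -> {m.group('status')}")
    return hits


def scan_asterisk(lines, since=CAMPAIGN_START):
    """Flag calls placed to extension 9998 on or after the campaign start date."""
    hits = []
    for line in lines:
        m = _ASTERISK_RE.match(line)
        if m and m.group("exten") == "9998" and date.fromisoformat(m.group("date")) >= since:
            hits.append(f"asterisk: call to 9998 on {m.group('date')}")
    return hits


def check_files(present_paths):
    """Report a missing /etc/freepbx.conf or a present .clean.sh."""
    present = set(present_paths)
    findings = [f"file: {p} missing" for p in sorted(EXPECTED_FILES - present)]
    findings += [f"file: {p} present" for p in sorted(MALICIOUS_FILES & present)]
    return findings


def check_ampusers(usernames, known_good):
    """Report ampusers rows that are not in the administrator's own account list."""
    allowed = set(known_good)
    return [f"db: unexpected ampusers row {u!r}" for u in usernames if u not in allowed]


def scan(apache_lines, asterisk_lines, present_paths, ampusers, known_good):
    """Run every check and return the combined list of findings (empty means clean)."""
    return (scan_apache(apache_lines) + scan_asterisk(asterisk_lines)
            + check_files(present_paths) + check_ampusers(ampusers, known_good))


# Constructed sample data, not real logs.
APACHE_SAMPLE = [
    '198.51.100.23 - - [20/Aug/2025:10:02:11 +0000] "POST /admin/ajax.php?module=core HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [22/Aug/2025:03:14:01 +0000] "POST /admin/modular.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.77 - - [22/Aug/2025:03:14:05 +0000] "GET /admin/modular.php?x=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
]
ASTERISK_SAMPLE = [
    '[2025-08-15 09:00:00] VERBOSE[2011][C-00000001] pbx.c: Executing [9998@from-internal:1] Answer("SIP/2001-00000001", "")',
    '[2025-08-22 03:15:10] VERBOSE[2011][C-00000002] pbx.c: Executing [9998@from-internal:1] Answer("SIP/2001-00000002", "")',
    '[2025-08-22 03:16:00] VERBOSE[2011][C-00000003] pbx.c: Executing [2002@from-internal:1] Dial("SIP/2001-00000003", "SIP/2002")',
]
PRESENT_FILES = {"/var/www/html/.clean.sh", "/etc/asterisk/sip.conf"}  # freepbx.conf absent
AMPUSERS = ["admin", "support9998"]
KNOWN_GOOD = ["admin"]

if __name__ == "__main__":
    for finding in scan(APACHE_SAMPLE, ASTERISK_SAMPLE, PRESENT_FILES, AMPUSERS, KNOWN_GOOD):
        print(finding)
```

On a real host the inputs come from the Apache access log and Asterisk's full log, from os.path.exists for the two file paths, and from SELECT username FROM ampusers on the FreePBX database; the 9998 call before August 21 in the sample is deliberately ignored to show the date filter, but any call to that number deserves a look if you do not use it yourself.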

Administrators with publicly exposed FreePBX interfaces are strongly encouraged to inspect their systems and apply patches as soon as they are available.

Citrix

Citrix has patched three vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical remote code execution vulnerability tracked as CVE-2025-7775. This zero-day flaw was exploited in the wild and involves a memory overflow that allows unauthenticated remote code execution.

According to Citrix, the vulnerability was actively exploited on unpatched systems. The company urges all users to update their firmware immediately, as no workarounds are available. Although Citrix has not shared indicators of compromise, it has outlined the configurations affected by CVE-2025-7775:

  • NetScaler configured as a gateway (VPN, ICA proxy, CVPN, RDP proxy) or AAA virtual server
  • Load balancing virtual servers (HTTP, SSL, HTTP_QUIC) linked to IPv6 services or service groups using IPv6 DBS
  • Content redirection virtual servers using HDX

The issue affects NetScaler ADC and Gateway 14.1 builds before 14.1-47.48 and 13.1 builds before 13.1-59.22. It also impacts 13.1-FIPS and 13.1-NDcPP before 13.1-37.241, and 12.1-FIPS and 12.1-NDcPP before 12.1-55.330.

The Shadowserver Foundation reports that more than 28,000 Citrix instances remain vulnerable. The highest number is in the US (10,100), followed by Germany (4,300), the UK (1,400), the Netherlands (1,300), Switzerland (1,300), Australia (880), Canada (820), and France (600).

Citrix recommends updating to one of the following versions or later:

  • 14.1-47.48
  • 13.1-59.22
  • 13.1-FIPS and 13.1-NDcPP: 13.1-37.241
  • 12.1-FIPS and 12.1-NDcPP: 12.1-55.330

Versions 12.1 and 13.0 (non-FIPS/NDcPP) are also vulnerable but are no longer supported. Customers using these versions must upgrade to supported releases.
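To triage a NetScaler inventory against this advisory, the Python helper below (an added example, not Citrix tooling or code from the original digest) parses build strings such as 14.1-43.50 and compares them with the fixed builds listed above, treating the unsupported non-FIPS 12.1 and 13.0 trains as vulnerable with no fix available. The hostnames in the sample inventory are constructed, and the FIPS/NDcPP flag per appliance is assumed to come from your own records.

```python
import re

# First fixed build per release train, from Citrix's advisory as relayed above.
# Key: (train, is_fips_or_ndcpp) -> (major build, minor build).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Non-FIPS/NDcPP trains that are vulnerable but no longer receive fixes.
END_OF_LIFE = {"13.0", "12.1"}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split '14.1-43.50' into ('14.1', (43, 50)); None if it is not a NetScaler build string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, fips_or_ndcpp: bool = False) -> str:
    """Classify one build against the CVE-2025-7775 fix list.

    Returns 'fixed', 'vulnerable', 'end-of-life' (vulnerable and must change
    train, since no fix will ship) or 'unknown' (unparseable or unlisted train).
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    train, build = parsed
    key = (train, fips_or_ndcpp)
    if key in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[key] else "vulnerable"
    if not fips_or_ndcpp and train in END_OF_LIFE:
        return "end-of-life"
    return "unknown"


def triage(inventory):
    """inventory: iterable of (hostname, version, fips_or_ndcpp) -> {hostname: verdict}."""
    return {host: assess(version, fips) for host, version, fips in inventory}


# Constructed sample inventory (hostnames and builds are illustrative).
INVENTORY = [
    ("ns-gw-01", "14.1-43.50", False),
    ("ns-lb-02", "14.1-47.48", False),
    ("ns-fips-03", "13.1-37.235", True),
    ("ns-legacy-04", "13.0-92.21", False),
]

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Treat 'unknown' as a prompt to check the appliance by hand rather than as a pass; a 14.1 FIPS build, for example, is not covered by the list on this page.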

Two additional vulnerabilities were also addressed in this update: CVE-2025-7776, a memory overflow that can lead to denial of service, and CVE-2025-8424, which involves improper access control in the management interface.

Docker

A critical vulnerability in Docker Desktop for Windows and macOS allows attackers to compromise the host by running a malicious container, even with Enhanced Container Isolation (ECI) enabled. The flaw, tracked as CVE-2025-9074, is related to server-side request forgery (SSRF) and has been assigned a severity rating of 9.3.

According to Docker’s advisory, a malicious container can access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted. This can lead to unauthorized access to files on the host. Notably, ECI does not prevent exploitation of this issue.

Felix Boulet, the researcher who discovered the vulnerability, found that the Docker Engine API was reachable without authentication at http://192.168.65.7:2375/ from any running container. Philippe Dugré, a DevSecOps engineer at Pvotal Technologies, independently confirmed the vulnerability in Docker Desktop for both Windows and macOS. The Linux version is not affected.

On Windows, because Docker Engine runs through WSL2, an attacker could mount the full file system, read sensitive files, and even overwrite a system DLL. On macOS, the operating system’s default restrictions prevent such access unless the user explicitly grants permission. However, the researcher warns that an attacker still gains full control over the application and containers, allowing configuration changes without user consent.

Dugré noted that the exploit is simple to execute, consisting of just three lines of Python code. Docker has released a fix in version 4.44.3 of Docker Desktop.
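A quick way to tell whether a Docker Desktop host is still exposed is to ask the engine API for its version from inside a container. The Python below is an added example, not the researchers' exploit and not Docker's code: it only reads /version and never creates containers, and it assumes the 192.168.65.7:2375 address from the write-up (Docker Desktop may use a different internal address on your install, so pass your own if the default does not answer). Run it inside an ordinary container; a JSON answer means the container can drive the engine without any socket being mounted.

```python
import json
import urllib.request
from http.client import HTTPException
from urllib.error import URLError

# Address at which the engine API was found reachable from containers
# (from the write-up quoted above); assumption: your install uses the same one.
DOCKER_DESKTOP_ENGINE_URL = "http://192.168.65.7:2375"


def probe_docker_engine(base_url: str = DOCKER_DESKTOP_ENGINE_URL, timeout: float = 2.0):
    """Try an unauthenticated GET /version against the engine API.

    Returns the decoded JSON (a dict carrying 'Version', 'ApiVersion', ...) when
    the API answers, meaning any container on this host can reach the engine.
    Returns None when the endpoint is unreachable, times out, answers with a
    non-200 status, or does not return a Docker version document.
    """
    try:
        req = urllib.request.Request(base_url.rstrip("/") + "/version",
                                     headers={"Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            body = json.load(resp)
    except (URLError, HTTPException, OSError, ValueError):
        # connection refused / timeout / bad URL / non-JSON body all mean "not reachable"
        return None
    return body if isinstance(body, dict) and "ApiVersion" in body else None


def is_engine_exposed(base_url: str = DOCKER_DESKTOP_ENGINE_URL, timeout: float = 2.0) -> bool:
    """True when the engine API is reachable without authentication from here."""
    return probe_docker_engine(base_url, timeout) is not None


if __name__ == "__main__":
    info = probe_docker_engine()
    if info is None:
        print("engine API not reachable from here (patched, or a different internal address)")
    else:
        print(f"EXPOSED: Docker Engine {info.get('Version')} "
              f"(API {info.get('ApiVersion')}) answers without authentication")
```

A negative result from the host rather than from inside a container proves nothing, because the address is only meaningful on the container network; the check belongs in a throwaway container started after updating to Docker Desktop 4.44.3.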

Password Manager Browser Extensions

Researcher Marek Toth has identified clickjacking vulnerabilities in browser extensions for several popular password managers, including 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm, and Apple iCloud Passwords. These extensions collectively have around 40 million active installations, based on data from Chrome, Edge, and Firefox extension repositories.

While some vendors have already issued patches, several remain unpatched. As of now, the following versions are still vulnerable: Bitwarden 2025.7.0, 1Password 8.11.4.27, iCloud Passwords 3.1.25, Enpass 6.11.6, LastPass 4.146.3, and LogMeOnce 7.12.4. Vendors were initially notified in April 2025.

Toth presented his findings at DEF CON in August and published a detailed analysis on his blog. The research was also confirmed by Socket, which helped coordinate the disclosure.

Clickjacking is a technique in which users are tricked into clicking invisible or disguised elements. Attackers create web pages that overlay malicious buttons on top of benign-looking content. When users interact with the page, they unknowingly trigger hidden actions.

Toth demonstrated how DOM-based clickjacking and autofill functionality can be used to extract sensitive data, including usernames, passwords, personal details, access keys, and payment card information. He also showed a technique where a hidden interface follows the user’s cursor, allowing autofill to be triggered by any click. In most cases, only a single click was needed. Some attacks combined this method with XSS or other client-side vulnerabilities.

A universal attack script can detect which password manager is active in the browser and adapt the exploit in real time.

Despite having been notified back in April, vendors have been slow to respond. Socket followed up again this week to assist with CVE assignments. Bitwarden has announced that a patch will ship in version 2025.8.0. LogMeOnce acknowledged the issue and is working on a fix. It is unclear whether LastPass or 1Password plan to take further action. Some developers have responded by emphasizing that clickjacking is a known web risk and that their products already include basic protections.

Vendors that have released fixes include Dashlane (version 6.2531.1 as of August 1), NordPass, ProtonPass, RoboForm, and Keeper (version 17.2.0 as of July).

Until a fixed version is available, Toth recommends disabling autofill in the affected password managers and copying and pasting credentials instead.

Intel

Researcher Eaton Zveare has disclosed several vulnerabilities that gave him access to professional and personal data of more than 270,000 Intel employees.

He gained access in October 2024 by exploiting a flaw that allowed him to bypass authentication on the Intel India portal, which was used for ordering employee business cards. Although the portal was regionally focused, its database contained global employee information. The exposed data included names, email addresses, phone numbers, and job titles. More sensitive data such as social security numbers and salary details were not part of the breach.

Zveare later found two additional internal resources containing hardcoded administrator credentials that exposed company-wide data. A fourth Intel portal related to supplier management also had an authentication bypass vulnerability, which could be exploited to access more confidential information about both employees and suppliers.

Intel has since patched the vulnerabilities and stated there was no evidence of unauthorized access or data leaks. Following Zveare’s disclosure, Intel expanded its Bug Bounty program to include cloud services and SaaS platforms, which were previously excluded.

Apple

Apple has released emergency updates to fix a zero-day vulnerability, CVE-2025-43300, in the Image I/O framework. The issue is an out-of-bounds write that was reportedly used in an extremely sophisticated targeted attack.

Processing a malicious image file could result in memory corruption. Apple has addressed the issue by improving bounds checking. While the company has not provided details about the nature of the attacks or their targets, it confirmed that specific individuals were affected.

Although the attack appears to have been limited in scope, all users are advised to update their systems as soon as possible.

Fortinet

Fortinet has patched a serious vulnerability in FortiWeb firewalls, tracked as CVE-2025-52970 and dubbed “FortMajeure.” It allows attackers to forge session cookies and bypass authentication, impersonating any active user, including administrators.

A working proof of concept has already been released by researcher 0x_shaq. Exploitation requires that the target user still have an active session on the appliance. The attacker then brute-forces a small numeric value in the session cookie, which typically takes fewer than 30 requests, and because the cookie's integrity value is computed with an all-zero key, each guess can be checked immediately.

This vulnerability affects FortiWeb versions 7.0 through 7.6 and has been fixed in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. FortiWeb version 8.0 is not affected. There are no workarounds, and updating to a patched version is the only recommended action.

Although Fortinet assigned the flaw a CVSS score of 7.7 due to what it described as “high attack complexity,” researchers argue that the exploit is simple to execute in practice.

Technical details demonstrating administrator impersonation on a REST endpoint have been shared. The full exploit, which includes access to the command-line interface via /ws/cli/open, has not yet been released. The researcher plans to publish it later to give users time to apply the patches.

The vulnerability has already attracted the attention of cybercriminals, and active exploitation is expected soon.

Fortinet is also warning about a separate remote unauthenticated command injection vulnerability in FortiSIEM, tracked as CVE-2025-25256 with a CVSS score of 9.8. A working exploit is already in circulation.

The flaw exists in versions 5.4 through 7.3 and allows attackers to execute arbitrary code via specially crafted CLI requests. It is caused by improper neutralization of special elements used in an OS command (CWE-78).

Fortinet has not confirmed that it is being exploited as a zero-day, but acknowledges that a functional exploit is available. The company also notes that exploitation does not leave clear indicators of compromise.

Users are urged to update to one of the following patched versions: 7.3.2, 7.2.6, 7.1.8, 7.0.4, or 6.7.10. Versions 5.4 to 6.6 are also affected but are no longer supported and will not receive patches. As a temporary workaround, Fortinet recommends limiting access to the phMonitor service on port 7900, which is the attack vector.

Cisco

Cisco has published over 20 security advisories in its August 2025 update covering Secure Firewall Management Center (FMC), Secure Firewall Threat Defense (FTD), and Secure Firewall Adaptive Security Appliance (ASA).

The most critical issue is CVE-2025-20265 (CVSS score: 10.0), a remote command injection vulnerability in the RADIUS subsystem of Secure FMC. An unauthenticated remote attacker could exploit it to execute arbitrary shell commands with high privileges. The flaw arises from improper handling of user input during RADIUS authentication. Exploitation is possible if Secure FMC is configured to use RADIUS for the web management interface, SSH access, or both.

The vulnerability affects Secure FMC software versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled. No workarounds are available, and Cisco recommends applying the provided patches.

Other significant vulnerabilities addressed in this update include:

  • CVE-2025-20217 (CVSS 8.6): Snort 3 denial-of-service in Secure Firewall Threat Defense
  • CVE-2025-20222 (CVSS 8.6): IPv6 via IPsec denial-of-service in Secure Firewall and Firepower 2100 Series
  • CVE-2025-20224, CVE-2025-20225, CVE-2025-20239 (CVSS 8.6): IKEv2 denial-of-service in IOS, IOS XE, ASA, and Threat Defense
  • CVE-2025-20133, CVE-2025-20243 (CVSS 8.6): SSL VPN denial-of-service in Secure Firewall
  • CVE-2025-20134 (CVSS 8.6): SSL/TLS certificate denial-of-service in Secure Firewall and Threat Defense
  • CVE-2025-20136 (CVSS 8.6): DNS inspection denial-of-service in ASA and Threat Defense
  • CVE-2025-20263 (CVSS 8.6): Web services failover issue in ASA and Threat Defense
  • CVE-2025-20148 (CVSS 8.5): HTML injection in Secure Firewall Management Center
  • CVE-2025-20251 (CVSS 8.5): VPN server denial-of-service in Secure Firewall and Threat Defense
  • CVE-2025-20127 (CVSS 7.7): TLS 1.3 encryption denial-of-service in Secure Firewall for Firepower 3100 and 4200 Series
  • CVE-2025-20244 (CVSS 7.7): Remote access VPN web server denial-of-service in ASA and Threat Defense

Cisco states that none of these vulnerabilities are known to have been exploited in the wild, but given how frequently Cisco systems are targeted, exploitation is considered likely.

Industrial sector highlights

  • Siemens: Released 22 advisories including a critical RCE (CVE-2025-40746) in Simatic RTLS Locating Manager, with additional high-severity flaws affecting Comos, Simcenter, Sinumerik, Simatic, and Ruggedcom platforms.
  • Schneider Electric: Fixed multiple high-severity vulnerabilities in EcoStruxure, Modicon M340, and the Software Update tool, including RCE, DoS, and privilege escalation.
  • Honeywell: Issued 6 security bulletins for SCADA products, including Windows updates for Maxpro, Pro-Watch NVR/VMS, and access control systems.
  • Aveva: Patched two vulnerabilities in PI Integrator for Business Analytics, including an arbitrary file upload flaw that could lead to RCE.
  • ABB: Reported unauthenticated RCE and credential harvesting vulnerabilities in Aspect, Nexus, and Matrix platforms.
  • Phoenix Contact: Disclosed an elevation-of-privilege vulnerability in its device and update management system.
  • Rockwell Automation: Warned of serious code execution vulnerabilities in the Arena Simulation platform.
  • Mitsubishi Electric: Addressed a spoofing vulnerability in Genesis and MC Works64 products.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.
