September 2025 was defined by the rapid emergence and confirmed active exploitation of several critical vulnerabilities across networking, enterprise applications, and widely used operating systems. The month’s disclosures included multiple flaws rated Critical with high CVSS scores, many granting unauthenticated or root-level Remote Code Execution (RCE).
The most severe threats centered on networking edge devices and critical web applications, specifically in Cisco firewalls and FreePBX, which prompted immediate emergency directives from government agencies. Other high-risk flaws were found in core Microsoft services, Adobe platforms, and the Linux/Unix Sudo utility, all allowing attackers a straightforward path to full system compromise or privilege escalation.
These weaknesses cut across fundamental infrastructure components, including firewalls, PBX systems, operating system kernels, and command utilities. Timely patching is a matter of enterprise survival, particularly for organizations running exposed network perimeters and collaboration tools.
CVE-2025-20333: Zero-Day RCE in Cisco Secure Firewall ASA and FTD
Severity: Critical
CVSS Score: 9.9/10
Vulnerability Type: Buffer Overflow, Zero-Day RCE
Impact: Full device control, persistence, and critical infrastructure access
Affected Systems: Cisco Secure Firewall ASA and Secure Firewall FTD software
This zero-day vulnerability, actively exploited by the ArcaneDoor threat actor (also known as Storm-1849), allows unauthenticated remote code execution on Cisco Secure Firewall devices. Exploitation enables attackers to implant persistent malware that survives reboots and system upgrades. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating immediate patching or decommissioning of affected devices by October 16, 2025.
Mitigation Strategies:
- Apply Cisco’s security updates immediately.
- Disconnect or replace ASA hardware with an end-of-support date on or before September 30, 2025.
- Conduct forensic analysis as per CISA’s guidelines.
CVE-2025-55232: RCE via Deserialization in Microsoft HPC Pack
Severity: Critical
Vulnerability Type: Deserialization of Untrusted Data
Impact: Execution of arbitrary code on HPC servers
Affected Systems: Microsoft High Performance Compute (HPC) Pack
This vulnerability arises from insecure handling of untrusted data, allowing unauthenticated attackers with network access to execute arbitrary code on HPC servers. The flaw is particularly critical in high-performance computing environments where such access can lead to significant data breaches or system compromises.
Mitigation Strategies:
- Apply the Microsoft September 9, 2025, security updates for HPC Pack immediately.
- Implement strict network segmentation and firewall rules to limit access to HPC services only to authorized internal systems.
CVE-2025-54918: Elevation of Privilege in Windows NTLM
Severity: Critical
CVSS Score: 8.8
Vulnerability Type: Improper Authentication (Elevation of Privilege)
Impact: Network-based privilege escalation to compromise user accounts
Affected Systems: Systems running Windows with the New Technology LAN Manager (NTLM) protocol enabled
This vulnerability in Windows NTLM allows an attacker to exploit improper authentication mechanisms to elevate their privileges over the network. Successful exploitation could provide an authenticated attacker with elevated permissions, potentially leading to a broader network compromise.
Mitigation Strategies:
- Apply the security update provided in the Microsoft September 2025 Patch Tuesday release.
- Consider disabling NTLM where possible and enforcing stronger authentication protocols.
CVE-2025-48543: Use-After-Free LPE in Android Runtime
Severity: High
Vulnerability Type: Use-After-Free (UAF), Local Privilege Escalation (LPE)
Impact: Sandbox escape from malicious apps to gain system privileges
Affected Systems: Android devices running certain versions of the Android Runtime (ART)
A Use-After-Free in the Android Runtime, a memory management flaw, allows an attacker to escape the sandbox of a less-privileged application, such as the Chrome browser, and escalate privileges to higher-level system processes. Such flaws are often leveraged in targeted attacks to establish persistent access or read sensitive data.
Mitigation Strategies:
- Apply the security patches included in the Android Security Bulletin for September 2025, 2025-09-05 patch level or later.
- Restrict physical access to devices and prohibit the sideloading of applications from untrusted sources.
CVE-2025-55234: Elevation of Privilege in Windows SMB
Severity: High
CVSS Score: 8.8
Vulnerability Type: Elevation of Privilege
Impact: Unauthenticated remote relay attacks to gain elevated privileges
Affected Systems: Windows Server Message Block (SMB) Server
This flaw was publicly disclosed as a zero-day prior to Microsoft’s patch release, making it an immediate risk. The vulnerability allows an unauthenticated remote attacker to perform network-based relay attacks by exploiting weak authentication mechanisms in the SMB protocol, leading to elevated privileges on the affected server.
Mitigation Strategies:
- Apply the security update provided in the Microsoft September 2025 Patch Tuesday release.
- Implement SMB signing and encryption to mitigate relay attacks.
CVE-2025-54236: Session Takeover in Adobe Commerce
Severity: Critical
CVSS Score: 9.1
Vulnerability Type: Improper Input Validation
Impact: Session takeover, leading to unauthorized administrator access and high-impact confidentiality and integrity loss
Affected Systems: Adobe Commerce versions 2.4.9-alpha2 and earlier
An improper input validation flaw in Adobe Commerce (formerly Magento) can be abused by an attacker to bypass security checks and take over a user’s session. This grants the attacker the ability to act as the legitimate user, which is particularly devastating if the compromised session belongs to an administrator.
Mitigation Strategies:
- Apply the patches released by Adobe on September 9, 2025.
- Implement Web Application Firewalls (WAFs) to detect and block exploit attempts.
CVE-2025-54261: Path Traversal RCE in Adobe ColdFusion
Severity: Critical
CVSS Score: 9.0
Vulnerability Type: Path Traversal, Remote Code Execution (RCE)
Impact: Execution of arbitrary code on the ColdFusion server
Affected Systems: ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier
This vulnerability is an instance of ‘Path Traversal,’ allowing an attacker to manipulate file paths to escape restricted directories. In the context of ColdFusion, this flaw can be chained to achieve arbitrary code execution, leading to a full compromise of the web server.
Mitigation Strategies:
- Apply the latest vendor-provided updates from Adobe for all affected ColdFusion versions.
- Restrict file upload capabilities and validate file paths rigorously.
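One way to implement the "validate file paths rigorously" mitigation above, written as an added Python example (not code from Adobe, ColdFusion or this post); the upload directory /srv/cf/uploads is an assumed placeholder.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_upload_path(base_dir: str, user_supplied: str) -> Optional[Path]:
    """Map a user-supplied file name onto base_dir, or return None if it
    would escape that directory.

    Checks, in order:
      1. percent-decode first, so '%2e%2e/' cannot bypass a literal '..' test;
      2. reject NUL bytes, which truncate paths in C-level file APIs;
      3. treat the input as relative even if it starts with a slash;
      4. compare the fully resolved candidate against the resolved base, so
         '..' segments (and symlinks, for paths that exist) cannot point outside.
    """
    decoded = unquote(user_supplied)
    if "\x00" in decoded:
        return None
    base = Path(base_dir).resolve()  # base_dir is an assumed placeholder
    candidate = (base / decoded.lstrip("/\\")).resolve()
    # The base directory itself is not a valid file target either.
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


def is_safe_upload_name(base_dir: str, user_supplied: str) -> bool:
    """Boolean convenience wrapper for request handlers."""
    return resolve_upload_path(base_dir, user_supplied) is not None
```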
CVE-2025-20352: RCE/DoS in Cisco IOS and IOS XE SNMP
Severity: Critical
Vulnerability Type: Stack-Based Buffer Overflow
Impact: Denial of Service (DoS) or Remote Code Execution (RCE) via the SNMP subsystem
Affected Systems: Cisco IOS and IOS XE Software
This vulnerability is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem. Exploitation allows an attacker to send crafted SNMP packets that can either crash the device (Denial of Service) or, in a worst-case scenario, allow them to execute arbitrary code on the networking equipment.
Mitigation Strategies:
- Apply the vendor-provided security updates from Cisco addressing the SNMP subsystem vulnerability.
- Implement strict Access Control Lists (ACLs) to limit SNMP access only to trusted management stations.
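An added example (not from Cisco or the original post) of checking the ACL mitigation above: a small Python audit over a constructed IOS running-config excerpt that flags SNMP community strings with no ACL, with an undefined ACL, or with an ACL that permits a range rather than individual management hosts. The community names, ACL numbers and addresses are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed IOS running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community netops RW 10
snmp-server community monitor RO 20
snmp-server community legacy RO 30
access-list 10 permit 10.1.1.5
access-list 10 permit 10.1.1.6
access-list 20 permit 10.1.0.0 0.0.255.255
access-list 30 permit any
"""

# 'view' and 'ipv6' variants of the community command are not parsed here.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)(?: (\S+))?")


def parse_numbered_acls(config: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Collect numbered standard ACL entries as (action, source, wildcard).
    Named ACLs ('ip access-list standard ...') are not handled."""
    acls: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acl, action, src, wildcard = m.groups()
            if src == "host":  # 'permit host A.B.C.D' form
                src, wildcard = wildcard, None
            acls.setdefault(acl, []).append((action, src, wildcard or "0.0.0.0"))
    return acls


def audit_snmp_acls(config: str) -> List[str]:
    """One finding per community string reachable from more than a fixed set
    of management hosts; an empty list means every community is bound to an
    ACL made only of single-host permits."""
    acls = parse_numbered_acls(config)
    findings: List[str] = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.groups()
        if acl is None:
            findings.append(f"{community} ({mode}): no ACL, reachable from any source")
        elif acl not in acls:
            findings.append(f"{community} ({mode}): ACL {acl} is referenced but not defined")
        else:
            for action, src, wildcard in acls[acl]:
                if action == "permit" and (src == "any" or wildcard != "0.0.0.0"):
                    findings.append(f"{community} ({mode}): ACL {acl} permits a range ({src} {wildcard})")
                    break
    return findings
```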
The vulnerabilities disclosed in September 2025 underscore that a reactive approach is no longer sustainable. From actively exploited edge devices to critical server software and mobile operating systems, the attack surface is vast. Prioritizing these critical patches, restricting access to management interfaces, and performing rigorous threat hunting are the essential steps for security teams to survive the continuous onslaught of sophisticated threats.