September’s Patch Tuesday delivered a predictable mix of Windows security updates and the usual Office headaches, but for enterprise security teams, the real fire alarm is ringing over SAP NetWeaver. Multiple high-severity vulnerabilities in the ERP platform—including a perfect 10.0 CVSS-rated flaw—have been flagged for active exploitation, demanding an urgent response that overshadows a relatively mild batch from Microsoft, Adobe, and other vendors.
Microsoft’s September Fixes: Manageable, but Not Without Risk
Microsoft’s September 2025 security update set is lighter than many recent months, but it still carries enough weight to warrant prompt testing and deployment. Security analysts noted that while there’s no immediate mass emergency, several critical and important patches address attack vectors that remain popular among threat actors.
One of the most concerning is CVE-2025-21198, a critical remote code execution (RCE) vulnerability in the High Performance Computing (HPC) Pack. With a CVSS score of 9.8, this flaw could allow attackers to execute arbitrary code over the network by exploiting how HPC Pack handles certain cluster communications. Microsoft warns administrators to monitor traffic on TCP port 5999 and other cluster ports for suspicious activity. Immediate patching and network segmentation are strongly advised for any organization running affected HPC clusters.
Office preview-pane vulnerabilities continue to haunt enterprises. While specific CVE numbers differ across reports—one advisory points to CVE-2025-54910 as a preview-pane RCE—the practical advice remains unchanged: consider disabling the Preview Pane in Outlook and File Explorer until patches are fully deployed, especially in environments where users handle untrusted attachments. These recurring attack paths exploit the thumbnail and rendering code that runs automatically when a file is selected, making them a low-effort, high-impact vector.
On the server side, a denial-of-service issue in Newtonsoft.Json (CVE-2024-21907) reappeared in the update cycle. Versions prior to 13.0.1 can be abused to cause DoS through deeply nested JSON structures. If your web APIs, Azure-hosted apps, or IIS sites depend on this library, upgrading to 13.0.1 or applying serializer MaxDepth limits is non-negotiable. This issue underscores a persistent enterprise weakness: vulnerable open-source components lurking in server stacks.
Microsoft also addressed flaws in SQL Server, Hyper-V, Defender Firewall, Routing and Remote Access Service (RRAS), and Excel. The cumulative nature of these patches means they should be rolled out with standard testing, but they don’t rise to the level of an “emergency” deployment—unlike the SAP situation.
A Week in Which SAP “Wins” Patch Tuesday—for the Worst Reasons
While Microsoft’s fixes were manageable, SAP’s security notes for NetWeaver and related components paint a far grimmer picture. Throughout 2025, SAP released a series of patches correcting critical and actively exploited vulnerabilities in core ERP modules. The impact is severe: unauthenticated or low-privileged attackers can achieve code execution, full system compromise, and data theft—exactly the risk profile ransomware groups and espionage actors seek.
The CVE Landscape: What’s Confirmed and What’s Fuzzy
Multiple security trackers, including the NVD and vendor advisories, confirm several high-impact SAP CVEs. However, some CVE numbers circulating in media coverage appear to be typos, editorial shorthand, or unverified assignments. Cross-referencing Microsoft’s official Security Update Guide, SAP’s monthly security notes, and public databases reveals a more reliable picture:
- CVE-2025-31324 (CVSS 10.0): An unauthenticated file upload bug in NetWeaver Visual Composer that has been associated with active exploitation. Attackers can leverage this to gain RCE on the ERP platform, opening doors to financial data, HR records, and integrated supply-chain credentials.
- CVE-2025-42944 (CVSS 10.0): An insecure deserialization flaw in NetWeaver’s RMI-P4 module, which allows an unauthenticated attacker to abuse authentication privileges for distributed Java objects. This is the “perfectly poisonous” vulnerability cited in the original Register article (though misattributed as CVE-2025-42944 in some reports; SAP’s advisory uses that exact ID).
- CVE-2025-42999 (~9.1): A deserialization vulnerability in the Visual Composer Metadata Uploader that lets privileged-user uploads be deserialized into Java objects, leading to arbitrary code execution. This class of bug is particularly deadly in platforms that deserialize with elevated privileges.
- CVE-2023-27500: A directory traversal and file overwrite bug in SAPRSBRO (the NetWeaver system control) that persists on older versions. It allows non-admin users to corrupt or overwrite system files, potentially causing loss of availability. This CVE has been public since 2023 but remains a high-severity concern for legacy installations.
- CVE-2025-42922 (CVSS 9.9): Another critical file upload flaw that enables “full compromise of confidentiality, integrity, and availability,” according to SAP’s advisory.
It’s worth noting that Register’s original piece referenced CVE-2025-55234 and CVE-2025-55232 for SMB relay and HPC RCE, respectively, but these identifiers cannot be found in any public CVE registry or Microsoft advisory at the time of writing. The functional description of an HPC RCE matches CVE-2025-21198, and the SMB relay guidance aligns with long-standing best practices. Such discrepancies are a reminder to always validate third-party reporting against primary vendor sources.
Why SAP Vulnerabilities Are Structurally More Dangerous
ERP systems like SAP NetWeaver are not just another application; they are the digital backbone of global commerce. A single RCE in NetWeaver can give attackers access to:
- Financial transactions and records
- Human resources databases
- Supply-chain credentials and integrations
- Privileged service accounts with connectivity across the enterprise
Compounding the risk, SAP patches are often delayed due to complex deployment architectures, multi-tenant environments, and strict change control processes. Downtime windows are hard to secure, and fear of business disruption leads many organizations to defer critical patches. Attackers know this and actively scan for unpatched endpoints. The fact that multiple NetWeaver flaws have been assigned maximum severity and flagged for in-the-wild exploitation makes the threat immediate and severe.
Adobe’s Batch: ColdFusion and Commerce Demands Priority
Adobe’s September patch cycle delivered 22 fixes across its product portfolio, with a few that demand immediate attention. ColdFusion versions from 2021 to 2025 received a critical fix for a file system overwriting vulnerability that could lead to arbitrary code execution. Given ColdFusion’s history as a high-value target, administrators should treat this as an emergency patch.
Adobe Commerce and Magento (versions 2.4.4 to 2.4.7) also received critical updates addressing high-impact CVEs. These e-commerce platforms are gateways to customer payment data and are heavily targeted by Magecart and similar threat groups. Delaying patches here can directly lead to credit card theft and compliance failures.
Other Adobe products saw fixes for code execution and security bypass flaws: Substance 3D Modeler, Premiere Pro, Dreamweaver, and Experience Manager all had critical or important issues resolved. Any organization using shared hosting for these tools should prioritize updates and tighten file upload controls.
Android’s Largest Bundle of the Year: 120 Fixes, Two Actively Exploited
Google released its biggest Android security update of the year, closing 120 vulnerabilities. Two of these were reportedly being exploited in the wild before the patch. Pixel devices received the update quickly, but non-Pixel OEM devices will depend on manufacturer rollouts—a perennial challenge for enterprise mobile fleets.
Mobile device managers and security teams should push for immediate deployment of the 2025-09-01 and 2025-09-05 security patch levels, as outlined in the Android Security Bulletin. The active exploitation status alone makes this a high-priority update.
Cisco’s Out-of-Band Fix: ASA/FTD Denial-of-Service
Separate from Patch Tuesday, Cisco released an out-of-cycle advisory for SSL/TLS certificate parsing and VPN web server DoS flaws in Secure Firewall ASA and FTD software. These vulnerabilities can cause device reloads, disrupting firewall and VPN services. Administrators should apply Cisco’s mitigation guidance and vendor updates immediately, as any firewall outage can cripple business operations.
Cross-Vendor Technical Verification: Where Reporting Diverged
The Register’s original article mentioned several CVE identifiers that could not be independently verified. For example, CVE-2025-55234 (SMB relay) and CVE-2025-55232 (HPC RCE) do not appear in Microsoft’s Security Update Guide, the NVD, or any reputable CVE database. The functional descriptions align with known issues—CVE-2025-21198 for HPC and general SMB signing guidance—but the specific ID numbers appear to be erroneous.
This kind of mismatch is not uncommon in rapid-fire Patch Tuesday coverage, but it creates operational friction for defenders who need accurate data to prioritize and act. Security teams should always cross-check media reports against primary sources: Microsoft’s Security Update Guide, SAP’s monthly security notes, Adobe’s APSB bulletins, and the NVD. When a CVE cannot be verified, treat the related guidance as unconfirmed until the vendor provides clarity.
Risk Analysis: What’s Notable, What’s Worrying
This Patch Tuesday cycle reveals both encouraging trends and persistent weaknesses.
Strengths in the Response Ecosystem
- Faster disclosure and coordination: Vendors like SAP, Microsoft, and Adobe are publishing actionable security notes on tighter cadences, helping defenders plan.
- Public CVE tracking and mitigation advice: NVD and vendor advisories now often include detection guidance and workarounds in near-real time.
Persistent Weaknesses and Attack Surface Issues
- ERP patching lag: Complex change control, compatibility fears, and uptime requirements mean many SAP NetWeaver instances remain unpatched for months, a window attackers now exploit aggressively.
- Recurring preview-pane and thumbnailing vectors: Office preview features continue to be a reliable RCE pathway, yet many organizations rely on default settings.
- Third-party library blind spots: Vulnerabilities like the Newtonsoft.Json DoS show that unattended dependencies can expose large parts of infrastructure.
- Inconsistent CVE reporting: Media inaccuracies force defenders to validate every detail, slowing response.
Practical Response Playbook for SOCs and IT Teams
Immediate (First 24-72 Hours)
- Inventory and map: List all exposed ERP systems (SAP NetWeaver/Visual Composer), e-commerce platforms (Adobe Commerce/Magento), and HPC clusters. Record versions and last patch dates.
- Apply emergency patches: Start with all available SAP security notes for critical NetWeaver flaws, Adobe ColdFusion/Commerce fixes, and the Microsoft HPC Pack update (CVE-2025-21198).
- Network isolation: Restrict access to SAP management and uploader endpoints. Place NetWeaver web interfaces behind reverse proxies and WAF rules that block file upload abuse patterns.
- Mitigate preview-pane risk: Disable Outlook and File Explorer Preview Pane on user populations most exposed to untrusted email or files.
Secondary (3-14 Days)
- Harden application stacks: Upgrade Newtonsoft.Json to 13.0.1 or apply serializer limits. Rotate service accounts and enforce least privilege.
- Hunt and monitor: Search logs for anomalous uploads, unexpected ABAP code changes, new user creations, and suspicious connections to HPC scheduler ports (TCP 5999 and others). Deploy SIEM rules to alert on unusual outbound connections from SAP servers.
Longer-Term (2-8 Weeks)
- Tighten emergency patch policies: Build a validated, repeatable test path for ERP and commerce platforms so critical fixes don’t get delayed by manual processes.
- Tabletop exercises: Conduct threat modeling that assumes an ERP compromise and rehearse containment, data recovery, and regulatory notifications.
- Third-party dependency governance: Adopt SBOMs and automated dependency scanners to identify vulnerable libraries before they are exploited.
Final Verdict: The Emergency Is in the Middleware, Not the Desktop
September 2025’s Patch Tuesday will not be remembered as a Microsoft catastrophe. Windows and Office teams should apply the cumulative updates and librarian patches on their normal schedule. However, the critical emergency in this cycle lies in enterprise middleware and specialized platforms. SAP NetWeaver and Visual Composer vulnerabilities carry a concrete, immediate danger for any organization that relies on SAP for core business functions. These are the kind of flaws that enable attackers to leap from a single compromised service into the heart of business-critical systems.
Administrators must treat SAP hotfixes as high-urgency work, while still maintaining disciplined patch testing for Microsoft, Adobe, and other updates. Relying on a single vendor’s release cadence is insufficient; effective defense requires fast identification, network isolation, library upgrades, and active threat hunting.
One operational lesson stands out from this month’s coverage: always verify CVE numbers and mitigation advice against primary vendor sources. Media summarization errors can seed confusion and delay. When in doubt, go to the vendor’s advisory.
The window between public disclosure and active exploitation is short—especially for high-value targets like SAP. Apply patches, restrict access, and prioritize ERP and commerce platform updates above routine workstation rollouts this week. The cost of delay can be catastrophic.