Threat intel · 3 MIN READ · BEN NAHORNEY AND MATT JASTRAM · SEP 9, 2025 · TAGS: vulnerability prioritization
TL;DR
- Microsoft released 86 new CVEs this month.
- 13 of these CVEs are marked as critical by Microsoft.
- This month we examine a vulnerability that could allow an attacker to take full control of an SAP S/4HANA system.
It’s that time of year where the leaves start to drop, along with the temperatures, leading us to wonder how the summer flew by so quickly. Has it already been a month since we got our last batch of patches?
At any rate, welcome to the September Patch Tuesday blog!
Patch Tuesday: September 9, 2025
There are 13 critical vulnerabilities in this month’s Patch Tuesday batch. Nearly half of these are elevation of privilege vulnerabilities, with a quarter of them being remote code execution vulnerabilities.
Here are three vulnerabilities that we think warrant your attention sooner rather than later. In each case, successful exploitation will leave the attacker with higher privileges, allowing them to take control of the system and/or further their attacks.
- Windows NTLM Elevation of Privilege Vulnerability (CVE-2025-54918): This vulnerability could allow an attacker to remotely elevate their privileges to the SYSTEM account on a targeted computer. The CVE’s low attack complexity means an attacker could reliably use it against vulnerable components.
- Windows SMB Elevation of Privilege Vulnerability (CVE-2025-55234): The risk posed by this vulnerability depends on how the SMB Server is configured, but under the right circumstances it could be used in SMB relay attacks, leading to elevation of privileges. Fortunately, Microsoft has also released an SMB Server Hardening guide alongside this month’s batch of patches that can help mitigate this threat.
- Windows Kernel Elevation of Privilege Vulnerability (CVE-2025-54110): This CVE could allow an attacker to break out of a sandboxed process and gain SYSTEM privileges on a vulnerable system. Fortunately, the exploit appears to require local access: the attacker must have direct access to the system, have already gained SSH access, or trick a user into clicking on a link or opening a malicious document.
Note: each of these vulnerabilities reaches back across Microsoft OS server versions 2008 to 2025, which is a large infrastructure footprint.
Exploit Tales: SAP S/4HANA
This month we’re taking a look at CVE-2025-42957, a code injection vulnerability in SAP’s enterprise resource planning (ERP) software S/4HANA. Successful exploitation can lead to full system takeover, and while not widespread so far, there are reports of this vulnerability being used in the wild. The vulnerability has been given a CVSS score of 9.9.
In order to carry out a successful compromise, all an attacker needs is access to a user account. The attack takes advantage of a weakness in a function module exposed through the Remote Function Call (RFC) communication interface, allowing code to run without the proper authorization checks being enforced.
Successful exploitation effectively works as a backdoor, allowing an attacker to remotely run arbitrary commands on the compromised system. This could lead to the exposure of sensitive information, data exfiltration, fraud, or the attacker using the compromised system to further attacks against an organization.
We recommend patching this vulnerability immediately if your organization uses S/4HANA. If patching is not an immediate option, prevent or limit public exposure of the RFC interface.
While attacks against CVE-2025-42957 are not currently widespread, other SAP vulnerabilities have recently been utilized by bad actors. Several months ago we covered one in SAP NetWeaver, and there are currently 14 SAP vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog. The one currently seeing the most activity, according to telemetry from GreyNoise, is CVE-2022-22536, which allows attackers to tack their own code onto commands sent by the target. At the time of this writing, over 400 IP addresses have been observed attempting to exploit this CVE.
Also, as we were wrapping up this month’s roundup, SAP released a new batch of patches, including one for CVE-2025-42944, which receives a CVSS 3.x score of 10. This vulnerability in NetWeaver could be exploited if an organization accidentally exposes to the internet a port that is used for administering NetWeaver. If this occurs, an attacker could gain the ability to send arbitrary commands to the NetWeaver instance, taking control of the system. We recommend prioritizing the patching of this vulnerability and limiting the exposure of this administrative port on NetWeaver instances.
That’s all we have for this month’s Patch Tuesday blog. If you have questions about the vulnerabilities discussed here, drop us a line.
