Welcome to my September 2025 Patch Monday newsletter! A few of our 3rd party vendors have some high priority updates this month and there are a couple zero-days as well.
Our first zero-day comes from Apple. As I'm sure you are aware Apple had some product releases this month. Along with that are some updates for iOS and iPadOS that address an out-of-bounds zero-day that can cause memory corruption if the user tries to open a malicious image file. You can visit this link and this link to see which devices are affected. With more new devices, Apple now has four separate pages with patch information for just iOS and iPadOS. If you are using an iPhone XS or newer you are currently not affected.
Our next zero-day is from Google. On Sept 17th a stable channel update for Chrome addressed 4 rated "High" vulnerabilities. Of the four, CVE-2025-10585 exists in the wild. In addition to that update there were three other updates in the last 30 days addressing 13 different vulnerabilities with two being rated critical and six rated high including the aforementioned zero-day.
Next up is Adobe. CVE-2025-54236 for Adobe Commerce addresses a Priority 2 Critical vulnerability. It's not a zero-day but it has a CVSS score of 9.1 and doesn't require an authenticated user or admin privileges to exploit. Adobe released a dedicated page with more details and a resolution here. In addition to this is CVE-2025-54261 which is a Critical Priority 1 update for ColdFusion. This path traversal exploit has a CVSS score of 9.0. To read more about the security recommendations from Adobe for this update you can visit their documentation here.
Zoom also had more than the usual amount of updates released this month. Besides these it was a pretty normal month for Mozilla's products.
If there are any additional products you would like to see in the chart below, please let me know.
Be sure to browse the chart below and happy patching!
|
|
So, without further ado, here’s the chart of non-Microsoft 3rd party patches that affect Windows platforms in the past month.
|
Patch data provided by: |
|||||
|
Identifier |
Vendor/ |
Affected Versions |
Date Released |
Vulnerability Info |
Vender Severity / Our Recommedation |
|
Adobe Acrobat Reader |
Reader/DC Continuous |
9/9/2025 |
Arbitrary Code Execution, Security Feature Bypass |
Critical Priority 3: Update at admins discretion |
|
|
Adobe After Effects |
24.6.7 and earlier |
9/9/2025 |
Memory Exposure |
Important Priority 3: Update at admins discretion |
|
|
Adobe Premiere Pro |
25.3 and earlier |
9/9/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Commerce |
Commerce/Magento Open Source 2.4.9-alpha2 and earlier |
9/9/2025 |
Security Feature Bypass |
Critical Priority 2: Update within 30 days |
|
|
Adobe Substance 3D Viewer |
0.25.1 and earlier |
9/9/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admin's discretion |
|
|
Adobe Substance 3D Modeler |
1.22.2 and earlier |
9/9/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admin's discretion |
|
|
Adobe Experience Manager |
6.5 LTS SP1 and earlier |
9/9/2025 |
Security Feature Bypass |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Dreamweaver |
21.5 and earlier |
9/9/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admins discretion |
|
|
Adobe ColdFusion |
2025 Update 3 and earlier |
9/9/2025 |
Arbitrary File System Write |
Critical Priority 1: Update within 72 hours |
|
|
Apple iPadOS |
Before 26 |
9/15/2025 |
Application Termination, Data Leak, DoS, Keylogging, Logic Issue, Memory Corruption, Out of Bounds, Sandbox Breakout, Security Feature Bypass, System Termination, Type Confusion, Unexpected URL Redirect, Use After Free |
Zero Day - Update ASAP - See above for more information about which devices are affected |
|
|
Apple watchOS |
Before 26 |
9/15/2025 |
Application Termination, Data Leak, DoS, Logic Issue, Memory Corruption, Out of Bounds, Sandbox Breakout, Security Feature Bypass |
Update when possible |
|
|
Apple macOS Sequoia |
Before 15.7 |
9/15/2025 |
Application Termination, Buffer Overflow, Data Leak, DoS, Logic Issue, Memory Corruption, Out of Bounds, Privilege Escalation, Sandbox Breakout, Security Feature Bypass, System Termination, User Confusion |
Update after testing |
|
|
Apple macOS |
Before 14.8 |
9/15/2025 |
Application Termination, Data Leak, DoS, Logic Issue, Memory Corruption, Out of Bounds, Privilege Escalation, Race Condition, Sandbox Breakout, Security Feature Bypass, System Termination, User Confusion |
Update after testing |
|
|
Apple macOS Tahoe |
Before 26 |
9/15/2025 |
Application Termination, Data Leak, DoS, Logic Issue, Memory Corruption, Out of Bounds, Privilege Escalation, Race Condition, Sandbox Breakout, Security Feature Bypass, Spoofing, System Termination, User Confusion |
Update after testing |
|
|
Apple Safari |
Before 26 |
9/15/2025 |
Application Termination, Spoofing, Unauthorized Access, URL Redirection |
Update when possible |
|
|
Apple Xcode |
Before 26 |
9/15/2025 |
Process Crash, Remote Code Execution, Sandbox Breakout |
Update when possible |
|
|
Apple visionOS |
Before 26 |
9/15/2025 |
Application Termination, Data Leak, DoS, Logic Issue, Memory Corruption, Out of Bounds, Privilege Escalation |
Update when possible |
|
|
Google |
Before 140.0.7339.185 (Linux) |
9/17/2025 |
Heap Buffer Overflow, Inappropriate Implementation, Type Confusion, Use After Free |
Zero Day - Update ASAP | |
|
Mozilla Thunderbird |
Before 143 |
9/16/2025 |
Arbitrary Code Execution, Information Disclosure, Integer Overflow, Memory Corruption, Sandbox Breakout, Security Feature Bypass, Use After Free |
Update after testing |
|
|
Mozilla Firefox |
Before 143 |
9/16/2025 |
Arbitrary Code Execution, Information Disclosure, Integer Overflow, Memory Corruption, Sandbox Breakout, Security Feature Bypass, Spoofing, Use After Free |
Update after testing |
|
|
Mozilla Firefox ESR |
Before 140.3 |
9/16/2025 |
Arbitrary Code Execution, Information Disclosure, Integer Overflow, Memory Corruption, Sandbox Breakout, Security Feature Bypass, Use After Free |
Update after testing |
|
|
Mozilla Focus for iOS |
Before 143 |
9/16/2025 |
Spoofing |
Update after testing |
|
|
Zoom Workplace Clients |
Workplace for Windows, macOS, Linux before 6.5 |
9/9/2025 |
Buffer Overflow, Denial of Service |
Medium - Update after testing |
|
|
Zoom Workplace for Windows ARM |
Before 6.5 |
9/9/2025 |
Privilege Escalation via Local Access |
High - Update after testing |
|
|
Zoom Workplace Clients |
Workplace Desktop for Windows, macOS, Linux before 6.5 |
9/9/2025 |
Cross Site Scripting, Denial of Service |
Medium - Update after testing |
|
|
Zoom Workplace Clients |
Workplace Desktop, Rooms Controller, Rooms Client and Meeting SDK for Windows before 6.5 |
9/9/2025 |
Incorrect Authorization |
Medium - Update after testing |
|
|
Zoom Workplace VDI Plugin |
macOS Universal Installer for VMware Horizon before 6.4.10/6.2.15/6.3.12 |
9/9/2025 |
Race Condition, Information Disclosure |
Medium - Update after testing |
|
|
Zoom Workplace Clients |
Workplace Desktop for Windows, macOS, Linux before 6.5 |
9/9/2025 |
Uncontrolled Resource Consumption, Denial of Service |
Medium - Update after testing |
|
|
Zoom Workplace Clients |
Workplace Desktop, Rooms Controller, Rooms Client and Meeting SDK for Windows before 6.5 |
9/9/2025 |
Information Disclosure |
Medium - Update after testing |
|
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.
9450 SW Gemini Drive #53822, Beaverton, OR 97008
Note: We do our best to provide quality information and expert commentary but use all information at your own risk.