September 2025 Patch Tuesday
Key Takeaways
- Most of this month's risk landed in the days leading up to Patch Tuesday, with zero-day vulnerabilities in Android (CVE-2025-38352, CVE-2025-48543), WhatsApp (CVE-2025-55177) and WinRAR (CVE-2025-8088).
- Microsoft resolved 81 new CVEs, including two public disclosures. Eight CVEs are rated Critical by Microsoft (five RCE, two Elevation of Privilege, one Information Disclosure) and affect the Windows OS and Office.
- Adobe released nine updates addressing 22 CVEs. Adobe has rated the ColdFusion update as a priority one and Commerce as a priority two.
The days leading into September Patch Tuesday brought a bit of chaos: a pair of actively exploited Android CVEs (CVE-2025-38352, CVE-2025-48543), a zero-day in WhatsApp (CVE-2025-55177), another zero-day in WinRAR (CVE-2025-8088), and a major supply chain attack through the Drift AI Chat Agent that exposed Salesforce customer data.
The good news is that Microsoft has only a pair of publicly disclosed vulnerabilities (CVE-2025-55234, CVE-2024-21907) out of 81 total CVEs resolved this month, and none reported as exploited in the wild, making this about as close to a calm Patch Tuesday as we can hope for.
The Windows OS and Office updates are rated Critical this month, making them the highest priority, but with no zero-day exploits in Microsoft's list, this month can be treated as routine maintenance from a Microsoft perspective.
Microsoft’s publicly disclosed vulnerabilities
Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB (CVE-2025-55234), which Microsoft has confirmed was publicly disclosed before the update shipped. Microsoft rates the CVE as Important; it carries a CVSS v3.1 base score of 8.8 and affects all supported Windows OS editions. The CVSS temporal metric for exploit code maturity is Unproven, which indicates no working exploit code has been disclosed. A risk-based prioritization methodology would still warrant treating this as Important rather than Critical.
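Because this is an SMB elevation-of-privilege issue, the configuration most worth knowing before the patch lands is whether SMB signing is required on the host. The PowerShell below is an added example, not code from the original post or from Ivanti or Microsoft; it reads the server- and client-side signing settings with the standard SmbShare cmdlets and flags the weak ones. That signing is the relevant hardening for this particular CVE is an assumption to confirm against Microsoft's advisory; the cmdlets and properties used are real.

```powershell
# Added example (not from the original post): audit SMB signing posture on a Windows host.
# Assumption: signing is the hardening most relevant to an SMB elevation-of-privilege bug
# such as CVE-2025-55234; verify against Microsoft's advisory for the exact mitigations.
# Requires the SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt.

function Get-SmbSigningPosture {
    [CmdletBinding()]
    param()

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerSigningEnabled  = $server.EnableSecuritySignature
        ServerSigningRequired = $server.RequireSecuritySignature
        ClientSigningEnabled  = $client.EnableSecuritySignature
        ClientSigningRequired = $client.RequireSecuritySignature
        Smb1Enabled           = $server.EnableSMB1Protocol
    }
}

function Test-SmbSigningPosture {
    param([Parameter(Mandatory)] $Posture)

    $findings = @()
    if (-not $Posture.ServerSigningRequired) {
        # "Enabled" only offers signing; "Required" is what stops an unsigned relayed session.
        $findings += 'SMB server does not require signing (relay exposure).'
    }
    if (-not $Posture.ClientSigningRequired) {
        $findings += 'SMB client does not require signing.'
    }
    if ($Posture.Smb1Enabled) {
        $findings += 'SMBv1 is enabled; disable it unless a legacy dependency still needs it.'
    }
    return $findings
}

$posture  = Get-SmbSigningPosture
$posture | Format-List
$findings = Test-SmbSigningPosture -Posture $posture

if ($findings.Count -eq 0) {
    Write-Host 'SMB signing is required on both server and client.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Remediation, to enable after testing against clients that cannot sign
    # (some legacy NAS devices and printers): requiring signing breaks those sessions.
    # Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
```

Run it on a representative file server and a workstation before rolling the September update; if either side reports signing not required, plan the `Set-Smb*Configuration` change as its own tracked task, since it is a behaviour change for every SMB peer, not part of the patch.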
Microsoft has resolved an Improper Handling of Exceptional Conditions vulnerability in the Newtonsoft.Json library (CVE-2024-21907), which Microsoft has confirmed is publicly disclosed. Microsoft has not assigned the CVE a severity rating; it affects SQL Server 2016, 2017 and 2019 through the library they bundle. Depending on how the library is used, an unauthenticated remote attacker may be able to trigger a denial-of-service condition. A risk-based prioritization methodology would warrant treating this as Important.
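Because the CVE is in a bundled library rather than in SQL Server's own code, the quickest triage is to inventory the Newtonsoft.Json.dll copies on the host and compare their file versions with 13.0.1, the version the upstream Newtonsoft.Json advisory for CVE-2024-21907 names as fixed. The PowerShell below is an added example, not code from the original post or from Ivanti or Microsoft. The search roots are the default SQL Server install locations and are an assumption; whether the SQL Server update swaps the DLL in place is not stated on this page, so treat an old version as a reason to confirm patch state, not as proof the host is unpatched.

```powershell
# Added example (not from the original post): inventory Newtonsoft.Json.dll under the
# SQL Server install roots and flag copies older than 13.0.1, the fixed version named in
# the upstream advisory for CVE-2024-21907.
# Assumptions: default install paths below; adjust $searchRoots for custom locations.

$fixedVersion = [version]'13.0.1.0'
$searchRoots  = @(
    "$env:ProgramFiles\Microsoft SQL Server",
    "${env:ProgramFiles(x86)}\Microsoft SQL Server"
) | Where-Object { Test-Path $_ }

function Get-NewtonsoftJsonInventory {
    param([string[]] $Roots, [version] $Fixed)

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'Newtonsoft.Json.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # FileVersion is a plain dotted string; ProductVersion may carry a suffix, so parse FileVersion.
                $fv     = $_.VersionInfo.FileVersion
                $parsed = $null
                $ok     = [version]::TryParse($fv, [ref]$parsed)
                $vulnerable = if ($ok) { $parsed -lt $Fixed } else { $null }   # $null = could not parse

                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $fv
                    Vulnerable  = $vulnerable
                }
            }
    }
}

$inventory = Get-NewtonsoftJsonInventory -Roots $searchRoots -Fixed $fixedVersion
$inventory | Sort-Object Vulnerable -Descending | Format-Table -AutoSize

$old = @($inventory | Where-Object { $_.Vulnerable -eq $true })
if ($old.Count -gt 0) {
    Write-Warning ("{0} copy/copies of Newtonsoft.Json.dll below {1} found; confirm the September SQL Server update is installed." -f $old.Count, $fixedVersion)
} elseif ($inventory.Count -eq 0) {
    Write-Host 'No Newtonsoft.Json.dll found under the SQL Server install roots.'
} else {
    Write-Host 'All Newtonsoft.Json.dll copies are at or above the fixed version.'
}
```

Widen `$searchRoots` to application directories as well: any in-house .NET service that deserialises untrusted JSON with an old Newtonsoft.Json is exposed to the same crafted-input denial of service regardless of the SQL Server update.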
Third-party vulnerabilities
Adobe has released nine updates resolving 22 CVEs, 12 of which are rated Critical. The products affected include Adobe Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer, Experience Manager, Dreamweaver, Substance 3D Modeler and ColdFusion. Adobe has rated the ColdFusion update as a priority one and Commerce as a priority two. The other seven updates are rated priority three.
Ivanti security advisories
Ivanti has released two updates for September Patch Tuesday resolving a total of 13 CVEs. The affected products are Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Endpoint Manager (EPM).
For more details, you can view the updates and information provided in the September Security Update on the Ivanti blog.
September update priorities
With no zero-days among the updates released on Patch Tuesday, this month's updates are predominantly low risk. Make sure the zero-days disclosed in the days leading up to Patch Tuesday (Android, WhatsApp and WinRAR above) are already in hand, then deploy the Microsoft and Adobe updates through your regular maintenance activities this month.