
Overview

Adobe released security updates on 9th September patching a range of vulnerabilities identified in a number of its products. These products include Acrobat Reader, After Effects, Dreamweaver and Commerce, amongst other popular Adobe products.

There are several critical vulnerabilities, some of which are listed below:

  • CVE-2025-54257 – Use After Free arbitrary code execution (Acrobat DC/Reader range)
  • CVE-2025-54236 – Improper Input Validation security feature bypass (Adobe Commerce range)
  • CVE-2025-54242 – Use After Free arbitrary code execution (Adobe Premiere Pro)
  • CVE-2025-54256 – Cross-Site Request Forgery (CSRF) arbitrary code execution (Adobe Dreamweaver)

Adobe is not aware of any exploits in the wild for the issues addressed in the updates; however, it is strongly recommended to update to the latest versions as soon as possible.

A full list of Adobe’s latest security updates and their associated CVEs can be found by visiting the link at the bottom of this page.

 

Android published a security bulletin on 2nd September to address over 100 vulnerabilities affecting Android devices. Google has indicated that the vulnerabilities described below may be under some limited targeted exploitation.

  • CVE-2025-38352 – Android Runtime Linux Kernel Race Condition (CVSS: 7.4)
  • CVE-2025-48543 – Use After Free Privilege Escalation (CVSS: 8.8)

 

Microsoft have issued their September security updates to address 86 vulnerabilities. There are no known “zero-day” or actively exploited vulnerabilities; however, 13 of these patched flaws have been flagged as ‘critical’ on the severity scale.

Amongst the security issues listed are vulnerabilities affecting the Windows 10, 11 and Server 2022 operating systems, the Microsoft Office range and Microsoft 365 Apps for Enterprise.

Notable critical vulnerabilities include:

  • CVE-2025-55236 – Windows 10 Version 21H2, Windows Server 2022 RCE (CVSS: 6.4)
  • CVE-2025-54910 – Microsoft Office 2016 (32 & 64 Bit editions) RCE (CVSS: 8.4)
  • CVE-2025-49734 – Windows PowerShell Elevation of Privilege (CVSS: 7.0)
  • CVE-2025-55227 – Microsoft SQL Server Elevation of Privilege (CVSS: 8.8)

 

SAP, a market-leading provider of business applications and technology, have published security advisories to address vulnerabilities in several SAP products, including the NetWeaver range (CVE-2025-42944), Commerce Cloud (CVE-2025-22228) and Supplier Relationship Management (CVE-2025-42920).

These vulnerabilities range from low to critical severity. SAP strongly recommends that customers visit the SAP Support Portal and apply patches as a priority to protect their SAP landscape and connected systems.

 

Ivanti has issued a security notice regarding eleven flaws identified in Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.

  • CVE-2025-55145 – Missing Authorisation flaw – CVSSv3 rating: 8.9
  • CVE-2025-55147 – Cross-Site Request Forgery flaw – CVSSv3 rating: 8.8
  • CVE-2025-55141 – Missing Authorisation flaw – CVSSv3 rating: 8.8
  • CVE-2025-55142 – Missing Authorisation flaw – CVSSv3 rating: 8.8
  • CVE-2025-55148 – Missing Authorisation flaw – CVSSv3 rating: 7.6

In addition to these, the update also mitigates a further six vulnerabilities categorised as medium severity.

 

Recommended Action

Organisations and individuals are encouraged to review the appropriate security advisory pages and apply the updates:

Adobe – Security Bulletin (US Website)

Android – September Security Bulletin

Microsoft – September Security Updates  

SAP – Security Notes (September 2025)

Ivanti – Security Advisory
