Overview
Google has rolled out Chrome version 140.0.7339.185/.186 for Windows and macOS, and 140.0.7339.185 for Linux. The update will be distributed gradually over the next several days and weeks.
This release addresses four high-severity security flaws, one of which (CVE-2025-10585) is already known to be actively exploited.
- CVE-2025-10585 – Type confusion in V8 (High)
- CVE-2025-10500 – Use-after-free in Dawn (High)
- CVE-2025-10501 – Use-after-free in WebRTC (High)
- CVE-2025-10502 – Heap buffer overflow in ANGLE (High)
Microsoft has released security updates addressing 86 vulnerabilities across Windows and related products as part of its September 2025 Patch Tuesday. The patches are being made available to customers this week. According to Microsoft, none of the issues are known to be actively exploited at the time of release, though eight vulnerabilities have been marked as ‘exploitation more likely’.
Notable vulnerabilities include:
- CVE-2025-55232 – Remote Code Execution in HPC Pack (CVSS 9.8, Critical)
- CVE-2025-54106 – Remote Code Execution in Routing and Remote Access Service (High severity)
- CVE-2025-54113 – Remote Code Execution in Routing and Remote Access Service (High severity)
- CVE-2025-54897 – Remote Code Execution in SharePoint (High severity)
- CVE-2025-54910 – Remote Code Execution in Office (High severity)
- CVE-2025-55227 – Privilege Escalation in SQL Server (High severity)
These vulnerabilities affect a range of Microsoft products and services, including Windows kernel components, SMB, NTLM, Hyper-V, SQL Server, SharePoint, and Office.
SAP has issued security updates fixing four critical vulnerabilities in NetWeaver and one high-severity flaw in S/4HANA. The updates come as part of its September 2025 patch cycle.
These vulnerabilities include:
- CVE-2025-42944 — Insecure deserialisation in the RMI-P4 module of NetWeaver. Score: 10.0. Allows unauthenticated attackers to submit a malicious payload to an open port and execute operating-system commands.
- CVE-2025-42922 — Insecure file operations in NetWeaver AS Java’s Deploy Web Service. Score: 9.9. Allows authenticated non-administrative users to upload arbitrary files, potentially leading to full system compromise.
- CVE-2025-42958 — Missing authentication check in NetWeaver on IBM i-series. Score: 9.1. Allows high-privileged or privileged users to read, modify, or delete sensitive information or access privileged functionality.
- CVE-2023-27500 — Directory traversal defect in NetWeaver AS for ABAP and ABAP Platform. Score: 9.6. (Note: this was an update to a previously released security note.)
Also included:
- CVE-2025-42916 — Input validation bug in S/4HANA. Score: 8.1. Requires high privilege; allows deletion of database table content if the table is not protected by an authorisation group.
There is no evidence to date that any of the newly disclosed NetWeaver or S/4HANA vulnerabilities above are currently being exploited in the wild. However, one previously patched flaw (CVE-2025-42957) in S/4HANA is known to have seen active exploitation.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Google Chrome – Chrome Releases
Microsoft – Release Notes
SAP – Security Patch Day
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.