
SecureIT Top Vulnerabilities - September 2025



September was another busy month for defenders. Critical flaws emerged across network devices, browsers, mobile platforms, and core Windows services, many of them already exploited in the wild.

These aren’t just technical bugs. They translate directly into downtime, fraud, data loss, and reputational risk if left unpatched. Cisco firewalls, Chrome browsers, Android phones, and even Git developer tools were all targeted, proving that attackers are going after every layer of the enterprise stack.

At SecureIT, we’ve analyzed the month’s top vulnerabilities and prioritized what matters most for organizations like yours. Here’s our roundup and what you should do next.


Cisco Secure Firewall ASA and Secure Firewall Threat Defense. CVE-2025-20333, CVE-2025-20362

What happened

A crafted web VPN request can run code on the firewall without a valid login [remote code execution]. A second flaw lets an attacker jump from admin to root on the device [privilege escalation]. Both issues are being exploited.

Impact

Perimeter firewalls become an entry point. VPN sessions can be hijacked and traffic inspected. Devices may crash or hide traces while attackers move inward and increase incident response cost.

Who is at risk

Any internet-exposed ASA or FTD with VPN web services enabled. Older release trains and end-of-support appliances carry higher risk.

What to do

Update all ASA and FTD to fixed releases and reboot. If patching is delayed, remove web VPN exposure or geofence access and restrict to trusted management networks. Hunt for persistence such as a hidden command page that grants attacker control [web shell] and rotate local and VPN credentials.

Sources: Cisco advisory (Cisco). Independent directive and guidance (CISA).


Cisco IOS and IOS XE. CVE-2025-20352

What happened

A flaw in the SNMP component lets attackers crash systems or run code depending on their access level. Read access can trigger a crash [denial of service]. Admin level access can reach full control [remote code execution].

Impact

Routers and switches can reboot repeatedly. Network service access fails for staff and customers. Orders cannot be placed and SLA credits are triggered.

Who is at risk

Any IOS or IOS XE device with SNMP enabled. Environments with broad SNMP exposure or weak community strings are at higher risk.

What to do

Update to the fixed Cisco releases. Restrict SNMP to management subnets, require SNMPv3, and rotate all community strings and credentials. Monitor for spikes in SNMP queries and unexpected traps from core devices.
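The monitoring advice above (watch for spikes in SNMP queries and for traps going somewhere they should not) can be checked with a few lines of awk over exported flow or firewall logs. The script below is an added example and is not code from Cisco or from this post; it assumes a constructed log format of `<ISO timestamp> <src ip> <dst ip> <proto> <dst port>` and embeds sample lines so it runs offline.

```shell
#!/bin/sh
# Added example, not from the SecureIT post or from Cisco: two checks over
# flow-log lines for the SNMP monitoring advice (query spikes and unexpected
# traps). The log format is constructed for this example:
#   "<ISO timestamp> <src ip> <dst ip> <proto> <dst port>"
# In practice feed it exported NetFlow or firewall logs reshaped that way.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2025-09-25T10:00:01 10.0.50.5 10.0.0.1 udp 161
2025-09-25T10:00:21 10.0.50.5 10.0.0.1 udp 161
2025-09-25T10:00:41 10.0.50.5 10.0.0.1 udp 161
2025-09-25T10:00:50 10.0.50.5 10.0.0.1 tcp 22
2025-09-25T10:01:02 192.168.7.33 10.0.0.1 udp 161
2025-09-25T10:01:03 192.168.7.33 10.0.0.1 udp 161
2025-09-25T10:01:03 192.168.7.33 10.0.0.1 udp 161
2025-09-25T10:01:04 192.168.7.33 10.0.0.1 udp 161
2025-09-25T10:01:04 192.168.7.33 10.0.0.1 udp 161
2025-09-25T10:01:05 192.168.7.33 10.0.0.1 udp 161
2025-09-25T10:02:00 10.0.0.1 10.0.50.5 udp 162
2025-09-25T10:02:30 10.0.0.2 203.0.113.9 udp 162
EOF

# Count SNMP requests (udp/161) per source per minute and print
# "<minute> <source> <count>" for every pair above THRESHOLD.
snmp_query_spikes() {
    logfile=$1; threshold=$2
    awk -v t="$threshold" '
        $4 == "udp" && $5 == 161 {
            minute = substr($1, 1, 16)      # YYYY-MM-DDTHH:MM
            count[minute " " $2]++
        }
        END { for (k in count) if (count[k] > t) print k, count[k] }
    ' "$logfile" | sort
}

# SNMP traps (udp/162) sent anywhere other than the approved collector;
# core devices should only ever trap to the NMS.
unexpected_traps() {
    logfile=$1; collector=$2
    awk -v c="$collector" '
        $4 == "udp" && $5 == 162 && $3 != c { print $2 " -> " $3 }
    ' "$logfile" | sort -u
}

echo "Sources exceeding 5 SNMP requests in a minute:"
snmp_query_spikes "$SAMPLE_LOG" 5
echo "Traps sent to unapproved collectors:"
unexpected_traps "$SAMPLE_LOG" 10.0.50.5
```

The threshold is per source per minute, so the legitimate NMS (three polls in the sample) stays quiet while the unknown host that fires six requests in a few seconds is reported; tune it to your poller's real interval before alerting on it.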

Sources: Cisco advisory (Cisco). Independent coverage (BleepingComputer).


Google Chrome. CVE-2025-10585

What happened

A bug in the JavaScript engine allows a malicious site to run code on the endpoint [remote code execution]. Google confirmed an exploit exists in the wild.

Impact

Login cookies and browser-stored passwords are taken. Business email and SaaS accounts are abused and fraud follows. Incident response and user password resets disrupt work.

Who is at risk

Any Chrome on Windows, macOS, and Linux that has not reached the current stable build.

What to do

Update Chrome to the current stable release across the fleet and force a relaunch. Confirm policy-based auto update is on and audit for unapproved extensions. Increase monitoring for suspicious browser logins and unusual OAuth grants.

Sources: Google Chrome Releases note (Chrome Releases). Independent coverage (SecurityWeek).


Android. CVE-2025-38352, CVE-2025-48543

What happened

A kernel bug and a runtime bug let malicious apps gain system control [privilege escalation]. Google says these were used in limited targeted attacks.

Impact

Compromised phones leak corporate email, files, and authentication seeds. Fraud and unapproved transfers follow. Support queues grow while devices are reimaged.

Who is at risk

Android 13 through 16 devices until they receive the September 2025 patch level. BYOD and field teams are most exposed.

What to do

Update devices to security patch level 2025-09-01 or 2025-09-05. Use MDM to block access for devices below policy and remove risky sideloaded apps. Monitor for unusual data transfers from mobile devices.

Sources: Android Security Bulletin (Android Open Source Project). Independent analysis (SecurityWeek).


Apple iOS, iPadOS, macOS. CVE-2025-43300

What happened

Processing a malicious image can corrupt memory and hand over device control [remote code execution]. Apple backported August fixes to older iPhones, iPads, and Macs after targeted exploitation.

Impact

Executive and staff devices can be monitored. Messages, photos, and microphone access are exposed. Legal and regulatory reporting may follow for privacy impact.

Who is at risk

Unpatched iPhones, iPads, and Macs. Older models still in service are affected and require the backport updates.

What to do

Update to the latest iOS, iPadOS, and macOS releases or the backported security updates for older versions. Enforce updates via MDM and restrict message preview from unknown senders for high-risk users. Consider Apple Lockdown Mode for travel or sensitive roles.

Sources: Apple security update details (Apple Support). Independent coverage (SecurityWeek).


Ivanti Endpoint Manager Mobile. CVE-2025-4427, CVE-2025-4428

What happened

An API login bypass combined with code injection lets attackers run code without credentials [authentication bypass] and [remote code execution]. CISA published malware analysis from a real compromise.

Impact

The mobile device manager becomes an attacker platform. Profiles and certificates are altered. Email and VPN settings are abused to reach internal systems.

Who is at risk

On-premises Ivanti EPMM servers exposed to the internet. Enterprises and public sector organizations with enrolled fleets.

What to do

Update to the fixed EPMM versions and remove direct internet exposure until fully remediated. Hunt for malicious Tomcat listeners and unusual tasks, then rotate admin and service credentials. Review device compliance and reissue affected profiles.

Sources: Ivanti advisory (forums.ivanti.com). CISA malware analysis (CISA).


Microsoft Windows SMB Server. CVE-2025-55234

What happened

Weak SMB authentication handling allows attackers to relay logins to gain higher rights [relay attack] and then raise access [privilege escalation]. Microsoft added audit events to help measure exposure before enforcing stronger settings.

Impact

Attackers move laterally and reach shared data and domain resources. Recovery demands resets for accounts and services. Project timelines slip during containment.

Who is at risk

Domain-joined Windows servers and clients that do not enforce SMB signing or Extended Protection for Authentication.

What to do

Apply the September Windows updates. Use the new audit events to find incompatible clients, then enable SMB signing and Extended Protection for Authentication. Monitor for relay patterns and reset passwords for systems that show exposure.

Sources: Microsoft support guidance on SMB hardening and audit events (Microsoft Support). Independent coverage (The Hacker News).


Libraesva Email Security Gateway. CVE-2025-59689

What happened

A crafted compressed attachment triggers command injection during archive checks. This lets an attacker run commands on the gateway as a low-privilege user [remote code execution]. Libraesva confirmed exploitation by a state actor.

Impact

Email filtering is weakened or bypassed. Credential theft and business email compromise increase. Response teams must inspect mail flow and quarantine affected systems.

Who is at risk

Libraesva ESG from version 4.5 onward that has not been updated. On premises and hosted deployments are affected.

What to do

Update to the fixed ESG builds immediately. Inspect the system for unauthorized accounts, scheduled tasks, and unexpected outbound connections from the gateway. Review recent quarantines and logs for suspicious compressed attachments.
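The three inspection steps above (unauthorized accounts, scheduled tasks, unexpected outbound connections) are the same checks a responder runs on any Linux-based appliance they have shell access to. The script below is an added example, not Libraesva's or SecureIT's code; every input it reads is a constructed sample so it runs offline. On a real gateway you would point the functions at `/etc/passwd` plus a baseline copy taken at deployment, the crontab files, and live `ss -tnp` output.

```shell
#!/bin/sh
# Added example, not Libraesva's or SecureIT's code: three quick checks for
# the post-update inspection advised in the post (unauthorized accounts,
# scheduled tasks, unexpected outbound connections) on a Linux-based gateway.
# All inputs are constructed samples so the script runs offline. IPv4 peers only.

WORK=$(mktemp -d)

# Baseline passwd captured when the appliance was deployed (constructed).
cat >"$WORK/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
esg:x:1000:1000:ESG service:/var/lib/esg:/usr/sbin/nologin
postfix:x:101:103::/var/spool/postfix:/usr/sbin/nologin
EOF
# Current passwd with one account that was never provisioned (constructed).
cat >"$WORK/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
esg:x:1000:1000:ESG service:/var/lib/esg:/usr/sbin/nologin
postfix:x:101:103::/var/spool/postfix:/usr/sbin/nologin
support2:x:1001:1001::/home/support2:/bin/bash
EOF
# System crontab: one legitimate job, one job run out of /dev/shm (constructed).
cat >"$WORK/crontab" <<'EOF'
# m h dom mon dow user command
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * esg /dev/shm/.cache/update
EOF
# `ss -tnp` style output (constructed) and the peers we expect to see.
cat >"$WORK/ss.txt" <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.3.10:25 198.51.100.20:51522 users:(("smtpd",pid=1201,fd=7))
ESTAB 0 0 10.0.3.10:44512 203.0.113.50:443 users:(("curl",pid=4242,fd=3))
ESTAB 0 0 10.0.3.10:51000 10.0.3.20:389 users:(("esg-auth",pid=880,fd=5))
EOF
printf '%s\n' 198.51.100.20 10.0.3.20 >"$WORK/known_peers"

# Usernames present in the current passwd file but absent from the baseline.
new_accounts() {
    cut -d: -f1 "$1" | sort >"$WORK/.base"
    cut -d: -f1 "$2" | sort >"$WORK/.now"
    comm -13 "$WORK/.base" "$WORK/.now"
}

# Cron entries whose command lives in a world-writable scratch directory.
cron_from_scratch_dirs() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

# Established connections to peers outside the known list: prints "<peer> <process>".
unexpected_outbound() {
    awk -v known="$2" '
        BEGIN { while ((getline p < known) > 0) ok[p] = 1 }
        $1 == "ESTAB" {
            split($5, peer, ":")            # IPv4 "addr:port" only
            if (!(peer[1] in ok)) print $5, $6
        }
    ' "$1"
}

echo "New accounts:";           new_accounts "$WORK/passwd.baseline" "$WORK/passwd.now"
echo "Cron from scratch dirs:"; cron_from_scratch_dirs "$WORK/crontab"
echo "Unexpected outbound:";    unexpected_outbound "$WORK/ss.txt" "$WORK/known_peers"
```

The known-peer list is deliberately explicit: a mail gateway should talk to a small, predictable set of hosts (MX peers, directory, update servers), so anything outside that list is worth a second look rather than an automatic verdict.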

Sources: Libraesva advisory (docs.libraesva.com). Independent coverage (SecurityWeek).


Git CLI on developer endpoints and CI. CVE-2025-48384

What happened

Weaponized repositories can write files during submodule setup and trigger scripts to run on the machine [arbitrary code execution]. CISA and vendors warn that exploitation is occurring.

Impact

Developer laptops and build servers become a path to the business. Source code and secrets leak. Release pipelines are tampered with and downstream customers are put at risk.

Who is at risk

Teams that clone third-party repositories or use recursive submodules. CI platforms that fetch unvetted code.

What to do

Update Git to the fixed versions across endpoints and CI images. Disable hooks globally via the configuration path and block recursive clones from untrusted sources until updates are complete. Audit active submodules and rebuild affected CI containers.
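The actions above map to three concrete checks on a developer machine or CI image: confirm the installed Git is at or above the fixed version, point `core.hooksPath` at an empty directory so hooks shipped inside a repository never run, and review `.gitmodules` before any recursive update. The script below is an added example, not the Git project's or SecureIT's code. `MIN_GIT_VERSION` is a placeholder to be filled from the Git advisory, and the `.gitmodules` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the Git project or the SecureIT post: endpoint and
# CI checks for the three actions in the post (fixed Git version, hooks
# disabled via core.hooksPath, submodules audited before any recursive
# update). MIN_GIT_VERSION is a placeholder: take the real fixed version
# from the Git advisory. The .gitmodules sample below is constructed.

MIN_GIT_VERSION="${MIN_GIT_VERSION:-0.0.0}"   # placeholder, see the advisory

# Return 0 when dotted version $1 >= dotted version $2.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Reduce "git version 2.43.0.windows.1" style output to "2.43.0".
parse_git_version() {
    printf '%s\n' "$1" | awk '{print $3}' | sed 's/^\([0-9.]*[0-9]\).*/\1/'
}

# Point core.hooksPath at an empty directory so hooks checked into any
# repository or submodule are never executed on this machine.
disable_repo_hooks() {
    empty_hooks="${1:-$HOME/.git-no-hooks}"
    mkdir -p "$empty_hooks"
    git config --global core.hooksPath "$empty_hooks"
}

# Clone without touching submodules; review .gitmodules before running
# `git submodule update` on anything from a third party.
safe_clone() {
    git -c submodule.recurse=false clone --no-recurse-submodules "$1" "$2"
}

# Submodule URLs in a .gitmodules file whose host is not in the trusted list
# (space separated). Relative URLs have no host and are reported as well.
untrusted_submodules() {
    awk -v trusted="$2" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^[[:space:]]*url[[:space:]]*=/ {
            url = $0; sub("^[^=]*=[[:space:]]*", "", url)
            host = url
            sub("^[a-z+]*://", "", host)    # drop scheme, e.g. https://
            sub("^[^/@]*@", "", host)       # drop user@, e.g. git@
            sub("[/:].*$", "", host)        # keep the host only
            if (!(host in ok)) print url
        }
    ' "$1"
}

SAMPLE_MODULES=$(mktemp)
cat >"$SAMPLE_MODULES" <<'EOF'
[submodule "libs/common"]
    path = libs/common
    url = https://github.com/example-org/common.git
[submodule "vendor/tools"]
    path = vendor/tools
    url = git@git.example.net:third-party/tools.git
EOF

if command -v git >/dev/null 2>&1; then
    v=$(parse_git_version "$(git --version)")
    if version_at_least "$v" "$MIN_GIT_VERSION"; then
        echo "git $v is at or above $MIN_GIT_VERSION"
    else
        echo "git $v is below $MIN_GIT_VERSION: update before cloning third-party code"
    fi
fi
echo "Submodules pointing outside trusted hosts:"
untrusted_submodules "$SAMPLE_MODULES" "github.com"
```

`disable_repo_hooks` and `safe_clone` change the machine's Git configuration and perform a real clone, so the script defines them without calling them; run them explicitly once you have reviewed the paths. An empty `core.hooksPath` directory is a blunt instrument: it also disables hooks your own teams rely on, so CI images that need a linter hook should re-add it from a vetted location rather than from the checked-out repository.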

Sources: Git project advisory (GitHub). Independent analysis and warnings (SecurityWeek).


What to prioritize this week

  1. Patch Cisco ASA and Secure Firewall. Check for persistence before returning devices to service.
  2. Update Cisco IOS and IOS XE. Restrict SNMP to management subnets and move to SNMPv3 only.
  3. Push the Chrome update and force browser relaunch on all desktops.
  4. Move Android devices to the September patch level and block noncompliant phones via MDM.
  5. Apply Apple’s security updates across iOS, iPadOS, and macOS. Enforce updates for older models.
  6. Patch or isolate Ivanti EPMM and hunt for malicious Tomcat listeners.
  7. Apply the Windows SMB updates. Use audit events, then enable SMB signing and Extended Protection.
  8. Update Git on developer machines and CI images. Disable hooks and recursive clones until complete.

Key Takeaways

  • Patch your perimeter first: Cisco ASA/FTD and IOS exposures are being actively exploited.
  • Secure endpoints fast: Chrome, Android, iOS/macOS, and Windows SMB all saw zero-days this month.
  • Don’t forget dev tools: Git vulnerabilities can poison your supply chain just as effectively as compromised npm packages.

At SecureIT, we help businesses:

✔️ Prioritize patches based on real-world exploitation

✔️ Hunt for persistence and backdoors attackers leave behind

✔️ Strengthen defenses against phishing and supply chain compromise

If you’re unsure where to start, or need help reducing patch fatigue, [contact us]. Our team can guide you through immediate fixes and long-term resilience.