Black Arrow Cyber Advisory - 10 September 2025 - Security Updates from Microsoft, Adobe, Ivanti, SAP, Fortinet & NVIDIA
Executive Summary
September’s security updates address a wide spectrum of enterprise risks. Microsoft patched critical flaws across Windows, Office, and Azure, while Adobe issued nine product advisories. SAP released 21 new notes, including several high-impact NetWeaver and S/4HANA issues. NVIDIA fixed firmware flaws in DGX/HGX platforms. Fortinet disclosed two medium-severity vulnerabilities in FortiDDoS-F and FortiWeb. Ivanti published 13 vulnerabilities, 11 affecting Connect Secure, Policy Secure, ZTA and Neurons gateways, and 2 in Endpoint Manager, underscoring the importance of promptly securing VPN appliances and management servers. Collectively, these updates emphasise timely patching of Internet-facing and business-critical systems.
Vulnerabilities by Vendor
Microsoft[¹]: 86 vulnerabilities on the official September 2025 Security Update Guide release page, affecting Windows, Microsoft Edge (Chromium-based), Office, .NET/Developer Tools, and Azure components. Prioritise any items rated Critical, privilege escalation chains, and entries marked by Microsoft as “Exploited.”
Adobe[²]: 9 updates released in the September 9 bulletins to address vulnerabilities (Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer/Modeler, Experience Manager, Dreamweaver, ColdFusion). Prioritise server- or Internet-facing workloads (Commerce, ColdFusion) and high-impact desktop estates (Acrobat Reader).
Ivanti[³]: 13 vulnerabilities, comprising 11 in Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access (five high, six medium) and 2 in Endpoint Manager (EPM 2024 SU3 / 2022 SU8) (both high-severity remote code execution requiring user interaction). No exploitation is reported. Prioritise patching Internet-facing gateway appliances and centralised EPM servers; also follow Ivanti’s guidance to avoid exposing admin portals to the Internet.
SAP[⁴]: 21 vulnerabilities addressed in Security Notes released on 9 September, affecting core platforms including NetWeaver, S/4HANA, Business One, LT Replication Server, Fiori, and BusinessObjects, among others. Prioritise Critical NetWeaver issues and high-severity input validation and authentication weaknesses in S/4HANA and LT.
Fortinet[⁵]: 2 vulnerabilities, affecting FortiDDoS-F (OS command injection, CVSS 6.5) and FortiWeb (path traversal, CVSS 4.7). Both are medium-severity but exploitable by privileged or authenticated users. Prioritise updates for Internet-facing FortiWeb deployments and ensure FortiDDoS-F appliances are upgraded to fixed releases.
NVIDIA[⁶]: 2 vulnerabilities in HGX/DGX vBIOS and LS10 components (CVE-2025-23301, CVE-2025-23302). Prioritise firmware updates in AI/accelerator infrastructure (DGX/HGX), especially shared or multi-tenant environments.
What’s the risk to me or my business?
The presence of actively exploited zero-days and critical RCE/privilege escalation vulnerabilities across major enterprise platforms significantly elevates the risk of data breaches, lateral movement, malware deployment, and full system compromise.
What can I do?
Black Arrow recommends promptly applying the available security updates for all affected products. Prioritise patches for vulnerabilities that are actively exploited or rated as critical or high severity. Regularly review and update your organisation's security policies and ensure that all systems are running supported and up-to-date software versions.
Footnotes:
¹ Microsoft Security Update Guide (September 2025 release): https://msrc.microsoft.com/update-guide/releaseNote/2025-Sep
² Adobe Security Bulletins and Advisories: https://helpx.adobe.com/security/security-bulletin.html
³ Ivanti September 2025 Security Update: https://www.ivanti.com/blog/september-2025-security-update
⁴ SAP Security Patch Day September 2025: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
⁵ Fortinet PSIRT Advisories: https://www.fortiguard.com/psirt/FG-IR-25-512 ; https://www.fortiguard.com/psirt/FG-IR-24-344
⁶ NVIDIA Security Bulletin: NVIDIA HGX and DGX VBIOS and LS10 – September 2025: https://nvidia.custhelp.com/app/answers/detail/a_id/5674/~/security-bulletin%3A-nvidia-hgx-and-dgx-vbios-and-ls10---september-2025