Black Arrow Cyber Advisory - 12 November 2025 - Security Updates from Microsoft, Adobe and SAP

12 Nov

Executive Summary

This month’s Patch Tuesday features updates from Microsoft, Adobe and SAP. Microsoft’s release spans Windows, Microsoft 365/Office components and server/identity platforms. Adobe has posted product-specific advisories across its portfolio. SAP published its November Patch Day with a notable volume of new Security Notes. Prioritise internet-facing systems, identity infrastructure and widely deployed desktop applications, with emphasis on critical remote code execution and privilege escalation fixes.

Vulnerabilities by Vendor

Microsoft addressed 63 vulnerabilities impacting Windows, Windows Components, Office, Office Components, Edge, Azure Monitor Agent, Dynamics 365, Hyper-V, SQL Server, and WSL (Windows Subsystem for Linux) GUI. Four of these vulnerabilities are rated as Critical and 59 are rated Important. No vulnerabilities addressed this month were publicly known at the time of release and none are known to be under active exploitation.

Adobe updated addresses 29 vulnerabilities across InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins products. Critical arbitrary code execution vulnerabilities were addressed in InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager, and Format Plugins. Adobe says there is no evidence that any of these vulnerabilities are known to have been exploited in the wild.

SAP addressed 19 security vulnerabilities this month, including a critical flaw in SQL Anywhere Monitor and other vulnerabilties relating to Solution Manager, CommonCryptoLib, NetWeaver AS ABAP/Java, S/4HANA components, Business Connector, SAP GUI.

What’s the risk to me or my business?

The presence of actively exploited zero-days and critical RCE/privilege escalation vulnerabilities across major enterprise platforms significantly elevates the risk of data breaches, lateral movement, malware deployment, and full system compromise.

What can I do?

Black Arrow recommends promptly applying the available security updates for all affected products. Prioritise patches for vulnerabilities that are actively exploited or rated as critical or high severity. Regularly review and update your organisation's security policies and ensure that all systems are running supported and up-to-date software versions.