Good Morning Security Gang!
It’s Wednesday, September 10th, 2025, and welcome back to the CyberHub Podcast. Yesterday was Patch Tuesday - the one day a month where every vendor on the planet drops vulnerabilities like confetti.
We’ve got 81 fixes from Microsoft, critical patches from Adobe, SAP, Ivanti, Fortinet, Rockwell, Siemens, and more. Plus, a new ransomware bounty, Apple’s new security feature, Docker exploitation campaigns, and some big shifts in U.S. cyber policy with Cyber Command and NSA. Espresso in hand—let’s get into it.
"Yesterday was that one day a month where everyone decides that we're going to just post all of their vulnerabilities simultaneously out there for everyone to see. And maybe that way we can fix cyber - not the best idea on the planet, but nonetheless, Patch Tuesday!" – James Azar
🛠 Microsoft Patch Tuesday – 81 Flaws Fixed
Microsoft released patches for 81 vulnerabilities, including two publicly disclosed zero-days:
CVE-2025-55234 – Windows SMB elevation of privilege flaw, already seeing exploit attempts.
"SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks," explains Microsoft.
Microsoft says that Windows already includes settings to harden the SMB Server against relay attacks, including enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA).
However, enabling these features could cause compatibility issues with older devices and implementations.
Microsoft recommends that admins enable auditing on SMB servers to determine if they will encounter any issues when those hardening features are fully enforced.
"As part of the Windows updates released on and after September 9, 2025 (CVE-2025-55234), support is enabled for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA," explains Microsoft.
Microsoft has not attributed the flaw to any researchers, and it is unclear where it was disclosed.
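The three-step approach Microsoft describes above (audit first, review which clients would break, then enforce signing and EPA) maps onto a short PowerShell workflow. The block below is an added example written for these show notes; it is not code from the podcast or from Microsoft. It assumes an elevated PowerShell on a Windows Server 2025 or Windows 11 24H2 host with the September 2025 update applied. The `RequireSecuritySignature`, `EnableSecuritySignature`, `EncryptData`, `RejectUnencryptedAccess` and `EnableSMB1Protocol` properties are long-standing; the audit switch names (`AuditClientDoesNotSupportSigning`, `AuditClientDoesNotSupportEncryption`), the `SmbServerNameHardeningLevel` EPA parameter and the `Microsoft-Windows-SMBServer/Audit` channel are stated from memory of Microsoft's SMB auditing documentation and should be confirmed with `Get-Help Set-SmbServerConfiguration` before use.

```powershell
# Added example, not from the CyberHub Podcast or Microsoft: audit, then harden,
# SMB Server against relay attacks (the mitigation path described for CVE-2025-55234).
# Run elevated on Windows Server 2025 / Windows 11 24H2 with the September 2025 update.

function Get-SmbRelayPosture {
    # Snapshot of the server-side settings that decide whether a relayed session is accepted.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SigningRequired    = $cfg.RequireSecuritySignature
        SigningEnabled     = $cfg.EnableSecuritySignature
        EncryptionRequired = ($cfg.EncryptData -and $cfg.RejectUnencryptedAccess)
        Smb1Enabled        = $cfg.EnableSMB1Protocol   # SMB1 cannot do modern signing; retire it
    }
}

function Enable-SmbCompatibilityAudit {
    # Step 1, non-disruptive: log clients that would fail once signing / EPA is enforced.
    # ASSUMPTION: parameter names follow Microsoft's SMB signing/encryption auditing docs.
    Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true -Force
    Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true -Force
}

function Get-SmbIncompatibleClients {
    param([int]$Days = 14)
    # Step 2: review the audit channel over a full patch cycle before enforcing.
    # Event IDs are deliberately not hard-coded; filter on the channel and message text.
    # ASSUMPTION: channel name 'Microsoft-Windows-SMBServer/Audit'.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'signing|Extended Protection' } |
        Select-Object TimeCreated, Id, Message |
        Sort-Object TimeCreated -Descending
}

function Enable-SmbRelayHardening {
    # Step 3: enforce once the audit log shows no legacy clients.
    # Mandatory signing defeats the classic NTLM relay against SMB.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # EPA / SPN target-name validation. ASSUMPTION: 'SmbServerNameHardeningLevel'
    # is the Server 2025 parameter (0 = off, 1 = accept if provided, 2 = required).
    Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force
}

# Typical sequence:
# Get-SmbRelayPosture
# Enable-SmbCompatibilityAudit          # then wait one patch cycle
# Get-SmbIncompatibleClients -Days 14   # an empty list means enforcement is safe
# Enable-SmbRelayHardening
# Get-SmbRelayPosture                   # confirm SigningRequired is now True
```

The point of the ordering is the compatibility issue the notes mention: switching `RequireSecuritySignature` on without the audit pass is how file shares for printers, NAS appliances and old scanners silently break, so the audit functions run first and the hardening function last.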
CVE-2024-21907 – A JSON deserialization issue leading to denial of service. Microsoft has fixed a previously known vulnerability in Newtonsoft.Json that is included as part of Microsoft SQL Server.
"CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1," explains Microsoft.
"Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition."
"The documented SQL Server updates incorporate updates in Newtonsoft.Json which address this vulnerability."
This flaw was publicly disclosed in 2024.
In total: 41 EoP (Elevation of Privilege) flaws, 22 RCE (Remote Code Execution), 16 information disclosure, 3 DoS (Denial of Service), 2 security feature bypass, and 1 spoofing. Nine were critical, five of which were RCE.
🎯 Adobe SessionReaper & Magento Vulnerabilities
Adobe patched nearly two dozen vulnerabilities. The most critical:
CVE-2025-54261 – Path traversal in ColdFusion, CVSS 9.0.
CVE-2025-54236 “SessionReaper” – Impacts Magento/Commerce, allowing unauthenticated RCE and account takeover.
Other fixes covered Reader, Premiere Pro, Substance 3D, Dreamweaver, and more.
⚙ SAP NetWeaver Critical Flaws
SAP issued 21 advisories, including:
CVE-2025-42944 – Insecure deserialization in NetWeaver with CVSS 10.0, enabling unauthenticated attackers to execute arbitrary OS commands.
CVE-2025-42922 – Insecure file operations, CVSS 9.9.
Other flaws affected Business One, SLT Replication, and S/4 HANA.
🖥 Ivanti, Fortinet, Nvidia & OT Vendors Patch
Ivanti: Fixed two high-severity remote code execution flaws in Endpoint Manager and six more in Connect Secure, ZTA, and Neurons.
Fortinet: Medium OS command injection in FortiDDoS and path traversal in FortiWeb.
Nvidia: Two flaws in NV Debug Tool fixed in v1.7.0, including privilege escalation.
Rockwell, Siemens, Schneider, Phoenix Contact, Honeywell: Dozens of advisories, many RCE and data exposure bugs across SCADA, BMS, and ICS products.
🇺🇸 NSA & Cyber Command Leadership Stays Dual-Hat
After months of speculation, the White House confirmed NSA and U.S. Cyber Command will remain under a single leader, citing the importance of unified direction in cyber conflict. The decision was supported by Secretary of War Pete Hegseth, Director of National Intelligence Tulsi Gabbard, and Secretary of State and National Security Advisor Marco Rubio.
🇺🇸 New Cyber Director Sean Cairncross Sets Policy Direction
At the Billington Cyber Summit, new Cyber Director Sean Cairncross echoed Trump’s “America First” vision, stressing:
Ransomware, espionage, and critical infrastructure pre-positioning are top concerns.
The U.S. lacks strategic coherence in cyber policy.
His office will prioritize American citizens and businesses first in cyber defense.
Cairncross said: “Today, I seek your engagement and your help. Together, by putting American citizens first, by putting American companies first, we'll put America First, and that's the point.” He added: “Our way of life, our day-to-day, depends on an open and secure cyberspace.”
He continued: “We have all the tools we need, and now we have the political will in place to address these challenges. We must work together, using all of our nation's cyber capabilities, to shape adversary behavior and, most importantly, shift the burden of risk in cyberspace from Americans to them. That's what my team and I are here to do.”
🍏 Apple’s “Memory Integrity Enforcement” Feature
Apple introduced MIE protection, an always-on memory safety feature aimed at spyware mitigation on iPhones. It raises the bar for attackers exploiting memory flaws, though researchers note exploitation workarounds will eventually emerge.
🐳 Docker Exploitation Evolves
Threat actors updated tooling to target exposed Docker APIs (port 2375), shifting from crypto mining to botnet-style infrastructure. Attackers use modified Alpine images with Tor, cron jobs, and hidden services to maintain persistence and block defenders.
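The exposure these campaigns rely on is a Docker daemon that listens on plaintext TCP 2375 with no client authentication. The block below is an added example for these show notes, not code from the podcast, Docker, or the research being reported: it audits a `daemon.json` for that condition (the weak and hardened configurations are constructed samples), and on a Windows host adds a firewall rule for the action item "block port 2375 if exposed". `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real `daemon.json` keys; PowerShell 7 runs the audit function on Linux hosts as well, while `New-NetFirewallRule` is Windows-only.

```powershell
# Added example, not from the podcast or Docker: flag an unauthenticated Docker API
# listener in daemon.json and block inbound 2375 on a Windows host.

# Constructed sample of the weak configuration the campaigns above look for.
$SampleWeakDaemonJson = @'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
'@

# Constructed hardened sample: remote access only over mutually authenticated TLS on 2376.
$HardenedDaemonJson = @'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
'@

function Test-DockerApiExposure {
    param([Parameter(Mandatory)][string]$DaemonJson)
    $cfg = $DaemonJson | ConvertFrom-Json
    $findings = @()
    $listeners = if ($cfg.PSObject.Properties['hosts']) { @($cfg.hosts) } else { @() }
    $tlsVerify = [bool]$cfg.tlsverify            # $null when the key is absent -> $false

    foreach ($h in $listeners) {
        # Only tcp:// listeners are reachable from the network; the unix socket is not.
        if ($h -notmatch '^tcp://(?<addr>[^/]*):(?<port>\d+)$') { continue }
        $addr = $Matches.addr
        $port = [int]$Matches.port

        if (-not $tlsVerify) {
            $findings += "Plaintext Docker API on $h without tlsverify: unauthenticated remote control of the daemon"
        }
        if ($port -eq 2375) {
            $findings += "Listener uses the well-known unauthenticated port 2375"
        }
        if ($addr -in @('0.0.0.0', '[::]', '')) {
            $findings += "Listener bound to all interfaces ($addr); restrict to a management address or firewall it"
        }
    }
    return $findings
}

function Block-DockerApiPort {
    # Windows Defender Firewall rule for the action item; use the distro firewall on Linux.
    New-NetFirewallRule -DisplayName 'Block Docker API 2375 inbound' -Direction Inbound `
        -Protocol TCP -LocalPort 2375 -Action Block -Profile Any
}

Test-DockerApiExposure -DaemonJson $SampleWeakDaemonJson   # three findings
Test-DockerApiExposure -DaemonJson $HardenedDaemonJson     # one finding: bound to all interfaces
```

The hardened sample still trips the all-interfaces check on purpose: TLS client authentication removes the unauthenticated-control problem, but a daemon that must be reachable remotely should still be bound to a management address or placed behind a firewall, which is why the last check does not go away when `tlsverify` is set.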
💰 $10M Ransomware Bounty
The U.S. State Department offered a $10 million bounty for information on Volodymyr Tymovych (aka “Boba” or “Dead4s”), indicted for operating LockerGoga, MegaCortex, and Nephilim ransomware. He and his crew hit 250+ organizations worldwide, causing hundreds of millions in losses.
🧠 James Azar’s CISO Take
Patch Tuesday this month reminds us that attackers don’t need to invent zero-days - they just wait for our patch cycles to lag. From SessionReaper in Magento to SAP’s deserialization flaw, the time between disclosure and exploitation is shrinking to days, even hours. This isn’t just about vulnerability management, it’s about operational maturity. CISOs must measure themselves by time-to-patch and time-to-mitigate.
The other theme is strategy and policy alignment. From NSA/Cyber Command leadership to Sean Cairncross’s America First cyber agenda, the U.S. is moving toward a more unified vision. Add Apple’s new MIE feature and Docker exploitation evolution, and it’s clear: we’re in an era where resilience and governance are as critical as technical controls. The question for CISOs is whether you’re prepared to align both.
✅ Action Items
🔐 Patch Microsoft SMB zero-day (CVE-2025-55234) and Adobe ColdFusion/Magento immediately.
⚙ Update SAP NetWeaver, Business One, and S/4 HANA to mitigate RCE risks.
🛡 Apply Ivanti, Fortinet, Nvidia, Rockwell, Siemens, and Schneider advisories—treat OT patches as priority.
🐳 Audit Docker APIs; block port 2375 if exposed.
🍏 Prepare for Apple’s MIE enforcement rollout—train SOC on memory exploitation detection.
💰 Track ransomware actor Volodymyr Tymovych; share intel with law enforcement if seen.
📊 Measure and improve time-to-patch and time-to-mitigate KPIs.