In this week’s Security Advisory
- SAP Patches Critical NetWeaver Vulnerabilities
- Veeam Patches Three Vulnerabilities in Backup & Replication
- Fortinet Patches High-Severity Vulnerabilities
- Microsoft’s October Patch Tuesday Release
- Juniper Networks October Patch Release
- Security Updates for Adobe
SAP Patches Critical NetWeaver Vulnerabilities
SAP has released 16 new patches in its October Patch Cycle, including another fix for CVE-2025-42944 (CVSS 10/10). This is described as a deserialization vulnerability in NetWeaver that can be exploited by an unauthenticated user. These patches also resolve two more critical vulnerabilities, CVE-2025-42937 (CVSS 9.8) and CVE-2025-42910 (CVSS 9.0).
More Reading / Information
Original Advisory:
SAP has patched three critical severity vulnerabilities, CVE-2025-42944 (CVSS 10/10), CVE-2025-42922 (CVSS 9.9/10), and CVE-2025-42958 (CVSS 9.1/10), in its NetWeaver product that could lead to remote code execution and arbitrary file upload if exploited. This comes days after CVE-2025-42957 (CVSS 9.9/10) from last month’s patch cycle was confirmed to be exploited in the wild. If those patches have not been applied yet, it is highly recommended to do so.
Affected Versions
- A full list of affected versions can be found here.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html
- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
Veeam Patches Three Vulnerabilities in Backup & Replication
Veeam has released patches for three vulnerabilities in its Backup & Replication product that could expose organizations to remote code execution and privilege escalation. The first critical-severity flaw, CVE-2025-48983 (CVSS 9.9/10), stems from insufficient input validation in the Mount service. The second critical flaw, CVE-2025-48984 (CVSS 9.9/10), permits remote code execution on the backup server by an authenticated domain user.
Affected Versions
- Veeam Backup & Replication v12 and earlier.
Recommendations
- Apply the 12.3.2.4165 patch to Veeam Backup & Replication v12.
More Reading / Information
Fortinet Patches High-Severity Vulnerabilities
Fortinet has released patches for 30 vulnerabilities as part of its October Patch Tuesday updates. Several of the vulnerabilities have been assigned a high severity rating, including CVE-2025-54988, which affects FortiDLP through its use of Apache Tika, a component containing a sensitive-data read flaw. The remaining patches address issues that can be exploited for arbitrary code execution, denial of service, cross-site scripting, privilege escalation, and more.
Of note, CyberMaxx has already applied mitigations for these vulnerabilities across its own equipment.
Affected Versions
- For a full list of affected products and versions, click here.
Recommendations
- Please apply the latest patches.
More Reading / Information
- https://www.fortiguard.com/psirt/FG-IR-24-457
- https://www.securityweek.com/high-severity-vulnerabilities-patched-by-fortinet-and-ivanti/
Microsoft’s October Patch Tuesday Release
Microsoft has released its Patch Tuesday updates for October, covering security fixes for 172 vulnerabilities. These include six zero-day vulnerabilities and eight critical vulnerabilities, five of which are remote code execution flaws and three of which are elevation of privilege flaws.
The two Windows zero-days that have come under active exploitation are as follows:
- CVE-2025-24990 (CVSS score: 7.8/10) – Windows Agere Modem Driver (“ltmdm64.sys”) Elevation of Privilege Vulnerability
- CVE-2025-59230 (CVSS score: 7.8/10) – Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability
Affected Versions
- A full list of affected versions can be found here.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html
Juniper Networks October Patch Release
Juniper Networks has released patches for over 200 vulnerabilities in Junos Space and Junos Space Security Director. The most severe is CVE-2025-59978 (CVSS 9/10), a cross-site scripting vulnerability that could allow an attacker to store script tags and execute commands with admin privileges. Juniper stated that it is not aware of any of these vulnerabilities being exploited in the wild.
Affected Versions
- A full list of affected versions can be found here.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://www.securityweek.com/juniper-networks-patches-critical-junos-space-vulnerabilities/
- https://supportportal.juniper.net/s/global-search/%40uri#sortCriteria=date%20descending&f-sf_primarysourcename=Knowledge&f-sf_articletype=Security%20Advisories&numberOfResults=25
Security Updates for Adobe
Adobe released patches for 60 vulnerabilities affecting Adobe Connect, Commerce, Magento, and other products. Successful exploitation of these issues could lead to code execution, privilege escalation, bypass of security features, and arbitrary read access to the file system.
Affected Versions
- A full list of affected versions can be found here.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://helpx.adobe.com/security.html
- https://www.securityweek.com/adobe-patches-critical-vulnerability-in-collaboration-suite/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch will be issued for newly discovered vulnerabilities. Likewise, CyberMaxx strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps inform and support your patch and vulnerability management program.