September continues a similar trend with the vulnerability metrics. The number of vulnerabilities increased from 92 to 101. Similarly, the number of versions released, and vulnerable applications had a slight increase.
Notable Vulnerabilities in September 2025 Third-Party Patches
Highest CVSS and average CVSS continue to follow very similar trends compared to earlier months. There is also only one confirmed exploitation in the wild when considering these applications. The highest EPSS rating took a jump to 0.461.
CVE-2025-10585 is a critical zero-day vulnerability in Google Chrome’s V8 JavaScript and WebAssembly engine, discovered by Google’s Threat Analysis Group on September 16, 2025. It is classified as a type confusion flaw, where the browser misinterprets memory objects, potentially allowing attackers to execute arbitrary code, corrupt memory, or crash the browser.
This vulnerability has been actively exploited in the wild, often via malicious web pages, and poses a high risk to users of Chrome and other Chromium-based browsers (e.g., Edge, Brave, Opera). More information about the vulnerability can be found on Chrome Releases.
CVE-2024-45337 is a high severity vulnerability in the golang.org/x/crypto SSH implementation, specifically related to the misuse of the ServerConfig.PublicKeyCallback API. Applications and libraries that incorrectly assume the order of keys passed to this callback can make flawed authorization decisions, leading to authorization bypass. CVSS rating for this vulnerability is 9.1 and EPSS rating is 0.460, indicating a moderate likelihood of exploitation in the wild. This vulnerability impacts Splunk. You can read more about the vulnerability in their advisory.
CVE-2022-37601 is a critical prototype pollution vulnerability in the parseQuery function of parseQuery.js within the webpack loader-utils package. The flaw occurs because the name variable is not properly sanitized, allowing attackers to manipulate object prototypes. This vulnerability affects all versions prior to 1.4.1 and versions 2.0.0 up to (but not including) 2.0.3. This is a third-party package vulnerability for Splunk. The EPSS rating is 0.158, so it is slightly increased, meaning that there is some chance of it getting exploited. More information about this vulnerability can be found on their advisory.
Browser Security Updates in September 2025
Major browsers, including Google Chrome, Microsoft Edge, Brave, Mozilla Firefox (including ESR versions), Opera One, and Vivaldi received numerous security updates addressing various vulnerabilities.
| Browser | Vulnerabilities | Updates |
| Google Chrome | 13 | 4 |
| Microsoft Edge | 23 | 5 |
| Brave Browser | 17 | 5 |
| Pale Moon | 2 | 1 |
| Mozilla Firefox | 11 | 1 |
| Mozilla Firefox ESR 140 | 7 | 1 |
| Opera One | 1 | 1 |
| Vivaldi | 2 | 2 |
Microsoft Product Updates Included in September 2025 Third-Party Patches
In addition to Edge, Microsoft issued security updates for several other products:
- Microsoft Edge for Business
- Microsoft Visual Studio Code
- Microsoft 365 Apps
- Microsoft Edge Beta
- Microsoft Azure CLI
Detailed List of September 2025 Third-Party Patches
For a complete list of applications, versions, and the number of remediated vulnerabilities, see the table below generated using Application Workspace data.
| ProductName | Version | Vulnerabilities remediated |
| Adobe Acrobat DC | 25.001.20693 | 2 |
| Adobe Acrobat DC Pro and Standard 2020 Classic Track | 20.005.30793 | 2 |
| Adobe Acrobat Reader 2020 MUI – Classic Track | 20.005.30793 | 2 |
| Adobe Acrobat Reader DC | 25.001.20693 | 2 |
| Adobe Acrobat Reader DC – Multilingual (MUI) | 25.001.20693 | 2 |
| Adobe Reader DC | 25.001.20693 | 2 |
| Apache Groovy 5 | 5.0.0 | 1 |
| Autodesk AutoCAD 2023 | 2023.1.8 | 17 |
| Autodesk AutoCAD 2024 | 2024.1.8 | 17 |
| Autodesk AutoCAD 2026 | 2026.1 | 4 |
| Autodesk AutoCAD LT 2023 | 2023.1.8 | 9 |
| Autodesk AutoCAD LT 2024 | 2024.1.8 | 9 |
| Autodesk AutoCAD LT 2025 | 2025.1.3 | 7 |
| Brave Browser | 1.82.170 | 4 |
| Brave Browser | 1.82.172 | 3 |
| Brave Browser | 1.82.165 | 4 |
| Brave Browser | 1.82.166 | 2 |
| Brave Browser | 1.82.161 | 4 |
| Burp Suite Community Edition | 2025.9.3 | 3 |
| Burp Suite Community Edition | 2025.9.2 | 4 |
| Burp Suite Community Edition | 2025.9.1 | 2 |
| Burp Suite Community Edition | 2025.9 | 4 |
| Burp Suite Professional Edition | 2025.9.3 | 3 |
| Burp Suite Professional Edition | 2025.9.2 | 4 |
| Burp Suite Professional Edition | 2025.9.1 | 2 |
| Burp Suite Professional Edition | 2025.9 | 4 |
| Colour Contrast Analyser | 3.5.5 | 1 |
| Colour Contrast Analyser | 3.5.5 | 2 |
| Docker Desktop | 4.47.0 | 1 |
| Docker Desktop | 4.47.0.206054 | 1 |
| Electron | 38.0.0 | 1 |
| Element | 1.11.112 | 1 |
| Foxit PDF Editor 13 | 13.2.1.23955 | 2 |
| Foxit PDF Editor 2025 | 2025.2.0.33046 | 17 |
| Foxit PDF Reader | 2025.2.0.33046 | 17 |
| Google Chrome for Business | 140.0.7339.186 | 4 |
| Google Chrome for Business | 140.0.7339.208 | 3 |
| Google Chrome for Business | 140.0.7339.128 | 2 |
| Google Chrome for Business | 140.0.7339.81 | 4 |
| Google Chrome for Education | 140.0.7339.186 | 4 |
| Google Chrome for Education | 140.0.7339.208 | 3 |
| Google Chrome for Education | 140.0.7339.128 | 2 |
| Google Chrome for Education | 140.0.7339.81 | 4 |
| Google Go Programming Language | 1.25.1 | 1 |
| Google Go Programming Language | 1.24.7 | 1 |
| Microsoft 365 Apps | 2506 (Build 16.0.18925.20242) | 13 |
| Microsoft 365 Apps | 2502 (Build 16.0.18526.20604) | 13 |
| Microsoft 365 Apps | 16.101.25091314 | 11 |
| Microsoft Azure CLI | 2.77.0 | 1 |
| Microsoft Edge Beta | 140.0.3485.54 | 5 |
| Microsoft Edge Beta | 140.0.3485.54 | 7 |
| Microsoft Edge for Business | 140.0.3485.81 | 5 |
| Microsoft Edge for Business | 140.0.3485.94 | 3 |
| Microsoft Edge for Business | 140.0.3485.66 | 2 |
| Microsoft Edge for Business | 140.0.3485.54 | 6 |
| Microsoft Edge for Business | 140.0.3485.54 | 7 |
| Microsoft Visual Studio Code | 1.104.0 | 1 |
| Mozilla Firefox | 143.0 | 11 |
| Mozilla Firefox ESR 140 | 140.3.0 | 7 |
| Mozilla Thunderbird | 140.3.0 | 7 |
| Mozilla Thunderbird ESR 140 | 140.3.0 | 7 |
| Opera One | 122.0.5643.51 | 1 |
| Pale Moon | 33.9.0 | 2 |
| pgAdmin 4 | 9.8 | 1 |
| Splunk Enterprise 10.0 | 10.0.1 | 4 |
| TeamCity | 2025.07.2 | 3 |
| Vivaldi | 7.6.3797.52 | 1 |
| Vivaldi | 7.5.3735.74 | 1 |
| Zoom Client for VDI | 6.5.11.26770 | 4 |
| Zoom Client for VDI | 6.5.10.26710 | 2 |
| Zoom Rooms | 6.6.1 | 4 |
| Zoom Rooms | 6.6.0 | 2 |
| Zoom Rooms | 6.6.1 | 2 |
| Zoom Workplace | 6.6.2.65462 | 2 |
| Zoom Workplace | 6.6.0.64511 | 2 |
| 0 |
Conclusion
Fast third-party patching protects your environment. September updates closed critical gaps across browsers and apps—tightening security and boosting uptime. Check back next month for fresh insights.
Want to cut patch MTTR and shrink your attack surface? Explore our eBook Reduce Your Attack Footprint or follow our App Management and Patching series.
