This Month in Security: September 2025 - Google Chrome Zero-Day, Email Abuse Campaigns, OAuth Application Attacks and More

September 29, 2025
-
Jordan Darrah

"Source code Brain" by Christiaan Colen is licensed under CC BY-SA 2.0.

 

September was defined by the urgent patching of an actively exploited zero-day vulnerability in Google Chrome and by continued software supply chain attacks, this time targeting the NPM ecosystem. New government regulations were also issued that will change incident reporting requirements.

Critical Zero-Day Exploits

An actively exploited zero-day in the Google Chrome web browser put pressure on defenders to patch quickly, while Microsoft's Patch Tuesday addressed two publicly disclosed flaws of its own, the more significant of which is summarized below.

  • Google Chrome Zero-Day (CVE-2025-10585): Google issued an emergency update for a high-severity type confusion vulnerability in the V8 JavaScript engine. The flaw was reported by Google's Threat Analysis Group (TAG), and the company confirmed that an exploit exists in the wild. A V8 type confusion lets a crafted web page corrupt memory and execute arbitrary code inside the browser's renderer process with no user interaction beyond visiting the page; chained with a sandbox escape, that becomes a full compromise of the user's system (The Hacker News).
  • Windows SMB Zero-Day (CVE-2025-55234): Microsoft disclosed an elevation of privilege vulnerability in the Windows SMB Server that was publicly known before the patch but has not been reported as actively exploited. The weakness is exposure to authentication relay: an attacker positioned to intercept or coerce SMB authentication can replay it against a server that does not require signing. Beyond installing the update, the durable mitigations are enforcing SMB Server signing and Extended Protection for Authentication (EPA); Microsoft's advisory pairs the fix with audit support so administrators can identify clients that would break before turning enforcement on (CrowdStrike).

Notable Threats and Incidents

Large-scale data breaches and sophisticated supply chain attacks continued to be a major source of risk and disruption this month. Researchers also disclosed several new attack techniques targeting cloud environments.

  • Ongoing NPM Supply Chain Attacks: Security researchers uncovered multiple malicious campaigns targeting the NPM package registry. The first pushed malicious versions of dozens of popular NPM packages after their maintainers' accounts were compromised (Sonatype). The second, "Shai-Hulud", was a self-propagating worm: an install-time script in trojanized package versions harvested secrets such as .npmrc files, SSH keys and cloud credentials from the machine running npm install, then used any stolen NPM tokens to publish the same payload into further packages the victim maintained (GetSafety).
  • "SlopAds" Ad Fraud Campaign: The Satori Threat Intelligence and Research team discovered a large ad fraud campaign that led to the removal of 224 malicious apps from the Google Play Store. The apps had been downloaded 38 million times and could generate billions of ad requests daily, slowing user devices and defrauding advertisers (Malwarebytes).
  • Cloud Email Abuse Campaign: Wiz documented a widespread campaign in which attackers abused a legitimate cloud email service, Amazon SES, from AWS accounts they controlled or had compromised, to send phishing email. Because the messages originated from legitimately verified sending identities and trusted infrastructure, they passed the reputation and authentication checks that usually stop phishing (Wiz).
  • Rise of OAuth Application Attacks: Red Canary highlighted a rise in attacks that abuse OAuth-integrated cloud applications. Attackers register or repurpose third-party OAuth applications and lure a user or administrator into consenting to them; the resulting grant gives persistent access to mail and files that does not depend on the victim's password, a platform for launching phishing from compromised accounts, and a backdoor into cloud infrastructure that survives password resets unless the grant and its refresh tokens are revoked. Red Canary's write-up details how these attacks work (Red Canary).
  • Entra ID Global Admin Vulnerability: Security researcher Dirk-jan Mollema disclosed CVE-2025-55241, a flaw in how the legacy Azure AD Graph API validated "actor tokens", the undocumented impersonation tokens Microsoft services use to act on behalf of users. Because the API did not verify which tenant a token originated from, an actor token minted in an attacker-controlled tenant could be used to impersonate any user, including Global Administrators, in any other Entra ID tenant; and because neither actor-token issuance nor Azure AD Graph reads are logged, reconnaissance left no trace in the victim tenant. Microsoft fixed the issue server-side before disclosure, so there is no customer patch to apply (DirkJanM).

Policy and Framework Updates

Government activity this month centered on the infrastructure behind vulnerability data, new incident reporting obligations, and legislation for sharing threat intelligence.

  • CISA Presents New Vision for CVE Program: The Cybersecurity and Infrastructure Security Agency (CISA) outlined a new strategic vision for the Common Vulnerabilities and Exposures (CVE) program. The plan focuses on modernizing the program's infrastructure and processes to improve the quality, timeliness, and usability of vulnerability data for defenders (CISA).
  • China Issues New Incident Reporting Framework: The Cyberspace Administration of China (CAC) released new measures requiring network operators to report significant cybersecurity incidents. For “relatively large” incidents, such as a data leak that involves over 1 million citizens, reports must be made to the CAC within four hours. Failure to comply can result in significant penalties (Morgan Lewis). 
  • U.S. House Advances Key Cybersecurity Bills: The House Homeland Security Committee advanced two bills, one to reauthorize the Cybersecurity Information Sharing Act of 2015 and one to fund the State and Local Cybersecurity Grant Program (SLCGP). These measures aim to improve the flow of threat intelligence between the private sector and government and to bolster the defenses of local governments (Nossaman).

September Patches and Vulnerabilities

Microsoft's September Patch Tuesday fixed over 80 vulnerabilities, including two that were publicly disclosed before the patch (though neither has been reported as exploited).

  • Microsoft's September Patch Tuesday: This update included two publicly disclosed flaws: CVE-2025-55234 (the SMB relay weakness above) and CVE-2024-21907, a denial-of-service bug in the Newtonsoft.Json library shipped with SQL Server. Several critical vulnerabilities were also addressed, including:
    • CVE-2025-54918: A critical elevation of privilege vulnerability in Windows NTLM that could allow an authenticated attacker to gain SYSTEM-level privileges.
    • CVE-2025-54910: A critical remote code execution vulnerability in Microsoft Office that can be exploited by a specially crafted file.
    • Other critical patches included fixes in the Windows Graphics Component, DirectX Graphics Kernel, and Windows TCP/IP driver (Qualys, Talos).
  • Adobe Security Updates: Adobe released security updates for a wide range of its products, including Acrobat Reader, Premiere Pro, and Adobe Commerce. These patches addressed 22 vulnerabilities, 12 of them rated critical, several of which could lead to arbitrary code execution (Qualys).

Key Takeaways for Staying Secure

  • Prioritize Patching Google Chrome: Every Chrome install, and every other Chromium-based browser (Edge, Brave, Opera, Vivaldi and the like) that has not yet picked up the V8 fix, is potentially vulnerable to CVE-2025-10585. Verify the running version on managed fleets rather than assuming auto-update has completed.
  • Address Critical Microsoft Vulnerabilities: Patching the Windows NTLM (CVE-2025-54918) and SMB (CVE-2025-55234) vulnerabilities should be a high priority to help prevent privilege escalation and relay attacks; where possible, also enforce SMB signing and EPA so the SMB server is not relying on the patch alone.
  • Audit Open-Source and Cloud Dependencies: The relentless supply chain attacks on NPM and the abuse of cloud services highlight the need for a clear inventory of open-source components (pinned through a committed lockfile and installed in CI with install scripts disabled), a regular audit of third-party OAuth applications, and monitoring for anomalous activity in cloud environments.
  • Reinforce User Awareness: Many of the critical vulnerabilities patched this month require some form of user interaction to be exploited. Continue to educate users on the dangers of opening unsolicited attachments, clicking suspicious links, and consenting to unfamiliar applications.
  • Review Your Security Posture: When needed, reach out to a trusted provider, like Cloud Security Partners, to review your security posture.

About the Author

Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.

Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group along with a blog where she tries to break down concepts and tools for new security professionals.
