The Bug Report – September 2025 Edition
By Jonathan Omakun · October 7, 2025

Why am I here?
Ah, September. When the leaves change colors, so do the threat landscapes! As summer fades into autumn, cybersecurity professionals are harvesting a bumper crop of vulnerabilities that would make any pumpkin patch jealous. This month's collection reads like a greatest hits album of "How Not to Write Secure Code," featuring chart-toppers from Google, Microsoft, and the usual suspects.
September brought us five delightful specimens of digital dysfunction, ranging from Chrome's V8 engine having another identity crisis to FreePBX serving up SQL injection with a side of cryptocurrency mining. We've got Windows NTLM playing fast and loose with authentication (shocking, we know), and Django's ORM getting a little too friendly with user input.
So grab your favorite caffeinated beverage, settle in, and let's dive into this month's cavalcade of coding catastrophes.
Here are the five bugs we're focusing on:
- CVE-2025-10585 Google Chrome V8, Type Confusion
- CVE-2025-57819 Sangoma FreePBX, Authentication Bypass
- CVE-2025-54918 Microsoft Windows NTLM, Elevation of Privilege
- CVE-2025-50177 Microsoft Windows Message Queuing, Use After Free Remote Code Execution
- CVE-2025-57833 Django FilteredRelation, SQL Injection
CVE-2025-10585: Chrome's V8 engine plays fast and loose with types (again)
What is it?
Picture this: you're at a fancy restaurant, and the waiter confidently tells you that the fish special is actually a steak. That's essentially what's happening in Chrome's V8 JavaScript engine with this type confusion vulnerability. The engine gets bamboozled about what type of data it's handling, leading to memory corruption that attackers can exploit for remote code execution.
Discovered by Google's own Threat Intelligence Group (because who better to find Chrome bugs than Chrome's makers), this zero-day represents the sixth Chrome vulnerability exploited in the wild during 2025. The vulnerability lurks in V8's JavaScript and WebAssembly engine, where improper type handling creates a perfect storm for memory corruption.
Here's the kicker: this isn't just theoretical. Nation-state actors and commercial spyware vendors are actively exploiting this flaw through malicious web content. The attack requires user interaction (visiting or being lured to an attacker-controlled page), but once triggered it hands the attacker code execution inside Chrome's renderer process. That is the first link in every modern browser exploit chain; a separate sandbox-escape bug is still needed to get from the renderer to the operating system, which is why Chrome fixes of this kind are never "just a renderer bug" when someone is already using them in the wild.
Who cares?
Everyone with a pulse and a browser should care about this one. Chrome commands over 65% of the global browser market share, making this vulnerability a dream come true for threat actors. When Google's Threat Intelligence Group discovers active exploitation of its own browser, you know it's serious business.
The timing is particularly concerning - this marks the sixth zero-day Chrome vulnerability exploited in 2025, suggesting either a particularly active year for browser hunters or a rough patch for Chrome. The fact that sophisticated adversaries are burning zero-days on this indicates high-value targeting, likely against journalists, activists, or government officials.
Google has wisely withheld technical details to prevent script kiddies from joining the party, but that also means we're flying blind on detection until patches are deployed. The exploitation requires user interaction, so social engineering campaigns are likely in full swing.
What can I do?
Immediate Actions:
- Update Chrome to version 140.0.7339.185 or later immediately.
- Don't forget Chromium-based browsers (Edge, Brave, Opera) - they need updates too.
- Enable automatic updates if you haven't already (seriously, it's 2025).
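Since the fixed build is the whole remediation here, the check a fleet owner actually needs is a numeric comparison of whatever `google-chrome --version` reports against that build. The following is an added example of that check, my own code and not anything from the post or from Google; the hostnames and version strings in the inventory are constructed, and the fixed build is the one quoted above.

```python
import re

# Fixed Chrome build named in the post for CVE-2025-10585; any later build is also fixed.
CHROME_FIXED = (140, 0, 7339, 185)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chromium build number from strings such as
    'Google Chrome 140.0.7339.185' (the output of `google-chrome --version`)
    and return it as a tuple of ints so that comparisons are numeric."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chromium-style version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, fixed=CHROME_FIXED):
    """True when the reported build is at or above the fixed build.
    Plain string comparison gets this wrong: '140.0.7339.99' sorts after
    '140.0.7339.185' lexicographically, but the tuple comparison orders them correctly."""
    return parse_version(version_text) >= fixed


def triage_fleet(inventory, fixed=CHROME_FIXED):
    """inventory: iterable of (hostname, '--version' output) pairs collected by
    whatever fleet tool you use. Returns (vulnerable_hosts, unparsed_hosts), both
    sorted; unparsed hosts need a human look rather than a silent pass."""
    vulnerable, unparsed = [], []
    for host, text in inventory:
        try:
            if not is_patched(text, fixed):
                vulnerable.append(host)
        except ValueError:
            unparsed.append(host)
    return sorted(vulnerable), sorted(unparsed)


# Constructed sample inventory, not real hosts. Edge, Brave and Opera carry their
# own build numbers, so compare those against each vendor's fixed build, not CHROME_FIXED.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 140.0.7339.185"),
    ("ws-002", "Google Chrome 140.0.7339.99"),
    ("ws-003", "Google Chrome 139.0.7258.154"),
    ("ws-004", "Google Chrome 141.0.7390.54"),
    ("ws-005", "command not found: google-chrome"),
]

if __name__ == "__main__":
    vuln, unknown = triage_fleet(SAMPLE_INVENTORY)
    print("still vulnerable:", vuln)
    print("could not determine:", unknown)
```

The unparsed bucket matters in practice: a host where the command fails or returns something unexpected is not patched, it is unknown, and a script that quietly drops it produces a green dashboard with a hole in it.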

CVE-2025-57819: FreePBX gets a hostile takeover via sql injection
What is it?
Imagine if your office phone system had a backdoor that anyone could walk through, grab the master keys, and then redecorate your entire building with malware. That's essentially what CVE-2025-57819 represents—a critical SQL injection vulnerability in Sangoma's FreePBX that's about as secure as a screen door on a submarine.
This vulnerability lives in the endpoint module of FreePBX versions 15, 16, and 17, specifically in the way the system handles validation in modular.php. The flaw allows attackers to inject malicious SQL commands through the template, model, and brand GET parameters in the /admin/ajax.php endpoint. It's a textbook SQL injection that bypasses authentication entirely, essentially giving attackers a VIP pass to the administrator's lounge.
An analysis from watchTowr Labs shows an attack chain that is elegantly simple and devastatingly effective. Attackers start by exploiting the validation error in modular.php, then leverage SQL injection to manipulate the database directly. From there, they can escalate to administrator-level access and eventually achieve root-level command execution. It's like starting with a paperclip and ending up with the keys to the kingdom—except the kingdom is your entire phone system and potentially your network.
The attack vector is network-based; it requires neither authentication nor user interaction, and successful exploitation compromises the confidentiality, integrity, and availability of the system.

Who cares?
Anyone running FreePBX should be sweating bullets right about now. FreePBX is one of the most popular open-source PBX solutions, deployed in thousands of organizations worldwide. From small businesses to large enterprises, if you're using FreePBX for your phone system, you're potentially sitting on a ticking time bomb.
The vulnerability has been actively exploited since August 21, 2025, and attackers aren't being subtle about it. They're deploying cryptominers, installing web shells, and setting up persistent backdoors faster than you can say "please hold while we transfer your call." The exploitation is so widespread that CISA has added it to its Known Exploited Vulnerabilities catalog, which is basically the cybersecurity equivalent of a most-wanted poster.
What's particularly concerning is the availability of weaponized proof-of-concept exploits. We're not talking about academic demonstrations here—these are full-blown, ready-to-use attack tools that can completely compromise a FreePBX system. There are at least four different exploit repositories available, ranging from non-destructive vulnerability scanners to multi-stage system compromise tools that can upload web shells and establish interactive command interfaces.
The targeting pattern shows attackers are going after publicly exposed FreePBX systems. This means if your PBX is accessible from the internet without proper protection, you're essentially hanging a "hack me" sign on your digital front door. The observed post-exploitation activities include crypto-miner deployment and web shell installation, with attackers even deploying cleanup scripts to cover their tracks.
What can I do?
Patch immediately, and we mean drop-everything-and-patch-now immediately. Update the endpoint module to 17.0.3+, 16.0.89+, or 15.0.66+; the fix shipped as a module update, so the FreePBX framework version alone does not tell you whether you are covered. This isn't a "patch Tuesday" kind of update; this is a "patch right now before your phone system becomes a cryptocurrency mining operation" update.
If you can't patch immediately, implement emergency access controls. Set up IP filtering and access control lists (ACLs) to restrict access to your FreePBX admin interface. Only allow connections from trusted IP addresses and networks. Consider putting your FreePBX system behind a VPN if it needs to be accessible remotely.
Conduct an immediate security audit of your existing FreePBX systems. Look for signs of compromise, including unexpected web shells under /var/www/html/, unusual processes running on the system, and suspicious network connections. Pay particular attention to any files with names like .clean.sh or similar cleanup scripts that attackers might have left behind.
Monitor your FreePBX web-server logs for suspicious activity, particularly failed authentication attempts and requests to /admin/ajax.php whose template, model, or brand parameters carry quotes, comment markers, or SQL keywords. The access log only shows GET query strings, so if you need to see the resulting queries, enable the MySQL/MariaDB general log temporarily. If you find evidence of compromise, assume the worst: treat the system as fully compromised and plan for a complete rebuild from clean backups.
For future protection, implement network segmentation to isolate your PBX systems from critical network resources. Deploy endpoint detection and response (EDR) solutions that can catch post-exploitation activities even if the initial attack succeeds.
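To make the log-monitoring advice concrete, here is an added example, my own code rather than FreePBX's or watchTowr's, that scans Apache-style access-log lines for /admin/ajax.php requests whose template, model, or brand parameters contain SQL metacharacters. The log-format regex, the query-string layout, and the sample lines are constructed assumptions; check them against your own LogFormat before trusting the output.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" access-log layout. FreePBX normally sits on Apache, but
# adjust this regex if your LogFormat differs (assumption about your setup).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The GET parameters the post names as the injection points in the endpoint module.
WATCHED_PARAMS = ("template", "model", "brand")

# Characters and keywords that never belong in a phone template, model, or brand name.
SQLI_RE = re.compile(
    r"""['";]|--|/\*|\*/|\b(union|select|insert|update|delete|sleep|benchmark|load_file|into\s+outfile)\b""",
    re.IGNORECASE,
)


def suspicious_param(target):
    """Return 'name=value' for the first watched parameter of a /admin/ajax.php
    request that carries SQL metacharacters, or None for anything else."""
    parts = urlsplit(target)
    if not parts.path.startswith("/admin/ajax.php"):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoded payloads.
            if SQLI_RE.search(value) or SQLI_RE.search(unquote_plus(value)):
                return f"{name}={value}"
    return None


def scan(lines):
    """Return (client_ip, timestamp, request_target, reason) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        reason = suspicious_param(m["target"])
        if reason:
            hits.append((m["ip"], m["ts"], m["target"], reason))
    return hits


# Constructed sample lines, not from a real system. The query strings are made up
# to show a benign provisioning request beside two injection attempts.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Aug/2025:09:00:01 +0000] "GET /admin/ajax.php?module=endpoint&template=polycom_default&model=vvx400 HTTP/1.1" 200 1423',
    '203.0.113.7 - - [21/Aug/2025:03:14:07 +0000] "GET /admin/ajax.php?module=endpoint&template=x%27%20UNION%20SELECT%201--&brand=polycom HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Aug/2025:03:14:09 +0000] "GET /admin/ajax.php?module=endpoint&brand=polycom%22;%20--%20 HTTP/1.1" 500 0',
    '192.0.2.9 - - [21/Aug/2025:04:00:00 +0000] "GET /index.php?template=x%27 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, ts, target, reason in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {reason!r} <- {target}")
```

Two caveats when you run this against real logs: parameters sent in a POST body never appear in the access log, so pair this with a WAF or the application log if you need that coverage, and a 500 on an ajax.php request with a quote in a parameter is itself a signal worth alerting on, since it is what a probing injection often produces before the attacker gets the syntax right.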
CVE-2025-54918: Windows NTLM authentication takes a privilege vacation
What is it?
Windows NTLM authentication is supposed to be the digital equivalent of a bouncer checking IDs at a nightclub—it's meant to verify who you are and what you're allowed to do. But CVE-2025-54918 reveals that this particular bouncer has been handing out VIP passes to anyone who asks nicely. The vulnerability allows attackers with low-privilege network access to escalate their privileges to SYSTEM level—essentially going from "can barely use the copy machine" to "owns the entire building" in one smooth move.
The technical details are still somewhat sparse, as this is a relatively recent disclosure; however, the broad impact across Windows versions suggests this is a fundamental flaw in how NTLM handles authentication and authorization decisions. It's the kind of vulnerability that makes system administrators wake up in cold sweats, especially those managing large Windows environments where NTLM is still widely used for backward compatibility.
Who cares?
Everyone running Windows should care about this one. The affected systems list reads like a Windows version hall of fame: Windows 10 (all versions from 1507 to 22H2), Windows 11 (22H2 through 24H2), and Windows Server versions from 2008 to 2025. That's essentially every Windows system that's still receiving security updates, plus some that probably should have been retired years ago.
The elevated privilege nature of this vulnerability makes it particularly attractive for attackers who have already gained initial access to a network. It's the perfect second-stage payload for ransomware operators, advanced persistent threat (APT) groups, and anyone else looking to move from a foothold to full domain compromise. Once attackers achieve SYSTEM-level privileges, they can install persistent backdoors, access sensitive data, and move laterally throughout the network.
The "Exploitation More Likely" assessment from Microsoft suggests they have good reasons to believe this vulnerability will be weaponized. Microsoft doesn't throw around these assessments casually—when they say exploitation is more likely, it usually means they've seen indicators that suggest active development of exploits or characteristics that make the vulnerability particularly attractive to attackers.
What can I do?
Apply the September 2025 Microsoft security patches immediately if you haven't already. This vulnerability was patched as part of Microsoft's regular Patch Tuesday cycle, so the fixes are available and tested. Use Windows Update, WSUS, or your enterprise patch management system to deploy these updates across your environment with high priority.
Trellix Customers: Trellix Network Security (NX) contains coverage for this vulnerability. Please ensure your solution is up to date.
CVE-2025-50177: Windows message queuing races against security
What is it?
Microsoft Message Queuing (MSMQ) is supposed to be the reliable postal service of the Windows world, ensuring messages get delivered between applications safely and securely. But CVE-2025-50177 reveals that this postal service has been running a side business in vulnerability delivery. This use-after-free vulnerability with a race condition twist affects MSMQ across a comprehensive range of Windows systems, from the ancient Windows Server 2008 all the way up to the latest Windows 11 24H2.
The vulnerability combines two classic memory-corruption ingredients: a use-after-free and a race condition. The use-after-free occurs when MSMQ continues to reference memory that has already been freed, while the race condition means attackers need to win a timing lottery to exploit the flaw successfully.
The CVSS score of 8.1 reflects the high potential impact (complete system compromise) tempered by the high attack complexity. Microsoft has classified this as "Exploitation Less Likely" in their assessment, which suggests they believe the technical barriers to exploitation are significant enough to deter most attackers.

Who cares?
Organizations running Windows systems with MSMQ enabled should pay attention, though the good news is that this vulnerability has already been patched as of August 12, 2025. The affected systems list is extensive, covering Windows Server 2008 through 2025 and Windows 10/11; however, the high attack complexity means this is unlikely to become a widespread exploitation target.
The race condition aspect of this vulnerability makes it particularly challenging for attackers to exploit reliably. Unlike straightforward buffer overflows or SQL injection attacks, race conditions require precise timing and often multiple attempts to achieve successful exploitation. It's the difference between picking a simple lock and trying to crack a safe while blindfolded—both are possible, but one requires significantly more skill and persistence.
However, the potential impact remains severe. Successful exploitation could lead to remote code execution with SYSTEM privileges, essentially giving attackers complete control over the affected system.
For organizations that rely heavily on MSMQ for application communication, this vulnerability represents a significant risk if left unpatched.
The network-based attack vector means that attackers don't need local access to exploit this vulnerability, but they do need to be able to send HTTP packets to the MSMQ service. This typically requires either network access or the ability to route traffic to the target system, which provides some natural barriers to exploitation.
What can I do?
Verify that the August 2025 (or later) Microsoft security patches have been applied to all Windows systems in your environment. This vulnerability was patched on August 12, 2025, so if you're current on your patching you should already be protected. Use your patch management system to confirm deployment status across your environment rather than assuming it.
If MSMQ is not required in your environment, consider disabling it entirely. Like many Windows services, MSMQ is often enabled by default but not actually used by applications. Disabling unnecessary services reduces your attack surface and eliminates entire classes of vulnerabilities. Conduct an audit to determine which systems actually require MSMQ functionality.
Trellix Customers: Trellix Network Security (NX) contains coverage for this vulnerability. Please ensure your solution is updated to the latest signature set.
CVE-2025-57833: A Django Bug That's More than Just a Framework Flaw
What is it?
SQL injection is one of the oldest tricks in the book, but as this vulnerability shows, it's far from dead. CVE-2025-57833 is a high-severity SQL injection flaw in the Django framework's FilteredRelation feature. This bug, discovered by Eyal Gabay of EyalSec, lies in the missing validation of column aliases when a FilteredRelation is passed to QuerySet.annotate() or QuerySet.alias() with user-controlled input as the keyword names. This allows an attacker with low privileges to inject arbitrary SQL, which can lead to information disclosure and data manipulation and, on PostgreSQL, to arbitrary code execution via COPY ... TO PROGRAM, provided the application's database role is a superuser or holds pg_execute_server_program.
The technical mechanism is simple: user-controlled dictionary keys passed through **kwargs are treated as trusted alias names and bypass Django's usual sanitization, so an alias can close the quoted identifier and append statements of the attacker's choosing. Combined with PostgreSQL's ability to run operating-system commands through COPY, a payload that spawns a reverse shell turns a web-application vulnerability into complete server compromise.
Who cares?
Django powers a significant portion of the web. If you're running a Django application, especially one that uses FilteredRelation functionality with user-controlled input, you should be paying attention. The good news is that this vulnerability requires authenticated access with low privileges, so it's not as immediately dangerous as some of the other vulnerabilities we've seen.
While there's no evidence of active exploitation in the wild yet, the availability of working proof-of-concept code means it's only a matter of time before attackers start incorporating these techniques into their toolkits. The authentication requirement provides some protection, but in many web applications, low-privilege user accounts are relatively easy to obtain through registration processes or social engineering.
What can I do?
Upgrade Django to a patched version immediately: 5.2.6+, 5.1.12+, or 4.2.24+. This should be your first priority, especially if your application uses FilteredRelation with annotation names that come from request data. The patches address the core issue by validating FilteredRelation aliases before they are interpolated into SQL.
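As an added example, my own and not Django's code or the researcher's proof of concept, the following shows the vulnerable shape (a user-supplied alias interpolated into SQL) beside two fixes: an alias check in the spirit of Django's own check_alias() rule, whose regex here is my reading of that rule and should be treated as an assumption, and the application-side allowlist that protects a view on any Django version. The table, column and annotation names and the payload are constructed.

```python
import re

# Django's Query.check_alias() rejects aliases containing whitespace, quotes,
# brackets, semicolons, or comment markers. This regex is my rendering of that
# rule for the example, not code copied from the project (assumption).
FORBIDDEN_IN_ALIAS = re.compile(r"""['`"\[\];\s]|--|/\*|\*/""")

# Annotation names this hypothetical view is prepared to expose to callers.
ALLOWED_ANNOTATIONS = {"recent_books", "author_books"}

# Constructed attacker-controlled alias: closes the quoted identifier, terminates
# the statement, and appends another. pg_sleep() is a harmless stand-in for the
# COPY ... TO PROGRAM payload the post describes.
PAYLOAD = 'x" FROM "app_book"; SELECT pg_sleep(5) --'


def build_select_unsafe(alias, table="app_book", column="title"):
    """The shape of the pre-patch bug, reduced to one line: a caller-supplied
    alias dropped straight into generated SQL with no validation."""
    return f'SELECT "{table}"."{column}" AS "{alias}" FROM "{table}"'


def check_alias(alias):
    """Reject anything that could break out of a double-quoted identifier."""
    if FORBIDDEN_IN_ALIAS.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace, quotation marks, "
            "semicolons, or SQL comments."
        )
    return alias


def alias_is_safe(alias):
    """Boolean wrapper around check_alias() for callers that prefer not to catch."""
    try:
        check_alias(alias)
    except ValueError:
        return False
    return True


def build_select_safe(alias, table="app_book", column="title"):
    """Same query builder, but the alias is validated before it reaches SQL."""
    return build_select_unsafe(check_alias(alias), table, column)


def annotations_from_request(params, allowed=ALLOWED_ANNOTATIONS):
    """Application-side defence that works on every Django version: never let a
    request-supplied key become a **kwargs name. Only allow-listed annotation
    names survive, so qs.annotate(**annotations_from_request(request.GET)) can
    never see an attacker-chosen alias. `params` is any mapping with .items()."""
    return {name: value for name, value in params.items() if name in allowed}


if __name__ == "__main__":
    print(build_select_unsafe(PAYLOAD))   # two statements where there should be one
    print(alias_is_safe(PAYLOAD))         # False
    print(annotations_from_request({"recent_books": "1", PAYLOAD: "1"}))
```

The allowlist is the fix to keep even after upgrading: the framework patch stops the alias from breaking the SQL, but a view that lets callers name arbitrary annotations is still letting them shape your queries, and the next bug in that area will land on the same code path.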
Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/