September 10, 2025

Breaking Down the Latest September 2025 Patch Tuesday Report



Microsoft has released its September 2025 Patch Tuesday security updates, addressing 81 vulnerabilities across Windows, Office, Azure, SQL Server, and other products. This month's release includes fixes for two publicly disclosed zero-day vulnerabilities; nine of the flaws are rated Critical and 72 are rated Important.

The two zero-days are a Windows SMB elevation of privilege vulnerability and a previously known issue in Newtonsoft.Json affecting SQL Server. Both vulnerabilities were publicly disclosed prior to patches being made available, highlighting the importance of prompt remediation efforts.

This comprehensive update provides patches covering multiple vulnerability types including elevation of privilege, remote code execution, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities. Technologies receiving fixes span from core Windows components to Office applications, Azure cloud services, and specialized systems like Hyper-V, demonstrating the extensive scope of this month's security improvements.

Among the highlights are critical remote code execution vulnerabilities in Windows Graphics Component, DirectX Graphics Kernel, Microsoft Office, and Windows Hyper-V, alongside critical elevation of privilege flaws in Windows NTLM and Windows Graphics Component. Additional noteworthy issues include information disclosure vulnerabilities in Windows Imaging Component and multiple important-rated flaws across Azure services, SQL Server, and Windows core components.

In this monthly report, we'll break down these zero-day threats along with other major critical issues addressed. Our analysis will examine severity ratings, exploitation vectors, and remediation guidance to help prioritize the essential patches for deployment. Whether you manage Windows environments, Azure cloud infrastructure, or Office productivity suites, applying these September security updates helps strengthen defenses against emerging threats as we advance through 2025.

Key Highlights - Patch Tuesday September 2025

In September's Patch Tuesday, Microsoft addressed 81 flaws, including two publicly disclosed zero-day vulnerabilities: a Windows SMB elevation of privilege flaw and a previously known Newtonsoft.Json issue affecting SQL Server. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities.

The key affected products in this release span Microsoft's ecosystem, including Windows, Office, Azure, SQL Server, Hyper-V, and specialized components. Swiftly applying these September security fixes remains essential for maintaining robust cybersecurity posture.

Key Highlights are:

  1. Total Flaws and Zero-Day Vulnerabilities: This update resolves 81 total bugs, with two publicly disclosed zero-days affecting Windows SMB Server and SQL Server's Newtonsoft.Json component.

  2. Critical Flaws: Nine critical issues were addressed, including remote code execution vulnerabilities in Windows Graphics Component, DirectX Graphics Kernel, Microsoft Office, and Windows Hyper-V, plus critical elevation of privilege flaws in Windows NTLM and Azure Networking.

  3. Vulnerability Types: Forty-one elevation of privilege vulnerabilities lead the volume, followed by 22 remote code execution flaws. Information disclosure, denial of service, security feature bypass, and spoofing rank as other categories with multiple patches.

  4. Zero-Day Threats: The two zero-days include CVE-2025-55234 affecting Windows SMB Server relay attacks and CVE-2024-21907, a denial of service vulnerability in Newtonsoft.Json used by SQL Server.

  5. Critical-Rated Bugs: Major critical vulnerabilities include the Azure Networking flaw with a rare 10.0 CVSS score, Windows NTLM elevation of privilege, and multiple remote code execution bugs in graphics components and Office applications.

  6. Non-Critical Notables: Other significant issues include multiple Hyper-V elevation of privilege vulnerabilities, Windows NTFS remote code execution, SharePoint Server RCE, and information disclosure flaws across Windows kernel components and routing services.

This September Patch Tuesday demonstrates Microsoft's continued commitment to addressing vulnerabilities across its diverse product portfolio. Apply these updates promptly to close security gaps before threats can exploit them in enterprise and personal computing environments.

Zero-day Vulnerabilities Patched in September 2025

In September 2025, Microsoft addressed two publicly disclosed zero-day vulnerabilities in its Patch Tuesday release. These vulnerabilities are significant because they were disclosed publicly before patches were made available, creating a window of exposure for affected systems. Both zero-days affect core Windows infrastructure components, emphasizing the importance of rapid deployment of these fixes.

CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows SMB Server

CVSS v3 base score: 8.8

Severity rating: Important

This vulnerability affects Windows Server Message Block (SMB) and makes systems susceptible to relay attacks depending on their configuration. An attacker who successfully exploits this vulnerability could perform relay attacks and elevate user privileges through various attack vectors.

The exploitation typically involves an attacker pretending to be a legitimate server using techniques such as ARP spoofing, DNS poisoning, or other network manipulation methods. Attack options include credential relaying and offline hash cracking to reveal passwords. While SMB server signing can mitigate credential relaying attacks, many environments may not have this protection fully configured.

Microsoft emphasizes that Windows already includes settings to harden SMB Server against relay attacks, including SMB Server Signing and SMB Server Extended Protection for Authentication (EPA). However, enabling these hardening features could cause compatibility issues with older devices and legacy implementations.

As part of the September 2025 updates, Microsoft has enabled support for auditing SMB client compatibility, allowing administrators to assess potential impacts before fully enforcing hardening measures. The company recommends that administrators enable auditing on SMB servers to identify compatibility issues prior to implementing the security enhancements.

Microsoft has not attributed this vulnerability to specific researchers, and the original disclosure source remains unclear.

CVE-2024-21907 - Newtonsoft.Json Improper Handling of Exceptional Conditions

Vulnerability type: Denial of Service

Affected product: Microsoft SQL Server (via Newtonsoft.Json)

CVSS v3 base score: Not specified

Severity rating: Not specified

Microsoft has addressed a previously known vulnerability in Newtonsoft.Json that is included as part of Microsoft SQL Server. This vulnerability represents an interesting case of supply chain security, where a third-party component vulnerability affects Microsoft's enterprise database platform.

CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json versions prior to 13.0.1. When crafted data is passed to the JsonConvert.DeserializeObject method, it may trigger a StackOverflow exception resulting in denial of service conditions.

Depending on the implementation and usage of the library, an unauthenticated remote attacker may be able to cause denial of service conditions by sending specially crafted JSON data with thousands of levels of nested objects. While this may seem like a limited impact vulnerability, it can have significant consequences when targeting critical infrastructure systems such as hospitals, airports, or other essential services that rely on SQL Server.

The vulnerability has a complex history spanning several years. The underlying defect was first identified by Aleph Security in 2018 but did not receive a CVE designation at that time. CVE-2024-21907 was originally made public on January 3, 2024, with assistance from VulnCheck, so Microsoft's fix arrives after a significant delay for an already known issue.

Microsoft's documented SQL Server updates now incorporate the necessary updates to Newtonsoft.Json to address this vulnerability, bringing the component to a secure version that properly handles exceptional conditions during JSON deserialization operations.
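The failure mode described above (JSON nested thousands of levels deep exhausting a recursive parser's stack) can also be screened out before any parser sees the data. The following is an added example, not code from Microsoft, Newtonsoft.Json or VulnCheck: a language-agnostic ingress check written in Python, where the limit of 64 and all function and constant names are assumptions chosen for illustration.

```python
import json

DEFAULT_MAX_DEPTH = 64  # assumed policy limit; tune it to your real payloads

# Constructed sample: a benign order document, four levels deep, whose string
# values contain bracket characters that must not be counted as nesting.
SAMPLE_ORDER = '{"order": {"items": [{"sku": "A[1]", "note": "brace } here"}]}}'


class NestingTooDeep(ValueError):
    """Raised when a document nests deeper than the allowed limit."""


def max_nesting_depth(text, stop_after=None):
    """Return the deepest object/array nesting found in `text`.

    The scan is a single loop with an integer counter, so the check itself
    uses constant stack space however deep the input is. Brackets inside
    string literals (including after escaped quotes) are ignored. When
    `stop_after` is given, scanning ends as soon as that depth is exceeded,
    so an oversized hostile document is rejected early.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > deepest:
                deepest = depth
                if stop_after is not None and deepest > stop_after:
                    return deepest
        elif ch in "}]" and depth > 0:
            depth -= 1
    return deepest


def parse_untrusted(text, max_depth=DEFAULT_MAX_DEPTH):
    """Reject over-nested input first, then hand it to the real parser."""
    if max_nesting_depth(text, stop_after=max_depth) > max_depth:
        raise NestingTooDeep(f"nesting exceeds the limit of {max_depth}")
    return json.loads(text)


if __name__ == "__main__":
    # Constructed input matching the description in the text: thousands of
    # nested arrays and nothing else.
    over_nested = "[" * 5000 + "]" * 5000
    print("sample depth:", max_nesting_depth(SAMPLE_ORDER))
    print("over-nested depth:", max_nesting_depth(over_nested))
    try:
        parse_untrusted(over_nested)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

A check like this complements the patched library; it does not replace updating Newtonsoft.Json to 13.0.1 or later.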

Zero-Day Vulnerabilities Summary Table

| CVE ID | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | 8.8 | Important |
| CVE-2024-21907 | VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json | N/A | Unknown |

Critical Vulnerabilities Patched in September 2025

September's Patch Tuesday release addressed nine critical vulnerabilities spanning remote code execution, elevation of privilege, and information disclosure categories. These high-severity flaws represent significant threats that malicious actors could leverage in targeted attacks, making immediate patching a top priority for security teams.

CVE-2025-54914 - Azure Networking Elevation of Privilege Vulnerability

CVE-2025-54914 stands out with an exceptionally rare perfect 10.0 CVSS v3 base score, reflecting the critical nature of this cloud service vulnerability. This elevation of privilege flaw affects Azure Networking services and includes the seldom-seen scope change component in its CVSS vector calculation.

While the advisory provides minimal technical details about the vulnerability's nature, Microsoft has clarified that this is a cloud service issue that has already been resolved on their infrastructure. No action is required from Azure customers, as Microsoft has implemented the necessary fixes on the backend systems.

The acknowledgments section lists only Microsoft researchers, suggesting internal discovery rather than external disclosure. For organizations heavily reliant on Azure networking services for cloud asset communication, this represents a significant risk that has been mitigated through Microsoft's proactive remediation.

CVE-2025-54918 - Windows NTLM Elevation of Privilege Vulnerability

CVE-2025-54918 carries a CVSS score of 8.8 and a Critical rating, and affects Windows New Technology LAN Manager (NTLM) authentication. This elevation of privilege vulnerability could allow an authenticated attacker to elevate their privileges to SYSTEM level, providing complete control over the compromised system.

Microsoft's Exploitability Index rates this vulnerability as "Exploitation More Likely," indicating higher probability of active exploitation attempts. This assessment, combined with NTLM's central role in Windows authentication infrastructure, makes this vulnerability particularly concerning for enterprise environments.

This represents the second consecutive month featuring a critical NTLM elevation of privilege vulnerability, following CVE-2025-53778 in August 2025, and the third such critical NTLM flaw addressed in 2025. The recurring pattern suggests ongoing attention from both security researchers and potential threat actors targeting this authentication mechanism.

CVE-2025-54910 - Microsoft Office Remote Code Execution Vulnerability

The Microsoft Office remote code execution vulnerability CVE-2025-54910 earns an 8.4 CVSS score and represents a critical threat to Office document security. This heap-based buffer overflow flaw allows attackers to achieve remote code execution by convincing targets to open specially crafted Office documents.

Particularly concerning is the vulnerability's exploitation through Microsoft Outlook's Preview Pane, meaning users could be compromised simply by previewing malicious emails without actively opening attachments. This attack vector significantly reduces the social engineering requirements typically needed for Office-based exploits.

Despite the high severity rating, Microsoft's Exploitability Index classifies this as "Exploitation Less Likely," potentially due to existing Office security mitigations. However, the combination of widespread Office deployment and preview pane exploitation capabilities makes this a priority patch for organizations.

CVE-2025-55224 - Windows Hyper-V Remote Code Execution Vulnerability

CVE-2025-55224 presents a critical remote code execution threat in Windows Hyper-V virtualization infrastructure, scoring 7.8 on the CVSS scale. This vulnerability allows authenticated attackers who can win a race condition to traverse security boundaries between guest virtual machines and the Hyper-V host system.

Successful exploitation enables arbitrary code execution on the Hyper-V host machine, representing a complete virtualization escape scenario. While the attack complexity is rated as high due to the race condition requirement, the potential impact is severe given Hyper-V's role in enterprise virtualization environments.

Microsoft rates this as "Exploitation Less Likely" in their Exploitability Index, likely reflecting the technical challenges associated with winning the required race condition. Nevertheless, the critical impact of host system compromise makes this vulnerability a significant concern for data centers and cloud infrastructure.

Graphics Component Remote Code Execution Vulnerabilities

Multiple critical remote code execution vulnerabilities affect Windows graphics subsystems, including CVE-2025-55226 (Graphics Kernel), CVE-2025-55228 (Windows Graphics Component), and CVE-2025-55236 (DirectX Graphics Kernel). These vulnerabilities allow authenticated attackers to achieve remote code execution through various graphics processing operations.

CVE-2025-55228 specifically requires attackers to win a race condition for successful exploitation, while the DirectX Graphics Kernel flaw (CVE-2025-55236) scores 7.3 on the CVSS scale. The graphics subsystem's deep integration with Windows operations and its accessibility through various applications make these vulnerabilities particularly significant.

These graphics-related vulnerabilities highlight the expanding attack surface as modern systems increasingly rely on complex graphics processing for both user interface operations and multimedia content handling.

CVE-2025-53799 - Windows Imaging Component Information Disclosure Vulnerability

CVE-2025-53799 represents a critical information disclosure vulnerability in the Windows Imaging Component, arising from the use of uninitialized resources. This flaw allows unauthenticated attackers to disclose information locally, potentially reading small portions of heap memory.

While information disclosure vulnerabilities typically receive lower severity ratings, the critical classification suggests either widespread impact or the potential for this flaw to serve as a component in more complex attack chains. The local attack vector limits remote exploitation but poses risks in environments where attackers have already gained initial access.

The Windows Imaging Component's role in processing various image formats across the operating system makes this vulnerability particularly relevant for systems handling untrusted image content from web browsers, email clients, or file sharing applications.

Critical Vulnerabilities Summary Table

| CVE ID | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2025-54914 | Azure Networking Elevation of Privilege Vulnerability | 10.0 | Critical |
| CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability | 8.8 | Critical |
| CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Critical |
| CVE-2025-55224 | Windows Hyper-V Remote Code Execution Vulnerability | 7.8 | Critical |
| CVE-2025-55228 | Windows Graphics Component Remote Code Execution Vulnerability | 7.8 | Critical |
| CVE-2025-53800 | Windows Graphics Component Elevation of Privilege Vulnerability | 7.8 | Critical |
| CVE-2025-55236 | Graphics Kernel Remote Code Execution Vulnerability | 7.3 | Critical |
| CVE-2025-55226 | Graphics Kernel Remote Code Execution Vulnerability | 6.7 | Critical |
| CVE-2025-53799 | Windows Imaging Component Information Disclosure Vulnerability | 5.5 | Critical |

Vulnerabilities by Category

In total, 81 vulnerabilities were addressed in September's Patch Tuesday. Elevation of privilege issues top the list with 41 patches, followed by 22 remote code execution and 16 information disclosure vulnerabilities. The rest consist of 3 denial of service, 2 security feature bypass, and 1 spoofing flaw.

Here is the breakdown of the categories patched this month:

  1. Elevation of Privilege - 41

  2. Remote Code Execution - 22

  3. Information Disclosure - 16

  4. Denial of Service - 3

  5. Security Feature Bypass - 2

  6. Spoofing - 1

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's September 2025 Patch Tuesday:

| Vulnerability Category | CVE IDs |
| --- | --- |
| Elevation of Privilege | CVE-2025-54914, CVE-2025-55316, CVE-2025-55244, CVE-2025-55241, CVE-2025-49692, CVE-2025-54108, CVE-2025-55223, CVE-2025-53807, CVE-2025-53800, CVE-2025-55317, CVE-2025-54112, CVE-2025-54092, CVE-2025-54091, CVE-2025-54115, CVE-2025-54098, CVE-2025-55227, CVE-2025-54099, CVE-2025-54911, CVE-2025-54912, CVE-2025-53802, CVE-2025-54102, CVE-2025-53810, CVE-2025-53808, CVE-2025-54094, CVE-2025-54915, CVE-2025-54109, CVE-2025-54104, CVE-2025-53801, CVE-2025-54110, CVE-2025-54894, CVE-2025-54103, CVE-2025-54116, CVE-2025-54918, CVE-2025-49734, CVE-2025-54093, CVE-2025-54111, CVE-2025-54913, CVE-2025-55245, CVE-2025-54895, CVE-2025-55234 |
| Remote Code Execution | CVE-2025-55232, CVE-2025-55236, CVE-2025-55226, CVE-2025-54910, CVE-2025-54906, CVE-2025-54902, CVE-2025-54899, CVE-2025-54904, CVE-2025-54903, CVE-2025-54898, CVE-2025-54896, CVE-2025-54900, CVE-2025-54908, CVE-2025-54897, CVE-2025-54907, CVE-2025-54916, CVE-2025-54106, CVE-2025-54113, CVE-2025-54101, CVE-2025-55224, CVE-2025-55228, CVE-2025-54919 |
| Information Disclosure | CVE-2025-55238, CVE-2025-53799, CVE-2025-54901, CVE-2025-54905, CVE-2025-47997, CVE-2025-53803, CVE-2025-53804, CVE-2025-54095, CVE-2025-54096, CVE-2025-53797, CVE-2025-53796, CVE-2025-54097, CVE-2025-53798, CVE-2025-55225, CVE-2025-53806, CVE-2025-55242 |
| Denial of Service | CVE-2025-54114, CVE-2025-53805, CVE-2025-53809 |
| Security Feature Bypass | CVE-2025-53791, CVE-2025-54107, CVE-2025-54917 |
| Spoofing | CVE-2025-55243 |

List of Products Patched in September 2025 Patch Tuesday Report

Microsoft's September 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

| Product Name | No. of Vulnerabilities Patched |
| --- | --- |
| Windows Routing and Remote Access Service (RRAS) | 10 |
| Microsoft Office Excel | 8 |
| Windows Defender Firewall Service | 6 |
| Role: Windows Hyper-V | 4 |
| Microsoft Edge (Chromium-based) | 5 |
| Microsoft Office | 3 |
| Windows Kernel | 3 |
| SQL Server | 3 |
| Graphics Kernel | 2 |
| Microsoft Graphics Component | 2 |
| Windows Connected Devices Platform Service | 2 |
| Windows BitLocker | 2 |
| Windows Local Security Authority Subsystem Service (LSASS) | 2 |
| Windows MapUrlToZone | 2 |
| Windows Win32K - GRFX | 2 |
| Azure - Networking | 1 |
| Azure Arc | 1 |
| Azure Bot Service | 1 |
| Azure Entra | 1 |
| Azure Windows Virtual Machine Agent | 1 |
| Capability Access Management Service (camsvc) | 1 |
| Dynamics 365 FastTrack Implementation Assets | 1 |
| Microsoft AutoUpdate (MAU) | 1 |
| Microsoft Brokering File System | 1 |
| Microsoft High Performance Compute Pack (HPC) | 1 |
| Microsoft Office PowerPoint | 1 |
| Microsoft Office SharePoint | 1 |
| Microsoft Office Visio | 1 |
| Microsoft Office Word | 1 |
| Microsoft Virtual Hard Drive | 1 |
| Windows Ancillary Function Driver for WinSock | 1 |
| Windows Bluetooth Service | 1 |
| Windows DWM | 1 |
| Windows Imaging Component | 1 |
| Windows Internet Information Services | 1 |
| Windows Management Services | 1 |
| Windows MultiPoint Services | 1 |
| Windows NTFS | 1 |
| Windows NTLM | 1 |
| Windows PowerShell | 1 |
| Windows SMB | 1 |
| Windows SMBv3 Client | 1 |
| Windows SPNEGO Extended Negotiation | 1 |
| Windows TCP/IP | 1 |
| Windows UI XAML Maps MapControlSettings | 1 |
| Windows UI XAML Phone DatePickerFlyout | 1 |
| Xbox | 1 |
| XBox Gaming Services | 1 |

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Xbox Gaming Services Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Xbox Certification Bug Copilot Djando Information Disclosure Vulnerability | No | No | 6.5 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Azure Networking Elevation of Privilege Vulnerability | No | No | 10 |
| | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | No | No | 9.8 |
| | Azure Entra Elevation of Privilege Vulnerability | No | No | 9 |
| | Azure Bot Service Elevation of Privilege Vulnerability | No | No | 9 |
| | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Azure Arc Elevation of Privilege Vulnerability | No | No | 7.8 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.7 |
| | Chromium: CVE-2025-9867 Inappropriate implementation in Downloads | No | No | N/A |
| | Chromium: CVE-2025-9866 Inappropriate implementation in Extensions | No | No | N/A |
| | Chromium: CVE-2025-9865 Inappropriate implementation in Toolbar | No | No | N/A |
| | Chromium: CVE-2025-9864 Use after free in V8 | No | No | N/A |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Windows SMB Elevation of Privilege Vulnerability | No | Yes | 8.8 |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows NTLM Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Windows NTFS Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows BitLocker Elevation of Privilege Vulnerability | No | No | 7.8 |
| | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows BitLocker Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Graphics Kernel Remote Code Execution Vulnerability | No | No | 6.7 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Kernel-Mode Driver Information Disclosure Vulnerability | No | No | 5.5 |
| | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 5.5 |
| | Windows SMB Client Remote Code Execution Vulnerability | No | No | 4.8 |
| | MapUrlToZone Security Feature Bypass Vulnerability | No | No | 4.3 |
| | MapUrlToZone Security Feature Bypass Vulnerability | No | No | 4.3 |

ESU Windows Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Windows Imaging Component Information Disclosure Vulnerability | No | No | 5.5 |

Mariner vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters. | No | No | 9.8 |
| | Podman: podman kube play command may overwrite host files | No | No | 8.1 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | No | No | 7.5 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Microsoft OfficePlus Spoofing Vulnerability | No | No | 7.5 |
| | Microsoft Word Information Disclosure Vulnerability | No | No | 7.1 |
| | Microsoft Excel Information Disclosure Vulnerability | No | No | 5.5 |

Open Source Software vulnerabilities

At time of writing, Microsoft has published patches for these OSS vulnerabilities, but without providing an accompanying advisory for most of them.

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() | No | No | 9 |
| | scsi: bfa: Double-free fix | No | No | 7.8 |
| | fbdev: fix potential buffer overflow in do_register_framebuffer() | No | No | 7.8 |
| | fbdev: Fix vmalloc out-of-bounds write in fast_imageblit | No | No | 7.8 |
| | drm/xe: Make dma-fences compliant with the safe access rules | No | No | 7.8 |
| | NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() | No | No | 7.5 |
| | tracing: Limit access to parser->buffer when trace_get_user failed | No | No | 7.1 |
| | jfs: upper bound check of tree index in dbAllocAG | No | No | 7.1 |
| | jfs: Regular file corruption check | No | No | 7.1 |
| | ipv6: sr: Fix MAC comparison to be constant-time | No | No | 7.1 |
| | iommufd: Prevent ALIGN() overflow | No | No | 7.1 |
| | ftrace: Also allocate and copy hash for reading of filter files | No | No | 7.1 |
| | fs/buffer: fix use-after-free when call bh_read() helper | No | No | 7.1 |
| | wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() | No | No | 7 |
| | sctp: linearize cloned gso packets in sctp_rcv | No | No | 7 |
| | scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure | No | No | 7 |
| | s390/sclp: Fix SCCB present check | No | No | 7 |
| | ppp: fix race conditions in ppp_fill_forward_path | No | No | 7 |
| | netfilter: nf_reject: don't leak dst refcount for loopback packets | No | No | 7 |
| | net/sched: ets: use old 'nbands' while purging unused classes | No | No | 7 |
| | net/sched: Fix backlog accounting in qdisc_dequeue_internal | No | No | 7 |
| | net, hsr: reject HSR frame if skb can't hold tag | No | No | 7 |
| | media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() | No | No | 7 |
| | media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls | No | No | 7 |
| | loop: Avoid updating block size under exclusive owner | No | No | 7 |
| | gve: prevent ethtool ops after shutdown | No | No | 7 |
| | gfs2: Validate i_depth for exhash directories | No | No | 7 |
| | ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr | No | No | 7 |
| | exfat: add cluster chain loop check for dir | No | No | 7 |
| | crypto: qat - flush misc workqueue during device shutdown | No | No | 7 |
| | ALSA: usb-audio: Validate UAC3 power domain descriptors, too | No | No | 7 |
| | nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() | No | No | 6.8 |
| | tls: fix handling of zero-length records on the rx_list | No | No | 6.5 |
| | drbd: add missing kref_get in handle_write_conflicts | No | No | 6.3 |
| | hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() | No | No | 6.1 |
| | netfilter: nf_tables: reject duplicate device on updates | No | No | 6 |
| | Libsoup: improper handling of http vary header in libsoup caching | No | No | 5.9 |
| | x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper | No | No | 5.5 |
| | vsock/virtio: Validate length in packet header before skb_put() | No | No | 5.5 |
| | smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() | No | No | 5.5 |
| | smb3: fix for slab out of bounds on mount to ksmbd | No | No | 5.5 |
| | smb/server: avoid deadlock when linking with ReplaceIfExists | No | No | 5.5 |
| | serial: 8250: fix panic due to PSLVERR | No | No | 5.5 |
| | scsi: qla4xxx: Prevent a potential error pointer dereference | No | No | 5.5 |
| | s390/ism: fix concurrency management in ism_cmd() | No | No | 5.5 |
| | rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access | No | No | 5.5 |
| | parisc: Revise gateway LWS calls to probe user read access | No | No | 5.5 |
| | parisc: Revise __get_user() to probe user read access | No | No | 5.5 |
| | pNFS: Fix uninited ptr deref in block/scsi layout | No | No | 5.5 |
| | netfilter: ctnetlink: fix refcount leak on table dump | No | No | 5.5 |
| | net: usb: asix_devices: add phy_mask for ax88772 mdio bus | No | No | 5.5 |
| | net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization | No | No | 5.5 |
| | net: kcm: Fix race condition in kcm_unattach() | No | No | 5.5 |
| | net/smc: fix UAF on smcsk after smc_listen_out() | No | No | 5.5 |
| | mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() | No | No | 5.5 |
| | media: venus: protect against spurious interrupts during probe | No | No | 5.5 |
| | media: venus: Fix OOB read due to missing payload bound check | No | No | 5.5 |
| | media: usbtv: Lock resolution while streaming | No | No | 5.5 |
| | ksmbd: fix refcount leak causing resource not released | No | No | 5.5 |
| | io_uring/net: commit partial buffers on retry | No | No | 5.5 |
| | iio: light: as73211: Ensure buffer holes are zeroed | No | No | 5.5 |
| | iio: imu: bno055: fix OOB access of hw_xlate array | No | No | 5.5 |
| | hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() | No | No | 5.5 |
| | hfs: fix slab-out-of-bounds in hfs_bnode_read() | No | No | 5.5 |
| | hfs: fix general protection fault in hfs_find_init() | No | No | 5.5 |
| | habanalabs: fix UAF in export_dmabuf() | No | No | 5.5 |
| | fs/ntfs3: Add sanity check for file name | No | No | 5.5 |
| | f2fs: vm_unmap_ram() may be called from an invalid context | No | No | 5.5 |
| | drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor(). | No | No | 5.5 |
| | drm/amdkfd: Destroy KFD debugfs after destroy KFD wq | No | No | 5.5 |
| | drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities | No | No | 5.5 |
| | drm/amd/pm: fix null pointer access | No | No | 5.5 |
| | drm/amd/display: fix a Null pointer dereference vulnerability | No | No | 5.5 |
| | drm/amd/display: Avoid a NULL pointer dereference | No | No | 5.5 |
| | drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() | No | No | 5.5 |
| | comedi: pcl726: Prevent invalid irq number | No | No | 5.5 |
| | comedi: fix race between polling and detaching | No | No | 5.5 |
| | comedi: Make insn_rw_emulate_bits() do insn->n samples | No | No | 5.5 |
| | comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() | No | No | 5.5 |
| | NFS: Fix a race when updating an existing write | No | No | 5.5 |
| | MIPS: Don't crash in stack_top() for tasks without ABI or vDSO | No | No | 5.5 |
| | LoongArch: BPF: Fix jump offset calculation in tailcall | No | No | 5.5 |
| | scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated | No | No | 4.7 |
| | ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() | No | No | 4.7 |
| | Glib: buffer under-read on glib through glib/gfileutils.c via get_tmp_file() | No | No | 3.7 |
| | media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() | No | No | 3.3 |
| | media: venus: Add a check for packet size after reading from shared memory | No | No | N/A |
| | ACPI: pfr_update: Fix the driver update version check | No | No | N/A |

SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft SQL Server Elevation of Privilege Vulnerability | No | No | 8.8 |
|  | Microsoft SQL Server Information Disclosure Vulnerability | No | No | 6.5 |
|  | VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json | No | Yes | N/A |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Windows UI XAML Phone DatePickerFlyout Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows UI XAML Maps MapControlSettings Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Microsoft DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.5 |
|  | HTTP.sys Denial of Service Vulnerability | No | No | 7.5 |
|  | Windows Management Service Elevation of Privilege Vulnerability | No | No | 7.4 |
|  | Windows MultiPoint Services Elevation of Privilege Vulnerability | No | No | 7.3 |
|  | Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.3 |
|  | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability | No | No | 7 |
|  | Windows Bluetooth Service Elevation of Privilege Vulnerability | No | No | 7 |
|  | PowerShell Direct Elevation of Privilege Vulnerability | No | No | 7 |
|  | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7 |
|  | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7 |
|  | DirectX Graphics Kernel Elevation of Privilege Vulnerability | No | No | 7 |
|  | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability | No | No | 7 |
|  | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | No | No | 6.5 |

Bottom Line

Microsoft's September 2025 Patch Tuesday addressed 81 vulnerabilities, including two publicly disclosed zero-day flaws and nine critical remote code execution and elevation of privilege issues affecting Windows, Office, Azure, and other key products.

This release saw a significant focus on elevation of privilege vulnerabilities, which accounted for 41 of the total patches, followed by remote code execution vulnerabilities with 22 instances. Among the zero-days, the Windows SMB elevation of privilege flaw and the Newtonsoft.Json denial of service issue in SQL Server underscore the importance of immediate patching for infrastructure components.

Critical vulnerabilities this month include an exceptionally rare 10.0 CVSS-rated Azure Networking flaw, Windows NTLM elevation of privilege, and multiple remote code execution vulnerabilities in graphics components, Office applications, and Hyper-V. The Windows SMB zero-day particularly highlights ongoing concerns around relay attacks and the need for proper SMB hardening configurations.

Among the notable important-rated vulnerabilities are multiple Hyper-V elevation of privilege flaws, Windows NTFS remote code execution, SharePoint Server RCE, and extensive information disclosure issues across Windows Routing and Remote Access Service components. The continued patching of graphics-related vulnerabilities demonstrates the expanding attack surface in modern Windows environments.

Overall, September's patches address 81 security gaps across Microsoft's comprehensive product portfolio, with particular emphasis on core infrastructure components and productivity applications. Organizations should prioritize deployment of the critical and zero-day fixes while implementing comprehensive testing procedures for the broader update set.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, penetration testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
