Breaking Down the Latest September 2025 Patch Tuesday Report

Microsoft has released its September 2025 Patch Tuesday security updates, addressing 81 vulnerabilities across Windows, Office, Azure, SQL Server, and other products. This month's release includes fixes for two publicly disclosed zero-day vulnerabilities and addresses concerns rated as Critical for nine flaws while giving an Important ranking to 72 bugs.

The two zero-days are a Windows SMB elevation of privilege vulnerability and a previously known issue in Newtonsoft.Json affecting SQL Server. Both vulnerabilities were publicly disclosed prior to patches being made available, highlighting the importance of prompt remediation efforts.

This comprehensive update provides patches covering multiple vulnerability types including elevation of privilege, remote code execution, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities. Technologies receiving fixes span from core Windows components to Office applications, Azure cloud services, and specialized systems like Hyper-V, demonstrating the extensive scope of this month's security improvements.

Among the highlights are critical remote code execution vulnerabilities in Windows Graphics Component, DirectX Graphics Kernel, Microsoft Office, and Windows Hyper-V, alongside critical elevation of privilege flaws in Windows NTLM and Windows Graphics Component. Additional noteworthy issues include information disclosure vulnerabilities in Windows Imaging Component and multiple important-rated flaws across Azure services, SQL Server, and Windows core components.

In this monthly report, we'll break down these zero-day threats along with other major critical issues addressed. Our analysis will examine severity ratings, exploitation vectors, and remediation guidance to help prioritize the essential patches for deployment. Whether you manage Windows environments, Azure cloud infrastructure, or Office productivity suites, applying these September security updates helps strengthen defenses against emerging threats as we advance through 2025.

Key Highlights - Patch Tuesday September 2025

In September's Patch Tuesday, Microsoft addressed 81 flaws, including two publicly disclosed zero-day vulnerabilities: a Windows SMB elevation of privilege flaw and a previously known Newtonsoft.Json issue affecting SQL Server. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities.

The key affected products in this release span Microsoft's ecosystem, including Windows, Office, Azure, SQL Server, Hyper-V, and specialized components. Swiftly applying these September security fixes remains essential for maintaining robust cybersecurity posture.

Key Highlights are:

This September Patch Tuesday demonstrates Microsoft's continued commitment to addressing vulnerabilities across its diverse product portfolio. Apply these updates promptly to close security gaps before threats can exploit them in enterprise and personal computing environments.

Zero-day Vulnerabilities Patched in September 2025

In September 2025, Microsoft addressed two publicly disclosed zero-day vulnerabilities in its Patch Tuesday release. These vulnerabilities are significant because they were disclosed publicly before patches were made available, creating a window of exposure for affected systems. Both zero-days affect core Windows infrastructure components, emphasizing the importance of rapid deployment of these fixes.

CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows SMB Server

CVSS v3 base score: 8.8

Severity rating: Important

This vulnerability affects Windows Server Message Block (SMB) and makes systems susceptible to relay attacks depending on their configuration. An attacker who successfully exploits this vulnerability could perform relay attacks and elevate user privileges through various attack vectors.

The exploitation typically involves an attacker pretending to be a legitimate server using techniques such as ARP spoofing, DNS poisoning, or other network manipulation methods. Attack options include credential relaying and offline hash cracking to reveal passwords. While SMB server signing can mitigate credential relaying attacks, many environments may not have this protection fully configured.

Microsoft emphasizes that Windows already includes settings to harden SMB Server against relay attacks, including SMB Server Signing and SMB Server Extended Protection for Authentication (EPA). However, enabling these hardening features could cause compatibility issues with older devices and legacy implementations.

As part of the September 2025 updates, Microsoft has enabled support for auditing SMB client compatibility, allowing administrators to assess potential impacts before fully enforcing hardening measures. The company recommends that administrators enable auditing on SMB servers to identify compatibility issues prior to implementing the security enhancements.

Microsoft has not attributed this vulnerability to specific researchers, and the original disclosure source remains unclear.

CVE-2024-21907 - Newtonsoft.Json Improper Handling of Exceptional Conditions

Vulnerability type: Denial of Service

Affected product: Microsoft SQL Server (via Newtonsoft.Json)

CVSS v3 base score: Not specified

Severity rating: Not specified

Microsoft has addressed a previously known vulnerability in Newtonsoft.Json that is included as part of Microsoft SQL Server. This vulnerability represents an interesting case of supply chain security, where a third-party component vulnerability affects Microsoft's enterprise database platform.

CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json versions prior to 13.0.1. When crafted data is passed to the JsonConvert.DeserializeObject method, it may trigger a StackOverflow exception resulting in denial of service conditions.

Depending on the implementation and usage of the library, an unauthenticated remote attacker may be able to cause denial of service conditions by sending specially crafted JSON data with thousands of levels of nested objects. While this may seem like a limited impact vulnerability, it can have significant consequences when targeting critical infrastructure systems such as hospitals, airports, or other essential services that rely on SQL Server.

The vulnerability has a complex history spanning several years. The underlying defect was first identified by Aleph Security in 2018 but did not receive a CVE designation at that time. CVE-2024-21907 was originally made public on January 3, 2024, with assistance from VulnCheck, making Microsoft's response a significant delay in addressing this known issue.

Microsoft's documented SQL Server updates now incorporate the necessary updates to Newtonsoft.Json to address this vulnerability, bringing the component to a secure version that properly handles exceptional conditions during JSON deserialization operations.

Zero-Day Vulnerabilities Summary Table

Critical Vulnerabilities Patched in September 2025

September's Patch Tuesday release addressed nine critical vulnerabilities spanning remote code execution, elevation of privilege, and information disclosure categories. These high-severity flaws represent significant threats that malicious actors could leverage in targeted attacks, making immediate patching a top priority for security teams.

CVE-2025-54914 - Azure Networking Elevation of Privilege Vulnerability

CVE-2025-54914 stands out with an exceptionally rare perfect 10.0 CVSS v3 base score, reflecting the critical nature of this cloud service vulnerability. This elevation of privilege flaw affects Azure Networking services and includes the seldom-seen scope change component in its CVSS vector calculation.

While the advisory provides minimal technical details about the vulnerability's nature, Microsoft has clarified that this is a cloud service issue that has already been resolved on their infrastructure. No action is required from Azure customers, as Microsoft has implemented the necessary fixes on the backend systems.

The acknowledgments section lists only Microsoft researchers, suggesting internal discovery rather than external disclosure. For organizations heavily reliant on Azure networking services for cloud asset communication, this represents a significant risk that has been mitigated through Microsoft's proactive remediation.

CVE-2025-54918 - Windows NTLM Elevation of Privilege Vulnerability

CVE-2025-54918 scores an 8.8 CVSS rating for its critical threat to Windows New Technology LAN Manager (NTLM) authentication systems. This elevation of privilege vulnerability could allow an authenticated attacker to elevate their privileges to SYSTEM level, providing complete control over the compromised system.

Microsoft's Exploitability Index rates this vulnerability as "Exploitation More Likely," indicating higher probability of active exploitation attempts. This assessment, combined with NTLM's central role in Windows authentication infrastructure, makes this vulnerability particularly concerning for enterprise environments.

This represents the second consecutive month featuring a critical NTLM elevation of privilege vulnerability, following CVE-2025-53778 in August 2025, and the third such critical NTLM flaw addressed in 2025. The recurring pattern suggests ongoing attention from both security researchers and potential threat actors targeting this authentication mechanism.

CVE-2025-54910 - Microsoft Office Remote Code Execution Vulnerability

The Microsoft Office remote code execution vulnerability CVE-2025-54910 earns an 8.4 CVSS score and represents a critical threat to Office document security. This heap-based buffer overflow flaw allows attackers to achieve remote code execution by convincing targets to open specially crafted Office documents.

Particularly concerning is the vulnerability's exploitation through Microsoft Outlook's Preview Pane, meaning users could be compromised simply by previewing malicious emails without actively opening attachments. This attack vector significantly reduces the social engineering requirements typically needed for Office-based exploits.

Despite the high severity rating, Microsoft's Exploitability Index classifies this as "Exploitation Less Likely," potentially due to existing Office security mitigations. However, the combination of widespread Office deployment and preview pane exploitation capabilities makes this a priority patch for organizations.

CVE-2025-55224 - Windows Hyper-V Remote Code Execution Vulnerability

CVE-2025-55224 presents a critical remote code execution threat in Windows Hyper-V virtualization infrastructure, scoring 7.8 on the CVSS scale. This vulnerability allows authenticated attackers who can win a race condition to traverse security boundaries between guest virtual machines and the Hyper-V host system.

Successful exploitation enables arbitrary code execution on the Hyper-V host machine, representing a complete virtualization escape scenario. While the attack complexity is rated as high due to the race condition requirement, the potential impact is severe given Hyper-V's role in enterprise virtualization environments.

Microsoft rates this as "Exploitation Less Likely" in their Exploitability Index, likely reflecting the technical challenges associated with winning the required race condition. Nevertheless, the critical impact of host system compromise makes this vulnerability a significant concern for data centers and cloud infrastructure.

Graphics Component Remote Code Execution Vulnerabilities

Multiple critical remote code execution vulnerabilities affect Windows graphics subsystems, including CVE-2025-55226 (Graphics Kernel), CVE-2025-55228 (Windows Graphics Component), and CVE-2025-55236 (DirectX Graphics Kernel). These vulnerabilities allow authenticated attackers to achieve remote code execution through various graphics processing operations.

CVE-2025-55228 specifically requires attackers to win a race condition for successful exploitation, while the DirectX Graphics Kernel flaw (CVE-2025-55236) scores 7.3 on the CVSS scale. The graphics subsystem's deep integration with Windows operations and its accessibility through various applications make these vulnerabilities particularly significant.

These graphics-related vulnerabilities highlight the expanding attack surface as modern systems increasingly rely on complex graphics processing for both user interface operations and multimedia content handling.

CVE-2025-53799 - Windows Imaging Component Information Disclosure Vulnerability

CVE-2025-53799 represents a critical information disclosure vulnerability in the Windows Imaging Component, arising from the use of uninitialized resources. This flaw allows unauthenticated attackers to disclose information locally, potentially reading small portions of heap memory.

While information disclosure vulnerabilities typically receive lower severity ratings, the critical classification suggests either widespread impact or the potential for this flaw to serve as a component in more complex attack chains. The local attack vector limits remote exploitation but poses risks in environments where attackers have already gained initial access.

The Windows Imaging Component's role in processing various image formats across the operating system makes this vulnerability particularly relevant for systems handling untrusted image content from web browsers, email clients, or file sharing applications.

Critical Vulnerabilities Summary Table

Vulnerabilities by Category

In total, 81 vulnerabilities were addressed in September's Patch Tuesday. Elevation of privilege issues top the list with 41 patches, followed by 22 remote code execution and 16 information disclosure vulnerabilities. The rest consist of 3 denial of service, 2 security feature bypass, and 1 spoofing flaw.

Here is the breakdown of the categories patched this month:

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's September 2025 Patch Tuesday:

List of Products Patched in September 2025 Patch Tuesday Report

Microsoft's September 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

ESU Windows vulnerabilities

ESU Windows Microsoft Office vulnerabilities

Mariner vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Open Source Software vulnerabilities

At time of writing, Microsoft has published patches for these OSS vulnerabilities, but without providing an accompanying advisory for most of them.

SQL Server vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's September 2025 Patch Tuesday addressed 81 vulnerabilities, including two publicly disclosed zero-day flaws and nine critical remote code execution and elevation of privilege issues affecting Windows, Office, Azure, and other key products.

This release saw a significant focus on elevation of privilege vulnerabilities, which accounted for 41 of the total patches, followed by remote code execution vulnerabilities with 22 instances. Among the zero-days, the Windows SMB elevation of privilege flaw and the Newtonsoft.Json denial of service issue in SQL Server underscore the importance of immediate patching for infrastructure components.

Critical vulnerabilities this month include an exceptionally rare 10.0 CVSS-rated Azure Networking flaw, Windows NTLM elevation of privilege, and multiple remote code execution vulnerabilities in graphics components, Office applications, and Hyper-V. The Windows SMB zero-day particularly highlights ongoing concerns around relay attacks and the need for proper SMB hardening configurations.

Among the notable important-rated vulnerabilities are multiple Hyper-V elevation of privilege flaws, Windows NTFS remote code execution, SharePoint Server RCE, and extensive information disclosure issues across Windows Routing and Remote Access Service components. The continued patching of graphics-related vulnerabilities demonstrates the expanding attack surface in modern Windows environments.

Overall, September's patches address 81 security gaps across Microsoft's comprehensive product portfolio, with particular emphasis on core infrastructure components and productivity applications. Organizations should prioritize deployment of the critical and zero-day fixes while implementing comprehensive testing procedures for the broader update set.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: