Microsoft has released its September 2025 Patch Tuesday security updates, addressing 81 vulnerabilities across Windows, Office, Azure, SQL Server, and other products. This month's release includes fixes for two publicly disclosed zero-day vulnerabilities; nine flaws are rated Critical and 72 are rated Important.
The two zero-days are a Windows SMB elevation of privilege vulnerability and a previously known issue in Newtonsoft.Json affecting SQL Server. Both vulnerabilities were publicly disclosed prior to patches being made available, highlighting the importance of prompt remediation efforts.
This comprehensive update provides patches covering multiple vulnerability types including elevation of privilege, remote code execution, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities. Technologies receiving fixes span from core Windows components to Office applications, Azure cloud services, and specialized systems like Hyper-V, demonstrating the extensive scope of this month's security improvements.
Among the highlights are critical remote code execution vulnerabilities in Windows Graphics Component, DirectX Graphics Kernel, Microsoft Office, and Windows Hyper-V, alongside critical elevation of privilege flaws in Windows NTLM and Windows Graphics Component. Additional noteworthy issues include information disclosure vulnerabilities in Windows Imaging Component and multiple important-rated flaws across Azure services, SQL Server, and Windows core components.
In this monthly report, we'll break down these zero-day threats along with other major critical issues addressed. Our analysis will examine severity ratings, exploitation vectors, and remediation guidance to help prioritize the essential patches for deployment. Whether you manage Windows environments, Azure cloud infrastructure, or Office productivity suites, applying these September security updates helps strengthen defenses against emerging threats as we advance through 2025.
In September's Patch Tuesday, Microsoft addressed 81 flaws, including two publicly disclosed zero-day vulnerabilities: a Windows SMB elevation of privilege flaw and a previously known Newtonsoft.Json issue affecting SQL Server. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities.
The key affected products in this release span Microsoft's ecosystem, including Windows, Office, Azure, SQL Server, Hyper-V, and specialized components. Swiftly applying these September security fixes remains essential for maintaining robust cybersecurity posture.
Key highlights:

- Total Flaws and Zero-Day Vulnerabilities: This update resolves 81 total bugs, with two publicly disclosed zero-days affecting Windows SMB Server and SQL Server's Newtonsoft.Json component.
- Critical Flaws: Nine critical issues were addressed, including remote code execution vulnerabilities in Windows Graphics Component, DirectX Graphics Kernel, Microsoft Office, and Windows Hyper-V, plus critical elevation of privilege flaws in Windows NTLM and Azure Networking.
- Vulnerability Types: Forty-one elevation of privilege vulnerabilities lead the volume, followed by 22 remote code execution flaws. Information disclosure, denial of service, security feature bypass, and spoofing rank as other categories with multiple patches.
- Zero-Day Threats: The two zero-days include CVE-2025-55234 affecting Windows SMB Server relay attacks and CVE-2024-21907, a denial of service vulnerability in Newtonsoft.Json used by SQL Server.
- Critical-Rated Bugs: Major critical vulnerabilities include the Azure Networking flaw with a rare 10.0 CVSS score, Windows NTLM elevation of privilege, and multiple remote code execution bugs in graphics components and Office applications.
- Non-Critical Notables: Other significant issues include multiple Hyper-V elevation of privilege vulnerabilities, Windows NTFS remote code execution, SharePoint Server RCE, and information disclosure flaws across Windows kernel components and routing services.

This September Patch Tuesday demonstrates Microsoft's continued commitment to addressing vulnerabilities across its diverse product portfolio. Apply these updates promptly to close security gaps before threats can exploit them in enterprise and personal computing environments.
In September 2025, Microsoft addressed two publicly disclosed zero-day vulnerabilities in its Patch Tuesday release. These vulnerabilities are significant because they were disclosed publicly before patches were made available, creating a window of exposure for affected systems. Both zero-days affect core Windows infrastructure components, emphasizing the importance of rapid deployment of these fixes.

- Vulnerability type: Elevation of Privilege
- Affected product: Windows SMB Server
- CVSS v3 base score: 8.8
- Severity rating: Important

This vulnerability affects Windows Server Message Block (SMB) and makes systems susceptible to relay attacks depending on their configuration. An attacker who successfully exploits this vulnerability could perform relay attacks and elevate user privileges through various attack vectors.
The exploitation typically involves an attacker pretending to be a legitimate server using techniques such as ARP spoofing, DNS poisoning, or other network manipulation methods. Attack options include credential relaying and offline hash cracking to reveal passwords. While SMB server signing can mitigate credential relaying attacks, many environments may not have this protection fully configured.
Microsoft emphasizes that Windows already includes settings to harden SMB Server against relay attacks, including SMB Server Signing and SMB Server Extended Protection for Authentication (EPA). However, enabling these hardening features could cause compatibility issues with older devices and legacy implementations.
As part of the September 2025 updates, Microsoft has enabled support for auditing SMB client compatibility, allowing administrators to assess potential impacts before fully enforcing hardening measures. The company recommends that administrators enable auditing on SMB servers to identify compatibility issues prior to implementing the security enhancements.
Microsoft has not attributed this vulnerability to specific researchers, and the original disclosure source remains unclear.

- Vulnerability type: Denial of Service
- Affected product: Microsoft SQL Server (via Newtonsoft.Json)
- CVSS v3 base score: Not specified
- Severity rating: Not specified

Microsoft has addressed a previously known vulnerability in Newtonsoft.Json that is included as part of Microsoft SQL Server. This vulnerability represents an interesting case of supply chain security, where a third-party component vulnerability affects Microsoft's enterprise database platform.
CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json versions prior to 13.0.1. When crafted data is passed to the JsonConvert.DeserializeObject method, it may trigger a StackOverflow exception resulting in denial of service conditions.
Depending on the implementation and usage of the library, an unauthenticated remote attacker may be able to cause denial of service conditions by sending specially crafted JSON data with thousands of levels of nested objects. While this may seem like a limited impact vulnerability, it can have significant consequences when targeting critical infrastructure systems such as hospitals, airports, or other essential services that rely on SQL Server.
The vulnerability has a complex history spanning several years. The underlying defect was first identified by Aleph Security in 2018 but did not receive a CVE designation at that time. CVE-2024-21907 was originally made public on January 3, 2024, with assistance from VulnCheck, so Microsoft's fix arrives after a significant delay for a known issue.
Microsoft's documented SQL Server updates now incorporate the necessary updates to Newtonsoft.Json to address this vulnerability, bringing the component to a secure version that properly handles exceptional conditions during JSON deserialization operations.
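The deep-nesting condition described above can be rejected before a payload ever reaches a recursive deserializer. The following is an added example, not code from Microsoft, Newtonsoft.Json, or the original article: an iterative depth scan in Python, where the function names, the 64-level limit, and the 1,000,000-character cap are assumptions chosen for illustration, and the sample payloads are constructed.

```python
import json

DEFAULT_MAX_DEPTH = 64          # assumed policy limit; tune per application
DEFAULT_MAX_CHARS = 1_000_000   # assumed size cap for a single payload


class NestingTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the allowed limit."""


def max_nesting_depth(text, limit=None):
    """Return the deepest object/array nesting found in `text`.

    The scan is a single loop with a counter (no recursion), so the guard
    itself cannot be pushed into a stack overflow. Brackets inside string
    literals are ignored, including strings that contain escaped quotes.
    When `limit` is given, scanning stops with NestingTooDeep as soon as
    the limit is exceeded.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
            if limit is not None and depth > limit:
                raise NestingTooDeep(f"nesting exceeds {limit} levels")
        elif ch in "}]":
            depth = max(depth - 1, 0)    # tolerate stray closers; parser rejects them
    return deepest


def safe_loads(text, max_depth=DEFAULT_MAX_DEPTH, max_chars=DEFAULT_MAX_CHARS):
    """Apply size and depth limits, then hand the text to the real parser."""
    if len(text) > max_chars:
        raise ValueError(f"payload longer than {max_chars} characters")
    max_nesting_depth(text, limit=max_depth)
    return json.loads(text)


def triage(samples, max_depth=DEFAULT_MAX_DEPTH):
    """Map each sample name to 'accepted' or 'rejected: <reason>'."""
    results = {}
    for name, payload in samples.items():
        try:
            safe_loads(payload, max_depth=max_depth)
            results[name] = "accepted"
        except ValueError as exc:        # covers NestingTooDeep and JSON syntax errors
            results[name] = f"rejected: {exc}"
    return results


# Constructed sample inputs (not taken from any real traffic).
CONSTRUCTED_SAMPLES = {
    "ordinary": '{"user": "alice", "roles": ["dba", "audit"]}',
    "brackets_in_string": '{"note": "[[[[ \\"{{{{ not structure"}',
    "deeply_nested": "[" * 5000 + "]" * 5000,
}

if __name__ == "__main__":
    for name, verdict in triage(CONSTRUCTED_SAMPLES).items():
        print(f"{name}: {verdict}")
```

A guard like this complements, but does not replace, moving to a Newtonsoft.Json version that is not affected (the article gives versions prior to 13.0.1 as vulnerable).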

| CVE ID | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | 8.8 | Important |
| CVE-2024-21907 | VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json | N/A | Unknown |

September's Patch Tuesday release addressed nine critical vulnerabilities spanning remote code execution, elevation of privilege, and information disclosure categories. These high-severity flaws represent significant threats that malicious actors could leverage in targeted attacks, making immediate patching a top priority for security teams.
CVE-2025-54914 stands out with an exceptionally rare perfect 10.0 CVSS v3 base score, reflecting the critical nature of this cloud service vulnerability. This elevation of privilege flaw affects Azure Networking services and includes the seldom-seen scope change component in its CVSS vector calculation.
While the advisory provides minimal technical details about the vulnerability's nature, Microsoft has clarified that this is a cloud service issue that has already been resolved on their infrastructure. No action is required from Azure customers, as Microsoft has implemented the necessary fixes on the backend systems.
The acknowledgments section lists only Microsoft researchers, suggesting internal discovery rather than external disclosure. For organizations heavily reliant on Azure networking services for cloud asset communication, this represents a significant risk that has been mitigated through Microsoft's proactive remediation.
CVE-2025-54918 carries a CVSS score of 8.8 and is a critical threat to Windows New Technology LAN Manager (NTLM) authentication. This elevation of privilege vulnerability could allow an authenticated attacker to elevate their privileges to SYSTEM level, providing complete control over the compromised system.
Microsoft's Exploitability Index rates this vulnerability as "Exploitation More Likely," indicating higher probability of active exploitation attempts. This assessment, combined with NTLM's central role in Windows authentication infrastructure, makes this vulnerability particularly concerning for enterprise environments.
This represents the second consecutive month featuring a critical NTLM elevation of privilege vulnerability, following CVE-2025-53778 in August 2025, and the third such critical NTLM flaw addressed in 2025. The recurring pattern suggests ongoing attention from both security researchers and potential threat actors targeting this authentication mechanism.
The Microsoft Office remote code execution vulnerability CVE-2025-54910 earns an 8.4 CVSS score and represents a critical threat to Office document security. This heap-based buffer overflow flaw allows attackers to achieve remote code execution by convincing targets to open specially crafted Office documents.
Particularly concerning is the vulnerability's exploitation through Microsoft Outlook's Preview Pane, meaning users could be compromised simply by previewing malicious emails without actively opening attachments. This attack vector significantly reduces the social engineering requirements typically needed for Office-based exploits.
Despite the high severity rating, Microsoft's Exploitability Index classifies this as "Exploitation Less Likely," potentially due to existing Office security mitigations. However, the combination of widespread Office deployment and preview pane exploitation capabilities makes this a priority patch for organizations.
CVE-2025-55224 presents a critical remote code execution threat in Windows Hyper-V virtualization infrastructure, scoring 7.8 on the CVSS scale. This vulnerability allows authenticated attackers who can win a race condition to traverse security boundaries between guest virtual machines and the Hyper-V host system.
Successful exploitation enables arbitrary code execution on the Hyper-V host machine, representing a complete virtualization escape scenario. While the attack complexity is rated as high due to the race condition requirement, the potential impact is severe given Hyper-V's role in enterprise virtualization environments.
Microsoft rates this as "Exploitation Less Likely" in their Exploitability Index, likely reflecting the technical challenges associated with winning the required race condition. Nevertheless, the critical impact of host system compromise makes this vulnerability a significant concern for data centers and cloud infrastructure.
Multiple critical remote code execution vulnerabilities affect Windows graphics subsystems, including CVE-2025-55226 (Graphics Kernel), CVE-2025-55228 (Windows Graphics Component), and CVE-2025-55236 (DirectX Graphics Kernel). These vulnerabilities allow authenticated attackers to achieve remote code execution through various graphics processing operations.
CVE-2025-55228 specifically requires attackers to win a race condition for successful exploitation, while the DirectX Graphics Kernel flaw (CVE-2025-55236) scores 7.3 on the CVSS scale. The graphics subsystem's deep integration with Windows operations and its accessibility through various applications make these vulnerabilities particularly significant.
These graphics-related vulnerabilities highlight the expanding attack surface as modern systems increasingly rely on complex graphics processing for both user interface operations and multimedia content handling.
CVE-2025-53799 represents a critical information disclosure vulnerability in the Windows Imaging Component, arising from the use of uninitialized resources. This flaw allows unauthenticated attackers to disclose information locally, potentially reading small portions of heap memory.
While information disclosure vulnerabilities typically receive lower severity ratings, the critical classification suggests either widespread impact or the potential for this flaw to serve as a component in more complex attack chains. The local attack vector limits remote exploitation but poses risks in environments where attackers have already gained initial access.
The Windows Imaging Component's role in processing various image formats across the operating system makes this vulnerability particularly relevant for systems handling untrusted image content from web browsers, email clients, or file sharing applications.

| CVE ID | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2025-54914 | Azure Networking Elevation of Privilege Vulnerability | 10.0 | Critical |
| CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability | 8.8 | Critical |
| CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Critical |
| CVE-2025-55224 | Windows Hyper-V Remote Code Execution Vulnerability | 7.8 | Critical |
| CVE-2025-55228 | Windows Graphics Component Remote Code Execution Vulnerability | 7.8 | Critical |
| CVE-2025-53800 | Windows Graphics Component Elevation of Privilege Vulnerability | 7.8 | Critical |
| CVE-2025-55236 | Graphics Kernel Remote Code Execution Vulnerability | 7.3 | Critical |
| CVE-2025-55226 | Graphics Kernel Remote Code Execution Vulnerability | 6.7 | Critical |
| CVE-2025-53799 | Windows Imaging Component Information Disclosure Vulnerability | 5.5 | Critical |

In total, 81 vulnerabilities were addressed in September's Patch Tuesday. Elevation of privilege issues top the list with 41 patches, followed by 22 remote code execution and 16 information disclosure vulnerabilities. The rest consist of 3 denial of service, 2 security feature bypass, and 1 spoofing flaw.
Here is the breakdown of the categories patched this month:

- Elevation of Privilege - 41
- Remote Code Execution - 22
- Information Disclosure - 16
- Denial of Service - 3
- Security Feature Bypass - 2
- Spoofing - 1

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's September 2025 Patch Tuesday:

| Vulnerability Category | CVE IDs |
|---|---|
| Elevation of Privilege | CVE-2025-54914, CVE-2025-55316, CVE-2025-55244, CVE-2025-55241, CVE-2025-49692, CVE-2025-54108, CVE-2025-55223, CVE-2025-53807, CVE-2025-53800, CVE-2025-55317, CVE-2025-54112, CVE-2025-54092, CVE-2025-54091, CVE-2025-54115, CVE-2025-54098, CVE-2025-55227, CVE-2025-54099, CVE-2025-54911, CVE-2025-54912, CVE-2025-53802, CVE-2025-54102, CVE-2025-53810, CVE-2025-53808, CVE-2025-54094, CVE-2025-54915, CVE-2025-54109, CVE-2025-54104, CVE-2025-53801, CVE-2025-54110, CVE-2025-54894, CVE-2025-54103, CVE-2025-54116, CVE-2025-54918, CVE-2025-49734, CVE-2025-54093, CVE-2025-54111, CVE-2025-54913, CVE-2025-55245, CVE-2025-54895, CVE-2025-55234 |
| Remote Code Execution | CVE-2025-55232, CVE-2025-55236, CVE-2025-55226, CVE-2025-54910, CVE-2025-54906, CVE-2025-54902, CVE-2025-54899, CVE-2025-54904, CVE-2025-54903, CVE-2025-54898, CVE-2025-54896, CVE-2025-54900, CVE-2025-54908, CVE-2025-54897, CVE-2025-54907, CVE-2025-54916, CVE-2025-54106, CVE-2025-54113, CVE-2025-54101, CVE-2025-55224, CVE-2025-55228, CVE-2025-54919 |
| Information Disclosure | CVE-2025-55238, CVE-2025-53799, CVE-2025-54901, CVE-2025-54905, CVE-2025-47997, CVE-2025-53803, CVE-2025-53804, CVE-2025-54095, CVE-2025-54096, CVE-2025-53797, CVE-2025-53796, CVE-2025-54097, CVE-2025-53798, CVE-2025-55225, CVE-2025-53806, CVE-2025-55242 |
| Denial of Service | CVE-2025-54114, CVE-2025-53805, CVE-2025-53809 |
| Security Feature Bypass | CVE-2025-53791, CVE-2025-54107, CVE-2025-54917 |
| Spoofing | CVE-2025-55243 |

Microsoft's September 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

| Product Name | No. of Vulnerabilities Patched |
|---|---|
| Windows Routing and Remote Access Service (RRAS) | 10 |
| Microsoft Office Excel | 8 |
| Windows Defender Firewall Service | 6 |
| Role: Windows Hyper-V | 4 |
| Microsoft Edge (Chromium-based) | 5 |
| Microsoft Office | 3 |
| Windows Kernel | 3 |
| SQL Server | 3 |
| Graphics Kernel | 2 |
| Microsoft Graphics Component | 2 |
| Windows Connected Devices Platform Service | 2 |
| Windows BitLocker | 2 |
| Windows Local Security Authority Subsystem Service (LSASS) | 2 |
| Windows MapUrlToZone | 2 |
| Windows Win32K - GRFX | 2 |
| Azure - Networking | 1 |
| Azure Arc | 1 |
| Azure Bot Service | 1 |
| Azure Entra | 1 |
| Azure Windows Virtual Machine Agent | 1 |
| Capability Access Management Service (camsvc) | 1 |
| Dynamics 365 FastTrack Implementation Assets | 1 |
| Microsoft AutoUpdate (MAU) | 1 |
| Microsoft Brokering File System | 1 |
| Microsoft High Performance Compute Pack (HPC) | 1 |
| Microsoft Office PowerPoint | 1 |
| Microsoft Office SharePoint | 1 |
| Microsoft Office Visio | 1 |
| Microsoft Office Word | 1 |
| Microsoft Virtual Hard Drive | 1 |
| Windows Ancillary Function Driver for WinSock | 1 |
| Windows Bluetooth Service | 1 |
| Windows DWM | 1 |
| Windows Imaging Component | 1 |
| Windows Internet Information Services | 1 |
| Windows Management Services | 1 |
| Windows MultiPoint Services | 1 |
| Windows NTFS | 1 |
| Windows NTLM | 1 |
| Windows PowerShell | 1 |
| Windows SMB | 1 |
| Windows SMBv3 Client | 1 |
| Windows SPNEGO Extended Negotiation | 1 |
| Windows TCP/IP | 1 |
| Windows UI XAML Maps MapControlSettings | 1 |
| Windows UI XAML Phone DatePickerFlyout | 1 |
| Xbox | 1 |
| XBox Gaming Services | 1 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Xbox Gaming Services Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Xbox Certification Bug Copilot Djando Information Disclosure Vulnerability | No | No | 6.5 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Azure Networking Elevation of Privilege Vulnerability | No | No | 10 |
| | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | No | No | 9.8 |
| | Azure Entra Elevation of Privilege Vulnerability | No | No | 9 |
| | Azure Bot Service Elevation of Privilege Vulnerability | No | No | 9 |
| | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Azure Arc Elevation of Privilege Vulnerability | No | No | 7.8 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.7 |
| | Chromium: CVE-2025-9867 Inappropriate implementation in Downloads | No | No | N/A |
| | Chromium: CVE-2025-9866 Inappropriate implementation in Extensions | No | No | N/A |
| | Chromium: CVE-2025-9865 Inappropriate implementation in Toolbar | No | No | N/A |
| | Chromium: CVE-2025-9864 Use after free in V8 | No | No | N/A |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows SMB Elevation of Privilege Vulnerability | No | Yes | 8.8 |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows NTLM Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Windows NTFS Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows BitLocker Elevation of Privilege Vulnerability | No | No | 7.8 |
| | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows BitLocker Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Windows Defender Firewall Service Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Graphics Kernel Remote Code Execution Vulnerability | No | No | 6.7 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Kernel-Mode Driver Information Disclosure Vulnerability | No | No | 5.5 |
| | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 5.5 |
| | Windows SMB Client Remote Code Execution Vulnerability | No | No | 4.8 |
| | MapUrlToZone Security Feature Bypass Vulnerability | No | No | 4.3 |
| | MapUrlToZone Security Feature Bypass Vulnerability | No | No | 4.3 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Imaging Component Information Disclosure Vulnerability | No | No | 5.5 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters. | No | No | 9.8 |
| | Podman: podman kube play command may overwrite host files | No | No | 8.1 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | No | No | 7.5 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Microsoft OfficePlus Spoofing Vulnerability | No | No | 7.5 |
| | Microsoft Word Information Disclosure Vulnerability | No | No | 7.1 |
| | Microsoft Excel Information Disclosure Vulnerability | No | No | 5.5 |

At time of writing, Microsoft has published patches for these OSS vulnerabilities, but without providing an accompanying advisory for most of them.

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() | No | No | 9 |
| | scsi: bfa: Double-free fix | No | No | 7.8 |
| | fbdev: fix potential buffer overflow in do_register_framebuffer() | No | No | 7.8 |
| | fbdev: Fix vmalloc out-of-bounds write in fast_imageblit | No | No | 7.8 |
| | drm/xe: Make dma-fences compliant with the safe access rules | No | No | 7.8 |
| | NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() | No | No | 7.5 |
| | tracing: Limit access to parser->buffer when trace_get_user failed | No | No | 7.1 |
| | jfs: upper bound check of tree index in dbAllocAG | No | No | 7.1 |
| | jfs: Regular file corruption check | No | No | 7.1 |
| | ipv6: sr: Fix MAC comparison to be constant-time | No | No | 7.1 |
| | iommufd: Prevent ALIGN() overflow | No | No | 7.1 |
| | ftrace: Also allocate and copy hash for reading of filter files | No | No | 7.1 |
| | fs/buffer: fix use-after-free when call bh_read() helper | No | No | 7.1 |
| | wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() | No | No | 7 |
| | sctp: linearize cloned gso packets in sctp_rcv | No | No | 7 |
| | scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure | No | No | 7 |
| | s390/sclp: Fix SCCB present check | No | No | 7 |
| | ppp: fix race conditions in ppp_fill_forward_path | No | No | 7 |
| | netfilter: nf_reject: don't leak dst refcount for loopback packets | No | No | 7 |
| | net/sched: ets: use old 'nbands' while purging unused classes | No | No | 7 |
| | net/sched: Fix backlog accounting in qdisc_dequeue_internal | No | No | 7 |
| | net, hsr: reject HSR frame if skb can't hold tag | No | No | 7 |
| | media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() | No | No | 7 |
| | media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls | No | No | 7 |
| | loop: Avoid updating block size under exclusive owner | No | No | 7 |
| | gve: prevent ethtool ops after shutdown | No | No | 7 |
| | gfs2: Validate i_depth for exhash directories | No | No | 7 |
| | | No | No | 7 |
| | exfat: add cluster chain loop check for dir | No | No | 7 |
| | crypto: qat - flush misc workqueue during device shutdown | No | No | 7 |
| | ALSA: usb-audio: Validate UAC3 power domain descriptors, too | No | No | 7 |
| | nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() | No | No | 6.8 |
| | tls: fix handling of zero-length records on the rx_list | No | No | 6.5 |
| | drbd: add missing kref_get in handle_write_conflicts | No | No | 6.3 |
| | hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() | No | No | 6.1 |
| | netfilter: nf_tables: reject duplicate device on updates | No | No | 6 |
| | Libsoup: improper handling of http vary header in libsoup caching | No | No | 5.9 |
| | x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper | No | No | 5.5 |
| | vsock/virtio: Validate length in packet header before skb_put() | No | No | 5.5 |
| | smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() | No | No | 5.5 |
| | smb3: fix for slab out of bounds on mount to ksmbd | No | No | 5.5 |
| | smb/server: avoid deadlock when linking with ReplaceIfExists | No | No | 5.5 |
| | serial: 8250: fix panic due to PSLVERR | No | No | 5.5 |
| | scsi: qla4xxx: Prevent a potential error pointer dereference | No | No | 5.5 |
| | s390/ism: fix concurrency management in ism_cmd() | No | No | 5.5 |
| | rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access | No | No | 5.5 |
| | parisc: Revise gateway LWS calls to probe user read access | No | No | 5.5 |
| | parisc: Revise __get_user() to probe user read access | No | No | 5.5 |
| | pNFS: Fix uninited ptr deref in block/scsi layout | No | No | 5.5 |
| | netfilter: ctnetlink: fix refcount leak on table dump | No | No | 5.5 |
| | net: usb: asix_devices: add phy_mask for ax88772 mdio bus | No | No | 5.5 |
| | net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization | No | No | 5.5 |
| | net: kcm: Fix race condition in kcm_unattach() | No | No | 5.5 |
| | net/smc: fix UAF on smcsk after smc_listen_out() | No | No | 5.5 |
| | mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() | No | No | 5.5 |
| | media: venus: protect against spurious interrupts during probe | No | No | 5.5 |
| | media: venus: Fix OOB read due to missing payload bound check | No | No | 5.5 |
| | media: usbtv: Lock resolution while streaming | No | No | 5.5 |
| | ksmbd: fix refcount leak causing resource not released | No | No | 5.5 |
| | io_uring/net: commit partial buffers on retry | No | No | 5.5 |
| | iio: light: as73211: Ensure buffer holes are zeroed | No | No | 5.5 |
| | iio: imu: bno055: fix OOB access of hw_xlate array | No | No | 5.5 |
| | hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() | No | No | 5.5 |
| | hfs: fix slab-out-of-bounds in hfs_bnode_read() | No | No | 5.5 |
| | hfs: fix general protection fault in hfs_find_init() | No | No | 5.5 |
| | habanalabs: fix UAF in export_dmabuf() | No | No | 5.5 |
| | fs/ntfs3: Add sanity check for file name | No | No | 5.5 |
| | f2fs: vm_unmap_ram() may be called from an invalid context | No | No | 5.5 |
| | drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor(). | No | No | 5.5 |
| | drm/amdkfd: Destroy KFD debugfs after destroy KFD wq | No | No | 5.5 |
| | drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities | No | No | 5.5 |
| | drm/amd/pm: fix null pointer access | No | No | 5.5 |
| | drm/amd/display: fix a Null pointer dereference vulnerability | No | No | 5.5 |
| | drm/amd/display: Avoid a NULL pointer dereference | No | No | 5.5 |
| | drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() | No | No | 5.5 |
| | comedi: pcl726: Prevent invalid irq number | No | No | 5.5 |
| | comedi: fix race between polling and detaching | No | No | 5.5 |
| | comedi: Make insn_rw_emulate_bits() do insn->n samples | No | No | 5.5 |
| | comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() | No | No | 5.5 |
| | NFS: Fix a race when updating an existing write | No | No | 5.5 |
| | MIPS: Don't crash in stack_top() for tasks without ABI or vDSO | No | No | 5.5 |
| | LoongArch: BPF: Fix jump offset calculation in tailcall | No | No | 5.5 |
| | scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated | No | No | 4.7 |
| | ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() | No | No | 4.7 |
| | Glib: buffer under-read on glib through glib/gfileutils.c via get_tmp_file() | No | No | 3.7 |
| | media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() | No | No | 3.3 |
| | media: venus: Add a check for packet size after reading from shared memory | No | No | N/A |
| | ACPI: pfr_update: Fix the driver update version check | No | No | N/A |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft SQL Server Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Microsoft SQL Server Information Disclosure Vulnerability | No | No | 6.5 |
| | VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json | No | Yes | N/A |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows UI XAML Phone DatePickerFlyout Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows UI XAML Maps MapControlSettings Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Microsoft DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.5 |
| | HTTP.sys Denial of Service Vulnerability | No | No | 7.5 |
| | Windows Management Service Elevation of Privilege Vulnerability | No | No | 7.4 |
| | Windows MultiPoint Services Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.3 |
| | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability | No | No | 7 |
| | Windows Bluetooth Service Elevation of Privilege Vulnerability | No | No | 7 |
| | PowerShell Direct Elevation of Privilege Vulnerability | No | No | 7 |
| | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7 |
| | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7 |
| | DirectX Graphics Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability | No | No | 7 |
| | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | No | No | 6.5 |

Microsoft's September 2025 Patch Tuesday addressed 81 vulnerabilities, including two publicly disclosed zero-day flaws and nine critical remote code execution and elevation of privilege issues affecting Windows, Office, Azure, and other key products.
This release saw a significant focus on elevation of privilege vulnerabilities, which accounted for 41 of the total patches, followed by remote code execution vulnerabilities with 22 instances. Among the zero-days, the Windows SMB elevation of privilege flaw and the Newtonsoft.Json denial of service issue in SQL Server underscore the importance of immediate patching for infrastructure components.
Critical vulnerabilities this month include an exceptionally rare 10.0 CVSS-rated Azure Networking flaw, Windows NTLM elevation of privilege, and multiple remote code execution vulnerabilities in graphics components, Office applications, and Hyper-V. The Windows SMB zero-day particularly highlights ongoing concerns around relay attacks and the need for proper SMB hardening configurations.
Among the notable important-rated vulnerabilities are multiple Hyper-V elevation of privilege flaws, Windows NTFS remote code execution, SharePoint Server RCE, and extensive information disclosure issues across Windows Routing and Remote Access Service components. The continued patching of graphics-related vulnerabilities demonstrates the expanding attack surface in modern Windows environments.
Overall, September's patches address 81 security gaps across Microsoft's comprehensive product portfolio, with particular emphasis on core infrastructure components and productivity applications. Organizations should prioritize deployment of the critical and zero-day fixes while implementing comprehensive testing procedures for the broader update set.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.