Vulnerabilities & Alerts

Microsoft September 2025 Patch Tuesday

by  • 

On September 9, 2025, Microsoft released security updates addressing over 80 vulnerabilities across Windows operating systems and related software (81 vulnerabilities were patched on this date). Notably, there were no actively exploited “zero-day” vulnerabilities in this month’s update bundle. However, two publicly disclosed vulnerabilities (zero-days) were fixed, meaning they were known to attackers or researchers prior to patches being available. Most of the flaws patched are rated Important in severity, and Microsoft tagged thirteen of them as Critical. Among these critical issues are five that allow for remote code execution (RCE), one that leads to sensitive information disclosure, and two that enable privilege escalation to higher user rights. (Microsoft assigns a “Critical” rating to vulnerabilities that can be exploited by malware or attackers to gain unauthorized remote access with little to no user interaction.)

The following breakdown summarizes the 81 vulnerabilities by type, as addressed in September 2025:

  • 41 Elevation of Privilege vulnerabilities – flaws that could allow an attacker with initial access to elevate permissions on the system.
  • 22 Remote Code Execution vulnerabilities – flaws enabling arbitrary code execution on a target system, potentially from a remote source.
  • 16 Information Disclosure vulnerabilities – flaws that may expose sensitive information to unauthorized parties.
  • 3 Denial of Service vulnerabilities – flaws that could disrupt normal operation or crash services on a system.
  • 2 Security Feature Bypass vulnerabilities – flaws allowing attackers to circumvent security mechanisms or protections.
  • 1 Spoofing vulnerability – a flaw that could let an attacker impersonate another user or entity.

Remote Code Execution (RCE) Vulnerabilities

Remote Code Execution flaws are among the most critical, as they can potentially allow an attacker to run arbitrary code on affected systems. This Patch Tuesday includes fixes for five critical RCEs and numerous Important-rated RCEs:

  • CVE-2025-54916 (Windows NTFS) – A vulnerability in the Windows NTFS file system that can lead to code execution due to a stack buffer overflow. Despite being labeled as an “RCE,” it is not directly exploitable over the network without user interaction or prior access. In practice, an attacker would need to already run code on the target machine or trick a user into launching a malicious file that triggers the exploit. This is a common pattern in social engineering attacks, where a victim is persuaded to open an email attachment or download and run a file. Microsoft has flagged this flaw as “Exploitation More Likely,” especially given that the last NTFS vulnerability patched (in March 2025) was already being actively exploited as a zero-day. Administrators should treat this patch with high priority, as a reliable exploit could soon emerge in the wild.
  • CVE-2025-54910 (Microsoft Office) – A critical vulnerability in Microsoft Office (affecting Office 2016, 2019, Office LTSC 2021/2024, and Microsoft 365 Apps) caused by a heap-based memory overflow. It could be exploited by convincing a user to open a booby-trapped Office document (e.g., a Word or Excel file). The malicious file, once opened, can execute arbitrary code with the privileges of the victim user. Although this attack vector requires user interaction (opening a file), the trigger can be initiated remotely by sending the file via email or a download link. Given the prevalence of Office in enterprises, this type of client-side RCE is a serious threat and has earned a Critical rating.
  • CVE-2025-55226 & CVE-2025-55236 (DirectX Graphics Kernel) – These two critical vulnerabilities in the Windows graphics kernel (DirectX component) could allow code execution at the kernel level. CVE-2025-55226 arises from improper synchronization when using shared resources concurrently, and CVE-2025-55236 is due to a time-of-check to time-of-use (TOCTOU) race condition. In both cases, a local adversary or a malicious program could exploit the flaw to run code with kernel privileges. Exploiting these requires local access or execution, as an attacker would likely need to run a specially crafted application on the target system. Microsoft notes that for CVE-2025-55226 the attacker must prepare the target environment to improve exploit reliability, indicating a complex exploit scenario. Despite needing local access, these vulnerabilities are deemed critical because a successful attack could completely compromise the system (full control at the OS kernel level).
  • CVE-2025-54101 (Windows SMBv3 Client/Server) – A noteworthy remote code execution bug in the Windows SMB version 3 protocol, rated Important. It involves a use-after-free memory bug combined with a race condition. An attacker with network access and valid credentials could attempt to exploit this vulnerability to execute code on a target by leveraging a timing condition in how SMB handles certain requests. Successfully pulling off this attack is non-trivial — it requires winning a race condition, which can make exploitation unreliable. There have been no reports of active exploitation, likely due to its complexity. Nevertheless, this patch closes an opportunity for an authenticated network-based attacker to potentially run code on a server or client via SMB.
  • CVE-2025-55224 (Windows Hyper-V) – This Critical RCE vulnerability in Microsoft’s Hyper-V virtualization platform is also addressed, preventing a potentially dire scenario. The flaw could allow code execution on the Hyper-V host from within a guest virtual machine. In essence, an attacker who has compromised or controls a VM could exploit CVE-2025-55224 to escape the virtual environment and execute code on the underlying host server. Such a breach of the hypervisor boundary (VM escape) poses significant risk in cloud and datacenter environments. Although no active exploits are known, patching this vulnerability is crucial for any organization using Hyper-V to ensure isolation between VMs and hosts remains intact.

Elevation of Privilege (EoP) Vulnerabilities

Privilege escalation vulnerabilities make up the largest portion of this month’s patches (41 out of 81). These flaws are used by attackers after gaining an initial foothold on a system, to increase their access rights from a regular user to administrator or SYSTEM level. While they often receive less public attention than RCEs, EoP bugs are critical in multi-stage attack scenarios (for example, malware that gains user-level access and then uses EoP exploits to take full control). In fact, for the third time this year, Microsoft’s Patch Tuesday includes more fixes for privilege escalation flaws than for remote code execution, highlighting the emphasis on hardening post-compromise defenses.

  • CVE-2025-54918 (Windows NTLM) – Among the most serious flaws this month is a Critical-rated privilege escalation in the Windows NTLM authentication mechanism. This vulnerability stems from improper authentication handling in NTLM (the legacy Windows network authentication protocol). It could allow an attacker with network access and valid credentials (or stolen NTLM hashes) to craft and send specially formatted authentication requests that grant them SYSTEM-level privileges on the target system. In effect, CVE-2025-54918 enables a remote privilege escalation — a rarity, since most EoP vulnerabilities require local access. Microsoft has marked this issue as “Exploitation More Likely,” meaning administrators should assume attackers will attempt to leverage it. Environments using NTLM for authentication should prioritize this patch, as a compromise of even a low-level account could be leveraged to fully take over a machine.
  • CVE-2025-55234 (Windows SMB, Relay Attack) – Another notable EoP vulnerability is CVE-2025-55234, affecting the Windows SMB service. This bug, rated Important, was publicly disclosed prior to the patch release, making it a known zero-day. It enables SMB relay attacks: an adversary with network access can intercept a legitimate user’s authentication attempt and forward (relay) those credentials to a target SMB server to gain unauthorized access with that user’s privileges. Essentially, an attacker in position to perform a man-in-the-middle on SMB traffic could elevate their rights on an SMB server by leveraging a victim’s credentials. Microsoft points out that mitigations for such attacks already exist in Windows, namely enabling SMB Server Signing and Extended Protection for Authentication (EPA) on SMB servers to thwart relays. However, these features might be turned off in some environments for compatibility reasons. The September updates introduce auditing capabilities to help administrators gauge if enforcing SMB signing/EPA will cause issues in their network. It’s advisable to enable these SMB hardening features as soon as feasible; admins should apply this patch and then consider gradually enforcing SMB signing and EPA to eliminate this attack vector, verifying compatibility via the new audit mode.
  • Other notable EoP fixes – Beyond the above, a wide array of privilege escalation flaws were patched across various components. Several EoPs involve Hyper-V (e.g., CVE-2025-54098, CVE-2025-54092), indicating that an attacker who has code execution in a guest VM could potentially escalate privileges on the host or affect other VMs if those bugs were left unpatched. Additionally, a vulnerability in the Windows TCP/IP driver (CVE-2025-54093) was addressed; this could have allowed an attacker already running code on a machine to gain SYSTEM privileges by exploiting a bug in the networking stack. The Windows kernel and kernel-mode drivers also received fixes for EoP issues (for instance, CVE-2025-54110), which, if exploited, could let a local user or malware assume complete control of the OS. Other EoP patches cover components like BitLocker (full-disk encryption), LSASS (Local Security Authority Subsystem Service), the Bluetooth service, the Connected Devices Platform service, and more. None of these were reported as under active exploit at the time of release. However, Microsoft has assessed several as likely candidates for future exploitation. It is therefore essential for security teams to deploy these privilege escalation patches promptly, to limit attackers’ ability to leverage post-compromise exploits for lateral movement or persistent control.

Information Disclosure, Denial of Service, and Other Flaws

In addition to RCE and EoP, the September 2025 update bundle fixes 16 Information Disclosure vulnerabilities. Such issues may not grant full system access, but they can leak sensitive information that could aid attackers in further compromising a network. For example, CVE-2025-53799 (Windows Imaging Component) is a Critical-rated bug that could allow an attacker to read data from memory that should remain private. Likewise, CVE-2025-55242 (Xbox) is a Critical vulnerability in an Xbox-related certification component that might expose sensitive system information. Most other information disclosure bugs patched this month are rated Important and reside in various parts of the Windows OS (kernel drivers, network services, Office applications, etc.).

Three Denial of Service (DoS) vulnerabilities are also addressed. One notable case is CVE-2025-53805 in HTTP.sys, which is the Windows component that handles HTTP requests (and is used by the IIS web server). A remote, unauthenticated attacker could exploit this flaw by sending specially crafted HTTP requests to a Windows server, causing a crash or service hang – effectively taking the web service offline. Other DoS fixes involve, for instance, the LSASS process (Local Security Authority). An attack on LSASS could force a Windows system to reboot or at least disrupt authentication processes, potentially causing a loss of service or requiring manual intervention to restore operations.

Additionally, two Security Feature Bypass vulnerabilities were patched. These allow an attacker to circumvent certain security measures. For example, CVE-2025-54917 and CVE-2025-54107 involve the MapUrlToZone function (which determines the trust zone of a given URL); exploiting these could mislead the system about whether content comes from a trusted zone, possibly undermining security checks. Finally, one Spoofing vulnerability in Microsoft Office (CVE-2025-55243, affecting Office Online Server / OfficePlus) was fixed. While not as severe as RCEs, spoofing issues can be used in phishing or social engineering contexts – for instance, tricking users by displaying a fraudulent identity or source for malicious content.

Zero-Day Vulnerabilities Addressed

Two vulnerabilities that were known publicly (zero-days) before patches were available have been resolved in this update cycle:

  • CVE-2025-55234 (Windows SMB) – As discussed in the EoP section above, this SMB relay vulnerability was publicly disclosed prior to the patch release. Although Microsoft did not report any active exploitation, public knowledge of the flaw could have spurred attackers to develop exploits. Now patched, this vulnerability should be mitigated by applying the latest updates. Its presence underscored the need for defensive measures like SMB signing to already be in place as an interim protection.
  • CVE-2024-21907 (Newtonsoft.Json in SQL Server) – This issue involves the Newtonsoft.Json library (a JSON parsing component) used by Microsoft SQL Server. Disclosed in 2024, it’s essentially a denial-of-service vector rather than a code execution flaw. By feeding maliciously crafted data to the JsonConvert.DeserializeObject method, an attacker could trigger a StackOverflow exception in the library, causing the SQL Server process or service to crash. In scenarios where a SQL service is exposed (or accessible by lower-privileged users), an unauthenticated remote attacker might exploit this to take the database offline temporarily. The September 2025 SQL Server updates include an upgraded version of the Newtonsoft.Json library that fixes this issue. While this bug does not allow code execution, organizations should still apply the patch to prevent any potential service disruptions or exploitation of this vulnerability in attacks (for example, as part of a blended threat to distract or tie up resources).

Other Notable Security Updates in September 2025

Outside of Microsoft’s patches, several other vendors and projects released important security updates in September 2025:

  • Apple – Apple pushed out emergency updates for iOS (version 18.6.2), iPadOS (18.6.2 and 17.7.10), and macOS (15.6.1 “Sequoia,” 14.7.8 “Sonoma,” and 13.7.8 “Ventura”). These address, among other things, CVE-2025-43300, which is Apple’s seventh zero-day vulnerability of the year. That flaw was being actively exploited in the wild as part of a sophisticated spyware campaign. It was used in an exploit chain together with a WhatsApp vulnerability (CVE-2025-55177) to compromise iPhones and other Apple devices, according to research by Amnesty International. Users of Apple devices are strongly advised to install these updates to protect against the described spyware threat.
  • Google (Android) – The Android security bulletin for September 2025 fixes a total of 84 vulnerabilities. Notably, Google patched two actively exploited zero-day flaws earlier in the month (CVE-2025-38352 in the Android kernel, and CVE-2025-48543 in the Android Runtime). Both are privilege escalation issues that were being used by attackers in the wild prior to the patch. Android devices with a security patch level of 2025-09-05 or later include these fixes. It’s important for Android users (and enterprise device administrators) to ensure devices are updated, as these kernel and runtime vulnerabilities could allow apps or local attackers to gain elevated privileges.
  • Adobe – Adobe released security updates addressing a critical flaw nicknamed “SessionReaper” which impacts Magento, the popular e-commerce platform. Unpatched Magento instances could be at risk of exploitation, potentially allowing attackers to steal session data or take over online store accounts. Merchants running Magento should apply the Adobe patch promptly to secure their storefronts.
  • Cisco – Cisco published advisories and patches for multiple products, including Cisco WebEx and Cisco ASA (Adaptive Security Appliance), among others. These updates fix vulnerabilities that range from remote code execution to information disclosure. Network administrators using Cisco equipment or software should review Cisco’s September security advisories to identify relevant updates and implement them to protect against potential threats.
  • SAP – The enterprise software vendor SAP issued its monthly security updates, which include a fix for a maximum-severity command execution vulnerability in SAP NetWeaver (an application server platform). Several other SAP products received patches as well. Given the critical nature of the NetWeaver bug (which could allow remote command execution on unpatched systems), organizations running SAP software should prioritize these updates to prevent possible compromise of their SAP environments.
  • Argo CD – The open-source continuous deployment tool Argo CD had a security release to fix a vulnerability whereby low-privileged API tokens could access API endpoints and retrieve all repository credentials associated with a project. Such a flaw could leak sensitive secrets (like repository passwords or keys) and undermine the security of deployment pipelines. Users of Argo CD should update to the fixed version to ensure that access controls are properly enforced on API tokens.
  • Sitecore – Sitecore, a digital experience and content management platform, addressed a zero-day vulnerability (CVE-2025-53690) that was being actively exploited. Details are limited, but this flaw likely allowed attackers to compromise Sitecore installations prior to the patch. Companies using Sitecore should install the latest security update to mitigate any ongoing exploitation and protect their web infrastructure.
  • TP-Link – Networking hardware maker TP-Link confirmed a new zero-day vulnerability affecting some of its router models. While specifics on the flaw are still under investigation as of September 2025, TP-Link acknowledged the issue and is assessing exploitability. The company is preparing patches, initially focusing on U.S. models. Users of TP-Link routers should keep an eye out for firmware updates and apply them as soon as they become available, and in the meantime, ensure their router’s security settings are hardened (e.g., disabling remote administration if not needed).

Finally, within the Microsoft ecosystem, it’s worth noting that only two months remain until the end of free support for Windows 10 (scheduled for October 2025). The September 2025 Patch Tuesday is among the last batches of security updates that Windows 10 systems will receive without extended support contracts. Organizations should factor this into their patch management planning: upgrading systems to a supported OS (such as Windows 11 or enterprise LTSC versions), purchasing Extended Security Updates (ESU) if offered, or implementing additional security controls for legacy Windows 10 machines that will no longer get patches. In the meantime, it is highly recommended to apply all September 2025 updates to ensure systems are protected against the vulnerabilities discussed above, and to continue a regular patch cadence to maintain a robust security posture.

Sources:

https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2025/
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/
https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/