Microsoft Patch Tuesday has 86 Fixes, 2 Zero-Day Vulnerabilities
Microsoft's September 2025 Patch Tuesday update addresses 86 security issues in products including Microsoft Windows and Microsoft Office.
This includes two publicly disclosed zero-day bugs, one in the Windows SMB Server and one in Newtonsoft.Json.
Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation.
| Field | Value |
|---|---|
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-09-09 |
| No. of Patches | 86 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
CVEs addressed for Microsoft and non-Microsoft products:
- 81 Microsoft CVEs addressed
- 5 non-Microsoft CVEs addressed
Breakdown of September 2025 Vulnerabilities
- 41 Elevation of Privilege (EoP)
- 22 Remote Code Execution (RCE)
- 16 Information Disclosure
- 4 Denial of Service (DoS)
- 2 Security Feature Bypass
- 1 Spoofing
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Windows SMB Elevation of Privilege Vulnerability | CVE-2025-55234 | Windows Server, Windows 10, 11 | High | 8.8 |
| Improper Handling of Exceptional Conditions in Newtonsoft.Json | CVE-2024-21907 | Microsoft SQL Server | High | 7.5 |
Technical Summary
September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.
One of the publicly disclosed zero-days, CVE-2024-21907, affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.
Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates.
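As an added example (not from the advisory or from Microsoft), the following PowerShell function reads the local SMB Server configuration and reports whether the hardening that CVE-2025-55234 depends on is enforced. It uses the standard `Get-SmbServerConfiguration` cmdlet; the `SmbServerNameHardeningLevel` property is assumed to be present only on newer Windows builds and is skipped where absent, and the advisory's new audit settings are not named here because the page does not name them.

```powershell
# Added example: report SMB Server relay-hardening state on this host.
# Run from an elevated PowerShell session.
function Test-SmbRelayHardening {
    [CmdletBinding()]
    param()

    $cfg = Get-SmbServerConfiguration

    $findings = @()

    # RequireSecuritySignature is the setting that actually rejects unsigned
    # sessions; EnableSecuritySignature alone only advertises support.
    $findings += [pscustomobject]@{
        Check = 'SMB signing required'
        Value = $cfg.RequireSecuritySignature
        Pass  = [bool]$cfg.RequireSecuritySignature
        Fix   = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
    }

    # Server name hardening (0 = Off, 1 = Accept, 2 = Required) validates the
    # target name the client authenticated to, the SMB analogue of EPA.
    # Assumption: the property exists only on newer builds; absent means unavailable.
    if ($cfg.PSObject.Properties['SmbServerNameHardeningLevel']) {
        $findings += [pscustomobject]@{
            Check = 'SMB server name hardening (EPA-style)'
            Value = $cfg.SmbServerNameHardeningLevel
            Pass  = ($cfg.SmbServerNameHardeningLevel -ge 2)
            Fix   = 'Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force'
        }
    } else {
        $findings += [pscustomobject]@{
            Check = 'SMB server name hardening (EPA-style)'
            Value = 'not supported on this build'
            Pass  = $false
            Fix   = 'Install the September 2025 update / a build that supports it'
        }
    }

    $findings
}

Test-SmbRelayHardening | Format-Table -AutoSize
```

Any row with `Pass` equal to `False` is a host that still accepts relayed SMB authentication; apply the listed `Set-SmbServerConfiguration` command after confirming that all clients support signing.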
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-55234 | Microsoft SMB Server | Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege. | Privilege Escalation |
| CVE-2024-21907 | Newtonsoft.Json < 13.0.1 | Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition. | Denial of Service |
Source: Microsoft and NVD
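Because Newtonsoft.Json ships embedded in many applications (the advisory lists it under SQL Server), patching the OS alone does not remove vulnerable copies. The following PowerShell function is an added example, not from the advisory, that inventories `Newtonsoft.Json.dll` files under a directory tree and flags any whose file version is below the 13.0.1 fix version from the table above. It assumes the DLL's `FileVersion` metadata reflects the package version; the `C:\inetpub` root in the usage line is a constructed sample path.

```powershell
# Added example: find Newtonsoft.Json.dll copies older than the fixed version.
function Find-VulnerableNewtonsoftJson {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Fixed version per the CVE-2024-21907 row: anything below 13.0.1 is affected.
        [version] $FixedVersion = [version]'13.0.1'
    )

    Get-ChildItem -Path $Root -Recurse -Filter 'Newtonsoft.Json.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            # FileVersion usually carries a fourth field (e.g. 13.0.1.25517);
            # [version] parses that and compares it as >= 13.0.1.
            $parsed = [version]::TryParse($raw, [ref]$ver)

            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $raw
                Vulnerable  = if ($parsed) { $ver -lt $FixedVersion } else { 'unknown' }
            }
        }
}

# Constructed sample root; adjust to the application directories you own.
Find-VulnerableNewtonsoftJson -Root 'C:\inetpub' |
    Where-Object Vulnerable -ne $false |
    Format-Table -AutoSize
```

Rows marked `unknown` have unparseable version metadata and should be checked by hand; for applications that cannot be upgraded immediately, Newtonsoft.Json 13.0.1 introduced a default `MaxDepth` of 64, and setting `MaxDepth` explicitly in `JsonSerializerSettings` on older versions limits the nesting that triggers the StackOverflowException.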
In addition to the publicly disclosed zero-day vulnerabilities, several other Critical and High severity issues were addressed:
- CVE-2025-55232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface.
- CVE-2025-54918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems.
- CVE-2025-54110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations.
- CVE-2025-54098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments.
- CVE-2025-54916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges.
Key Affected Products and Services
The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
- Windows Core and Security Components: Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher.
- Microsoft Office Suite: Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors.
- Azure and Cloud Services: Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC).
- Virtualization and Hyper-V: Multiple vulnerabilities in Hyper-V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks.
- Developer and Management Tools: Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation.
- Communication & File Services: Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments.
- Browsers and Web Technologies: Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats.
Remediation:
Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks.
Conclusion:
Microsoft's September 2025 Patch Tuesday addresses 86 vulnerabilities, including several Critical and High rated issues across Windows, Office, Hyper-V, Azure and other components.
Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.
Microsoft fixed an elevation of privilege flaw in SMB Server that is exploited through relay attacks.
“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.