Microsoft September 2025 Patch Tuesday Fixes 81 Flaws, Two Zero-Days
Summary:
Today, as part of its September 2025 Patch Tuesday, Microsoft released security updates for 81 vulnerabilities. This total includes fixes for two publicly disclosed zero-day vulnerabilities and nine critical flaws, with five of these being remote code execution (RCE) vulnerabilities. The other critical vulnerabilities are one information disclosure and two elevation of privilege flaws. The majority of the flaws are elevation of privilege (41), followed by remote code execution (22), and information disclosure (16). The remaining vulnerabilities include security feature bypass (2), denial of service (3), and spoofing (1). The count of 81 vulnerabilities only includes those released on Patch Tuesday and excludes other security updates for products like Azure and Microsoft Edge released earlier in the month. The two publicly disclosed zero-days fixed this month were CVE-2025-55234, an elevation of privilege vulnerability in Windows SMB Server, and CVE-2024-21907, an improper handling of exceptional conditions vulnerability in Newtonsoft.Json, which is part of Microsoft SQL Server. The SMB Server flaw is related to relay attacks, and Microsoft has offered guidance on hardening systems with features like SMB Server Signing and Extended Protection for Authentication (EPA), noting that these might cause compatibility issues. The SQL Server vulnerability, previously known, could be exploited by an attacker to cause a denial of service.
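The SMB hardening guidance above turns on one setting: whether the host refuses unsigned SMB sessions, since a relayed NTLM authentication only succeeds against a server that accepts them. The PowerShell below is an added example, not code from the advisory, BleepingComputer or Microsoft; it audits the local SMB server and client signing posture with the built-in SmbShare cmdlets and offers a separate, opt-in enforcement step. It assumes an elevated session on Windows 8 / Server 2012 or later, and it does not cover the EPA half of Microsoft's guidance, which is configured per service rather than through these cmdlets.

```powershell
# Added example (not from the advisory or Microsoft): audit the SMB signing
# settings that Microsoft's CVE-2025-55234 hardening guidance relies on.
# Assumptions: Windows 8 / Server 2012 or later with the SmbShare module,
# run from an elevated PowerShell session on the host being assessed.
function Get-SmbSigningPosture {
    [CmdletBinding()]
    param()

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Relay mitigation needs *required* signing, not merely *enabled*:
    # EnableSecuritySignature only offers signing to peers that ask for it;
    # RequireSecuritySignature rejects unsigned sessions, which is what
    # stops a relayed authentication from being used against this host.
    $findings = @()
    if (-not $server.RequireSecuritySignature) {
        $findings += 'SMB server accepts unsigned sessions (RequireSecuritySignature = False)'
    }
    if (-not $client.RequireSecuritySignature) {
        $findings += 'SMB client will connect to unsigned servers (RequireSecuritySignature = False)'
    }
    if ($server.EnableSMB1Protocol) {
        $findings += 'SMB1 is enabled; SMB1 signing uses weaker MD5-based MACs than SMB2/3'
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        ServerSigningRequired    = $server.RequireSecuritySignature
        ServerSigningEnabled     = $server.EnableSecuritySignature
        ClientSigningRequired    = $client.RequireSecuritySignature
        ServerEncryptionRequired = $server.EncryptData
        Smb1Enabled              = $server.EnableSMB1Protocol
        Findings                 = $findings
    }
}

function Set-SmbSigningRequired {
    # Enforce signing on both sides. Run this only after the compatibility
    # assessment the advisory mentions: legacy clients and NAS appliances that
    # cannot sign lose access once RequireSecuritySignature is $true.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require SMB signing (server and client)')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
}

# Usage: report first; preview enforcement with -WhatIf before applying it.
$posture = Get-SmbSigningPosture
$posture | Format-List
if ($posture.Findings.Count -gt 0) {
    Write-Warning ('Signing gaps found: ' + ($posture.Findings -join '; '))
    # Set-SmbSigningRequired -WhatIf
}
```

The audit and the change are split on purpose: the report can be collected fleet-wide (for example via remoting) to size the compatibility impact the advisory warns about, and enforcement supports `-WhatIf` so the change can be staged host by host.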
In addition to Microsoft, other vendors also released security updates or advisories in September 2025:
- Adobe released security updates for a "SessionReaper" flaw impacting Magento eCommerce stores.
- Argo fixed an Argo CD vulnerability that allows low-privileged API tokens to access API endpoints and retrieve all repository credentials associated with the project.
- Cisco released patches for WebEx, Cisco ASA, and other products.
- Google released the September Android security updates that address a total of 84 vulnerabilities, including two actively exploited flaws.
- SAP released the September security updates for multiple products, including a fix for a maximum severity command execution bug in Netweaver.
- Sitecore released security updates for a zero-day vulnerability tracked as CVE-2025-53690 that was actively exploited in attacks.
- TP-Link confirmed a new zero-day exists in some of its routers, with the company exploring its exploitability and creating patches for US customers.
Microsoft's September 2025 Patch Tuesday is notable for its volume, addressing 81 vulnerabilities, and the inclusion of two publicly disclosed zero-days. The presence of nine critical flaws, particularly the five RCE vulnerabilities, underscores the importance of a swift patching cycle for all users and organizations. The fix for the SMB Server zero-day (CVE-2025-55234) is particularly critical given its potential for relay attacks and elevation of privilege, making it a prime target for attackers. While Microsoft offers hardening recommendations, the potential for compatibility issues with older systems means organizations must carefully assess and audit their environments. The high number of elevation of privilege flaws (41) also reinforces the notion of a persistent threat landscape where attackers seek to gain higher access on compromised systems.
Suggested Corrections:
Organizations should review the list of vulnerabilities resolved and apply the relevant patches as needed. To access the full list of vulnerabilities addressed, please use the link below:
https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Microsoft-Patch-Tuesday-September-2025.html
Link(s):
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/