Microsoft has released its September 2025 Patch Tuesday update, addressing a total of 81 security vulnerabilities across its product portfolio.
This extensive release includes fixes for two zero-day vulnerabilities that are actively being exploited. Among the patched flaws, ten are rated as “Critical,” while the remaining 71 are classified as “Important.”
The updates cover a wide range of products, including Windows, Microsoft Office, Azure, SQL Server, and Windows Defender.
| Impact | Count |
|---|---|
| Elevation of Privilege (EoP) | 38 |
| Remote Code Execution (RCE) | 22 |
| Information Disclosure | 14 |
| Denial of Service (DoS) | 4 |
| Security Feature Bypass | 2 |
| Spoofing | 1 |
| Total | 81 |
Zero-Day Flaws Patched
This month’s security release is particularly significant due to the inclusion of patches for two zero-day vulnerabilities. The first, CVE-2025-55234, is an Elevation of Privilege (EoP) vulnerability in the Windows Server Message Block (SMB) protocol.
According to Microsoft, an attacker who successfully exploits this flaw could execute relay attacks, potentially allowing them to gain elevated privileges on affected systems.
Given the widespread use of SMB for file sharing, this vulnerability poses a considerable risk and should be patched immediately.
The second zero-day, CVE-2024-21907, is a denial-of-service vulnerability in Newtonsoft.Json, a popular JSON framework for .NET.
The flaw stems from improper handling of exceptional conditions, where specially crafted data passed to the JsonConvert.DeserializeObject method can trigger a StackOverflow exception, causing the application to crash.
This vulnerability can be exploited remotely by an unauthenticated attacker, and Microsoft has confirmed it impacts SQL Server installations that use the affected library.
Critical Remote Code Execution and Privilege Escalation Bugs
Beyond the zero-days, Microsoft addressed ten critical vulnerabilities, many of which could lead to Remote Code Execution (RCE) or Elevation of Privilege.
Several critical RCE flaws were discovered in the Windows Graphics Kernel and Component, including CVE-2025-55226, CVE-2025-55228, and CVE-2025-55236.
These vulnerabilities are caused by race conditions, allowing an authorized attacker to execute arbitrary code on a target machine.
Other critical vulnerabilities include a heap-based buffer overflow in Microsoft Office (CVE-2025-54910) and a race condition flaw in Windows Hyper-V (CVE-2025-55224), both of which could permit remote code execution.
A critical Elevation of Privilege vulnerability in Windows NTLM (CVE-2025-54918) was also patched, which could allow an authorized attacker to elevate their privileges over the network through improper authentication.
The high volume of important-rated flaws, spanning products from Microsoft Excel and SharePoint to the Windows Kernel and PowerShell, underscores the broad scope of this month’s update.
Of the 81 vulnerabilities addressed in Microsoft’s September 2025 Patch Tuesday, none were reported as publicly disclosed or actively exploited. The release includes patches for 8 Critical and 73 Important severity flaws.
Below is a comprehensive table of all vulnerabilities fixed in this update, with links to the official Microsoft Security Response Center (MSRC) advisories.
| CVE | Vulnerability Details | Actively Exploited | Type | Severity |
|---|---|---|---|---|
| Critical Vulnerabilities | ||||
| CVE-2025-54918 | Improper authentication in Windows NTLM allows for network-based privilege elevation. | No | Elevation of Privilege | Critical |
| CVE-2025-55226 | A race condition in the Graphics Kernel can be exploited for local code execution. | No | Remote Code Execution | Critical |
| CVE-2025-55228 | A race condition in the Windows Graphics Component allows local code execution. | No | Remote Code Execution | Critical |
| CVE-2025-55236 | A race condition in the Graphics Kernel could lead to local code execution. | No | Remote Code Execution | Critical |
| CVE-2025-53799 | Use of an uninitialized resource in the Windows Imaging Component leads to information disclosure. | No | Information Disclosure | Critical |
| CVE-2025-53800 | A flaw in the Microsoft Graphics Component can be used for local privilege elevation. | No | Elevation of Privilege | Critical |
| CVE-2025-54910 | A heap-based buffer overflow in Microsoft Office allows for local remote code execution. | No | Remote Code Execution | Critical |
| CVE-2025-55224 | A race condition in Windows Hyper-V can be used for local code execution. | No | Remote Code Execution | Critical |
| Important Vulnerabilities | ||||
| CVE-2024-21907 | A flaw in Newtonsoft.Json used by SQL Server can lead to a denial-of-service condition. | No | Denial of Service | Important |
| CVE-2025-49734 | A flaw in PowerShell Direct allows for local privilege escalation. | No | Elevation of Privilege | Important |
| CVE-2025-53797 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-53798 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-54095 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54096 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54097 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54099 | A stack-based buffer overflow in the Ancillary Function Driver for WinSock allows privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54101 | A use-after-free flaw in the Windows SMBv3 Client allows for remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-54102 | A use-after-free flaw in the Connected Devices Platform Service can be used for privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54106 | An integer overflow in RRAS could allow an attacker to execute code over the network. | No | Remote Code Execution | Important |
| CVE-2025-54110 | An integer overflow in the Windows Kernel can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54111 | A use-after-free flaw in Windows UI XAML allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54894 | A vulnerability in the Local Security Authority Subsystem Service leads to privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54895 | An integer overflow in SPNEGO NEGOEX allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54896 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54897 | Deserialization of untrusted data in SharePoint can lead to remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-54898 | An out-of-bounds read in Microsoft Excel can be used for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54899 | Freeing memory not on the heap in Microsoft Excel can lead to local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54902 | An out-of-bounds read in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54903 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54904 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54905 | An untrusted pointer dereference in Microsoft Word can lead to information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54906 | Freeing memory not on the heap in Microsoft Office can lead to local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54907 | A heap-based buffer overflow in Microsoft Visio allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54908 | A use-after-free vulnerability in Microsoft PowerPoint allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54913 | A race condition in Windows UI XAML Maps can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54916 | A stack-based buffer overflow in Windows NTFS allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54919 | A race condition in the Windows Graphics Component leads to local code execution. | No | Remote Code Execution | Important |
| CVE-2025-55223 | A race condition in the DirectX Graphics Kernel allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55225 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-55232 | Deserialization of untrusted data in HPC Pack can lead to remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-55245 | Improper link resolution in Xbox Gaming Services can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55243 | Exposure of sensitive information in Microsoft OfficePlus can lead to spoofing. | No | Spoofing | Important |
| CVE-2025-55316 | External control of a file name or path in Azure Arc allows for privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55317 | Improper link resolution in Microsoft AutoUpdate can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-49692 | Improper access control in the Azure Connected Machine Agent allows local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-47997 | A race condition in SQL Server can lead to network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-53796 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-53801 | An untrusted pointer dereference in the DWM Core Library can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53802 | A use-after-free flaw in the Windows Bluetooth Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53803 | An error message in the Windows Kernel could disclose sensitive information locally. | No | Information Disclosure | Important |
| CVE-2025-53804 | Exposure of sensitive information in a Windows Kernel-Mode Driver can lead to local information disclosure. | No | Information Disclosure | Important |
| CVE-2025-53805 | An out-of-bounds read in HTTP.sys can lead to a denial of service. | No | Denial of Service | Important |
| CVE-2025-53806 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-53807 | A race condition in the Microsoft Graphics Component allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53808 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53809 | Improper input validation in LSASS can lead to a denial of service. | No | Denial of Service | Important |
| CVE-2025-53810 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54091 | An integer overflow in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54092 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54093 | A race condition in the Windows TCP/IP Driver allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54094 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54098 | Improper access control in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54103 | A use-after-free flaw in Windows Management Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54104 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54105 | A race condition in the Brokering File System can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54107 | Improper path resolution in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
| CVE-2025-54108 | A race condition in the Capability Access Management Service allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54109 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54112 | A use-after-free flaw in Microsoft Virtual Hard Disk can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54113 | A heap-based buffer overflow in RRAS allows for remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-54114 | A race condition in the Connected Devices Platform Service can lead to a denial of service. | No | Denial of Service | Important |
| CVE-2025-54115 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54116 | Improper access control in Windows MultiPoint Services allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54900 | A heap-based buffer overflow in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54901 | A buffer over-read in Microsoft Excel can lead to local information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54911 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54912 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54915 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54917 | A protection mechanism failure in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
| CVE-2025-55227 | A command injection vulnerability in SQL Server allows for network-based privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55234 | A flaw in Windows SMB could allow an attacker to perform relay attacks, leading to privilege elevation. | No | Elevation of Privilege | Important |
System administrators are strongly urged to review the September 2025 release and apply all relevant security updates promptly to mitigate these risks.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
