Microsoft Patch Tuesday – September 2025

---

Microsoft’s September 2025 Patch Tuesday is one of the year’s largest update releases, remediating 81 security vulnerabilities in Windows, Office, Azure, SQL Server, and more—including two critical zero-day disclosures and several high-impact remote code execution flaws. Below is a detailed breakdown for enterprise defenders, vulnerability analysts, and cybersecurity professionals.

Key Stats

• Total CVEs Addressed: 81 (excluding Edge, Xbox, Azure, Mariner patches released separately)
• Zero-days Remediated: 2 (CVE-2025-55234, CVE-2024-21907)
• Critical Vulnerabilities: 9
• 5 Remote Code Execution (RCE)
• 2 Elevation of Privilege
• 1 Information Disclosure
• 1 Security Feature Bypass[1]
• Top Categories: 41 Elevation of Privilege, 22 RCE, 16 Info Disclosure, 3 DoS, 1 Spoofing

Here are the details of all important vulnerabilities from Microsoft Patch Tuesday September 2025, including critical CVEs, zero-days, and vulnerabilities rated as “Exploitation More Likely” by Microsoft.

Most Important September 2025 CVEs

CVE-2025-55234 — Windows SMB Elevation of Privilege (Zero-Day)

• Component: Windows Server Message Block (SMB)
• Severity: Important, CVSS 8.8
• Attack Vector: Unauthenticated attacker exploits SMB to elevate privileges to the compromised user’s account.
• Public Disclosure: Yes, prior to patch release.
• Impact: Aids in assessing legacy SMB security; fifth SMB flaw in 2025 and third EoP.

CVE-2025-54918 — Windows NTLM Elevation of Privilege

• Component: NT LAN Manager (NTLM)
• Severity: Critical, CVSS 8.8, Exploitation More Likely
• Attack Vector: Allows privilege escalation to SYSTEM by abusing NTLM, a core Windows authentication protocol.
• Relevance: Third NTLM EoP in 2025. Builds on previous zero-days patched in earlier months.

CVE-2025-54916 — Windows NTFS Remote Code Execution

• Component: New Technology File System (NTFS)
• Severity: Important, CVSS 7.8, Exploitation More Likely
• Attack Vector: Any authenticated attacker could trigger RCE via NTFS driver flaws.
• Context: Second NTFS RCE of 2025

CVE-2025-54910 — Microsoft Office Remote Code Execution

• Component: Microsoft Office (all platforms)
• Severity: Critical, CVSS 8.4, Exploitation Less Likely
• Attack Vector: User opens malicious Office file or previews it in Outlook, attacker gains RCE.
• Special Note: Mac and LTSC versions awaiting update.

CVE-2025-54897 — Microsoft SharePoint Remote Code Execution

• Component: Microsoft SharePoint
• Severity: Important, CVSS 8.8, Exploitation Less Likely
• Attack Vector: Any authenticated SharePoint user could inject and execute code.
• Risk: RCE possible without admin privileges.

CVE-2025-55224 — Windows Hyper-V Remote Code Execution

• Component: Hyper-V virtualizer
• Severity: Critical, CVSS 7.8, Exploitation Less Likely
• Attack Vector: Race condition lets attacker break out of guest VM to execute code on Hyper-V host.
• Complexity: High, but impact significant for successful exploitation.

Additional Hyper-V EoP Vulnerabilities

• CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115
• Component: Windows Hyper-V
• Severity: CVSS 7.0–7.8, Exploitation More/Less Likely
• Attack Vector: Local authenticated user achieves SYSTEM. Some require complex conditions like race wins.

Vulnerability Cluster by Risk Type

• Elevation of Privilege: Nearly half of all addressed CVEs; enables attackers to gain system or administrative access for further exploitation.
• Remote Code Execution: RCE flaws in Office, SharePoint, Hyper-V, and NTFS allow attackers to run arbitrary code, often leading to full compromise.
• Publicly Known & Exploited: CVE-2025-55234 is a zero-day and was detailed by researchers prior to patch release, heightening urgency.

Severity Distribution

• Elevation of Privilege: 41
• Remote Code Execution: 22
• Info Disclosure: 16
• Denial of Service: 3
• Security Feature Bypass: 2
• Spoofing: 1

Noteworthy Exploitation Scenarios

• SMB Relay Attacks: Where legacy authentication remains, attackers could escalate privileges via network relay.
• Office & Excel RCEs: Multiple vulnerabilities allow remote code execution via maliciously-crafted files.
• NTFS and Hyper-V: RCE and privilege escalation can enable lateral movement in multi-user and virtualized environments.

Recommendations

• Prioritize: Patch all critical and zero-day vulnerabilities, focusing on Windows SMB, Office, and exposed server infrastructure.
• Audit: Enable SMB hardening features and perform compatibility audits in large or diverse networks.
• Continuous Monitoring: Monitor new advisories for updates connected to these CVEs.

Stay vigilant and patch quickly—these vulnerabilities pose a real and immediate risk to enterprise assets, endpoint devices, and cloud infrastructure.

For a full list of vulnerabilities, see the official Microsoft Security Update Guide and your vulnerability management tools