Microsoft Patch Tuesday – September 2025

Microsoft Patch Tuesday – September 2025

No Comments

Microsoft’s September 2025 Patch Tuesday is one of the year’s largest update releases, remediating 81 security vulnerabilities in Windows, Office, Azure, SQL Server, and more—including two critical zero-day disclosures and several high-impact remote code execution flaws. Below is a detailed breakdown for enterprise defenders, vulnerability analysts, and cybersecurity professionals.

Key Stats

  • Total CVEs Addressed: 81 (excluding Edge, Xbox, Azure, Mariner patches released separately)
  • Zero-days Remediated: 2 (CVE-2025-55234, CVE-2024-21907)
  • Critical Vulnerabilities: 9
  • 5 Remote Code Execution (RCE)
  • 2 Elevation of Privilege
  • 1 Information Disclosure
  • 1 Security Feature Bypass[1]
  • Top Categories: 41 Elevation of Privilege, 22 RCE, 16 Info Disclosure, 3 DoS, 1 Spoofing

Here are the details of all important vulnerabilities from Microsoft Patch Tuesday September 2025, including critical CVEs, zero-days, and vulnerabilities rated as “Exploitation More Likely” by Microsoft.

Most Important September 2025 CVEs

CVE-2025-55234 — Windows SMB Elevation of Privilege (Zero-Day)

  • Component: Windows Server Message Block (SMB)
  • Severity: Important, CVSS 8.8
  • Attack Vector: Unauthenticated attacker exploits SMB to elevate privileges to the compromised user’s account.
  • Public Disclosure: Yes, prior to patch release.
  • Impact: Aids in assessing legacy SMB security; fifth SMB flaw in 2025 and third EoP.

CVE-2025-54918 — Windows NTLM Elevation of Privilege

  • Component: NT LAN Manager (NTLM)
  • Severity: Critical, CVSS 8.8, Exploitation More Likely
  • Attack Vector: Allows privilege escalation to SYSTEM by abusing NTLM, a core Windows authentication protocol.
  • Relevance: Third NTLM EoP in 2025. Builds on previous zero-days patched in earlier months.

CVE-2025-54916 — Windows NTFS Remote Code Execution

  • Component: New Technology File System (NTFS)
  • Severity: Important, CVSS 7.8, Exploitation More Likely
  • Attack Vector: Any authenticated attacker could trigger RCE via NTFS driver flaws.
  • Context: Second NTFS RCE of 2025

CVE-2025-54910 — Microsoft Office Remote Code Execution

  • Component: Microsoft Office (all platforms)
  • Severity: Critical, CVSS 8.4, Exploitation Less Likely
  • Attack Vector: User opens malicious Office file or previews it in Outlook, attacker gains RCE.
  • Special Note: Mac and LTSC versions awaiting update.

CVE-2025-54897 — Microsoft SharePoint Remote Code Execution

  • Component: Microsoft SharePoint
  • Severity: Important, CVSS 8.8, Exploitation Less Likely
  • Attack Vector: Any authenticated SharePoint user could inject and execute code.
  • Risk: RCE possible without admin privileges.

CVE-2025-55224 — Windows Hyper-V Remote Code Execution

  • Component: Hyper-V virtualizer
  • Severity: Critical, CVSS 7.8, Exploitation Less Likely
  • Attack Vector: Race condition lets attacker break out of guest VM to execute code on Hyper-V host.
  • Complexity: High, but impact significant for successful exploitation.

Additional Hyper-V EoP Vulnerabilities

  • CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115
  • Component: Windows Hyper-V
  • Severity: CVSS 7.0–7.8, Exploitation More/Less Likely
  • Attack Vector: Local authenticated user achieves SYSTEM. Some require complex conditions like race wins.

Vulnerability Cluster by Risk Type

  • Elevation of Privilege: Nearly half of all addressed CVEs; enables attackers to gain system or administrative access for further exploitation.
  • Remote Code Execution: RCE flaws in Office, SharePoint, Hyper-V, and NTFS allow attackers to run arbitrary code, often leading to full compromise.
  • Publicly Known & Exploited: CVE-2025-55234 is a zero-day and was detailed by researchers prior to patch release, heightening urgency.

Severity Distribution

  • Elevation of Privilege: 41
  • Remote Code Execution: 22
  • Info Disclosure: 16
  • Denial of Service: 3
  • Security Feature Bypass: 2
  • Spoofing: 1

Noteworthy Exploitation Scenarios

  • SMB Relay Attacks: Where legacy authentication remains, attackers could escalate privileges via network relay.
  • Office & Excel RCEs: Multiple vulnerabilities allow remote code execution via maliciously-crafted files.
  • NTFS and Hyper-V: RCE and privilege escalation can enable lateral movement in multi-user and virtualized environments.

Recommendations

  • Prioritize: Patch all critical and zero-day vulnerabilities, focusing on Windows SMB, Office, and exposed server infrastructure.
  • Audit: Enable SMB hardening features and perform compatibility audits in large or diverse networks.
  • Continuous Monitoring: Monitor new advisories for updates connected to these CVEs.

Stay vigilant and patch quickly—these vulnerabilities pose a real and immediate risk to enterprise assets, endpoint devices, and cloud infrastructure.

For a full list of vulnerabilities, see the official Microsoft Security Update Guide and your vulnerability management tools

Tags:

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.