
Microsoft’s September 2025 Patch Tuesday has been released, addressing a total of 81 security vulnerabilities across its extensive product portfolio. This security update includes patches for two publicly disclosed zero-day vulnerabilities, demanding immediate attention from security and IT professionals. The release, while smaller than the previous month’s substantial update, contains several critical-severity issues that pose significant risks to enterprise environments, particularly those involving core networking protocols and cloud services [1].
A comparative analysis with the August 2025 release provides context for the current patch cycle. Last month, Microsoft addressed 119 vulnerabilities, which included 13 rated as Critical and 91 as Important, alongside one publicly disclosed zero-day tracked as CVE-2025-53779 in Windows Kerberos [4]. The breakdown for August included 34 Remote Code Execution (RCE), 42 Elevation of Privilege (EoP), 16 Information Disclosure, 4 Denial of Service (DoS), and 4 Spoofing flaws. The September release, with its 81 flaws, represents a focused set of updates targeting specific high-risk areas.
Key Statistics and Vulnerability Breakdown
The September 2025 Patch Tuesday addresses vulnerabilities with varying severity levels and attack vectors. Of the 81 vulnerabilities patched, 9 are rated as Critical while 72 are classified as Important. The distribution by vulnerability type shows 22 Remote Code Execution flaws, 41 Elevation of Privilege vulnerabilities, 16 Information Disclosure issues, 3 Denial of Service weaknesses, 2 Security Feature Bypass problems, and 1 Spoofing vulnerability [1]. This distribution indicates a continued focus on privilege escalation attacks, which often follow initial access in attack chains.
The affected products span Microsoft’s entire ecosystem, with significant updates for Windows components, Microsoft Office applications, Azure cloud services, SQL Server, and the Chromium-based Edge browser. Core Windows components received the majority of patches, addressing vulnerabilities in the Windows Kernel, Hyper-V, Graphics Kernel, SMB client/server, Win32K, and the Routing and Remote Access Service (RRAS). Office applications including Excel, PowerPoint, Word, and SharePoint received multiple RCE patches that typically require user interaction through malicious files.
Analysis of Publicly Disclosed Zero-Day Vulnerabilities
The September update addresses two publicly disclosed zero-day vulnerabilities that require immediate patching priority. The first, tracked as CVE-2025-55234, is an Elevation of Privilege vulnerability in the Windows Server Message Block (SMB) Server component. According to the Microsoft Security Response Center (MSRC) guide, this flaw could be exploited through relay attacks to subject users to privilege escalation [3].
Microsoft recommends enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA) as mitigation measures, though these may cause compatibility issues with older systems. Notably, the September 2025 update enables auditing support to help administrators test compatibility before fully enforcing these hardening features. The exploitation status of this vulnerability remains unclear despite public disclosure.
The second zero-day, CVE-2024-21907, affects the Newtonsoft.Json library bundled with Microsoft SQL Server. This vulnerability, originally disclosed in 2024, has now been patched in SQL Server updates. The flaw exists in versions of Newtonsoft.Json before v13.0.1, where crafted data passed to the `JsonConvert.DeserializeObject` method can trigger a `StackOverflow` exception, causing a denial-of-service condition. An unauthenticated, remote attacker could potentially exploit this vulnerability to cause a DoS condition in affected SQL Server instances [3].
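The defect class behind CVE-2024-21907 is a recursive deserializer that follows input nesting without a bound, so a document with tens of thousands of nested arrays exhausts the stack. The upstream fix enforced a maximum nesting depth (Newtonsoft.Json 13.0.1 introduced a default `MaxDepth` of 64). The following Python is an added example written for this article, not Microsoft’s or Newtonsoft’s code: it shows the same mitigation applied in front of any recursive JSON parser. The depth guard scans iteratively, ignores brackets inside string literals, and rejects over-deep input before the recursive parser ever sees it. The names `json_nesting_depth`, `safe_loads`, `JsonTooDeepError`, `hostile_input` and `compare_loaders` are this example’s own, and the nested-array sample is constructed here to reproduce the shape of the reported trigger.

```python
import json

# Mirrors the post-fix Newtonsoft.Json default; chosen here as an assumed sane limit.
DEFAULT_MAX_DEPTH = 64


class JsonTooDeepError(ValueError):
    """Raised when a document nests deeper than the configured limit."""


def json_nesting_depth(data: str, max_depth: int = DEFAULT_MAX_DEPTH) -> int:
    """Return the maximum object/array nesting depth of a JSON text.

    Scans iteratively, so its own stack use is constant regardless of input.
    Brackets inside string literals (including after escaped quotes) are ignored.
    Raises JsonTooDeepError as soon as nesting exceeds max_depth, so a hostile
    document is rejected after at most max_depth + 1 opening brackets are read.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in data:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise JsonTooDeepError(
                    f"nesting exceeds max_depth={max_depth}; refusing to parse")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket in JSON text")
    return deepest


def safe_loads(data: str, max_depth: int = DEFAULT_MAX_DEPTH):
    """Depth-check first, then hand the text to the (recursive) stdlib parser."""
    json_nesting_depth(data, max_depth)
    return json.loads(data)


def hostile_input(levels: int) -> str:
    """Constructed sample: an array nested `levels` deep, the CVE-2024-21907 shape."""
    return "[" * levels + "]" * levels


def parser_outcome(data: str, loader) -> str:
    """Run a loader and report 'ok' or the name of the exception it raised."""
    try:
        loader(data)
        return "ok"
    except Exception as exc:  # the point here is to classify the failure mode
        return type(exc).__name__


def compare_loaders(data: str) -> dict:
    """Unguarded stdlib json.loads vs. the depth-guarded wrapper on the same input."""
    return {
        "unguarded": parser_outcome(data, json.loads),
        "guarded": parser_outcome(data, safe_loads),
    }


if __name__ == "__main__":
    # The unguarded parser fails with a RecursionError deep inside the decoder;
    # the guarded one refuses the input up front with a clear, cheap error.
    print(compare_loaders(hostile_input(100_000)))
    print(safe_loads('{"a": [1, {"b": "]]]"}]}'))
```

The guard is deliberately separate from the parser: it needs no knowledge of the parser’s internals, costs one linear pass over the input, and fails closed with an exception the caller can map to a 4xx response or a logged rejection rather than a crashed worker. The same pre-check idea transfers to any recursive-descent deserializer (XML, YAML, protocol buffers with nested messages) where the library does not expose its own depth limit.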
Critical Vulnerabilities and Their Impact
Among the nine Critical-rated vulnerabilities patched this month, several stand out due to their potential impact on cloud infrastructure and core operating system components. CVE-2025-55241 represents a critical elevation of privilege vulnerability in Azure Entra, Microsoft’s cloud-based identity and access management service. Similarly, CVE-2025-55244 addresses a critical elevation of privilege vulnerability in the Azure Bot Service, which could potentially compromise automated conversation infrastructure.
The update includes two Critical remote code execution vulnerabilities in the Graphics Kernel component, tracked as CVE-2025-55226 and CVE-2025-55236, both stemming from race conditions. These vulnerabilities could allow attackers to execute arbitrary code in the context of the current user. Another significant Critical vulnerability, CVE-2025-54910, affects Microsoft Office and involves a heap-based buffer overflow that allows local code execution, typically triggered through specially crafted documents.
A particularly noteworthy Critical vulnerability, CVE-2025-54918, affects the Windows NTLM authentication protocol and could allow an authorized attacker to elevate privileges over the network. This follows a similar critical NTLM flaw (CVE-2025-53778) that was patched just last month, indicating continued attention to this legacy authentication protocol [4]. The persistence of critical vulnerabilities in NTLM underscores the importance of migrating to more modern authentication protocols where possible.
Broader Industry Context and Additional Vendor Updates
Microsoft’s security updates occur amidst other significant developments within the company and the broader technology industry. Microsoft announced the general availability of Microsoft 365 Copilot in Viva Engage, expanding its generative AI assistant deeper into the employee experience platform [5]. Simultaneously, Microsoft Research is testing a prototype analog optical computer that uses light instead of traditional binary electronics, representing a potential future shift in computing architecture.
The National Institute of Standards and Technology (NIST) recently released a concept paper outlining a new cybersecurity framework designed specifically to secure artificial intelligence systems [6]. This development is particularly relevant given Microsoft’s extensive investment in AI-powered services and the increasing integration of AI capabilities across its product ecosystem, including security products.
The September patch cycle also included significant updates from other major vendors, highlighting a particularly busy period for security teams. Adobe patched a critical “SessionReaper” flaw impacting Magento eCommerce stores, while Google released Android security updates addressing 84 vulnerabilities, including two that were actively exploited. SAP fixed a maximum severity command execution bug in NetWeaver, and Sitecore patched a zero-day (CVE-2025-53690) that was actively exploited to deploy backdoors. Additional advisories were released by Cisco, Argo, and TP-Link, emphasizing the need for comprehensive patch management across all enterprise software [1].
Actionable Recommendations for Security Teams
Security teams should prioritize immediate patching for the two publicly disclosed zero-days (CVE-2025-55234 and CVE-2024-21907) due to their public disclosure status and potential for exploitation. The SMB vulnerability (CVE-2025-55234) requires particular attention, with administrators encouraged to utilize the new auditing features to test the impact of enabling SMB Server Signing and EPA before enforcement in production environments.
Critical remote code execution vulnerabilities should receive high priority, especially those affecting Windows core components and Microsoft Office applications. Organizations should ensure that patches for these vulnerabilities are deployed rapidly, particularly on internet-facing systems and endpoints accessible to untrusted users. The large number of Elevation of Privilege flaws (41) should not be overlooked, as these are frequently used by attackers after gaining initial access to expand their control within environments.
Comprehensive patch management should extend beyond Microsoft products to include updates from other vendors, particularly Adobe, Google, and SAP, based on the organization’s software inventory. Enterprises can utilize vulnerability management platforms like Qualys VMDR and Action1 to rapidly discover, prioritize, and remediate these new vulnerabilities across large environments [4][7]. Regular vulnerability scanning and patch verification processes should be implemented to ensure complete coverage.
The continued appearance of critical vulnerabilities in legacy protocols like NTLM and SMB reinforces the importance of security hardening measures beyond patching. Where possible, organizations should disable unnecessary legacy protocols and implement additional controls such as network segmentation, monitoring for anomalous authentication attempts, and the principle of least privilege across all systems.
Conclusion
Microsoft’s September 2025 Patch Tuesday addresses a significant number of vulnerabilities despite being smaller in volume than the previous month’s release. The presence of two publicly disclosed zero-days and multiple critical-severity vulnerabilities affecting core Windows components and cloud services necessitates immediate attention from security teams. The ongoing patching requirements for legacy protocols like NTLM and SMB highlight the challenges of maintaining security in complex enterprise environments with mixed protocol support.
The broader vendor patching landscape indicates a particularly active period for security updates, requiring coordinated efforts across multiple technology platforms. Security teams should approach this patch cycle with a risk-based prioritization strategy, focusing initially on the publicly disclosed zero-days and critical RCE vulnerabilities before addressing the larger number of elevation of privilege and information disclosure flaws. Regular vulnerability management processes and comprehensive asset inventory maintenance remain essential components of an effective security posture in light of these ongoing patching requirements.
References
1. BleepingComputer, “Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days,” Sep. 9, 2025.
2. CyberSecurityNews, “Microsoft September 2025 Patch Tuesday – 81 Vulnerabilities Fixed Including 22 RCE,” Sep. 9, 2025.
3. Microsoft Security Response Center (MSRC) Update Guide, accessed Sep. 9, 2025.
4. Qualys, “Microsoft and Adobe Patch Tuesday, August 2025 Security Update Review,” Aug. 12, 2025.
5. RedmondMag, “Microsoft 365 Copilot Boosts Viva Engage,” Sep. 3, 2025.
6. RedmondMag, “NIST Outlines Cybersecurity Framework for AI System,” Aug. 26, 2025.
7. Action1, “Patch Tuesday Vulnerability Insights,” updated Sep. 9, 2025.