Microsoft has released its September 2025 Patch Tuesday security updates, addressing 81 vulnerabilities, including two publicly disclosed zero-day flaws and nine critical vulnerabilities. The updates fix various issues, including remote code execution and elevation of privilege vulnerabilities.
The vulnerabilities fixed in this Patch Tuesday are categorized as follows: 41 Elevation of Privilege Vulnerabilities, 2 Security Feature Bypass Vulnerabilities, 22 Remote Code Execution Vulnerabilities, 16 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, and 1 Spoofing Vulnerability. It’s worth noting that the count of 81 vulnerabilities includes only those released on Patch Tuesday and does not encompass other vulnerabilities addressed earlier in September, such as three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and one Xbox vulnerabilities.
This month’s Patch Tuesday addresses two publicly disclosed zero-day vulnerabilities. The first, CVE-2025-55234, is a Windows SMB Elevation of Privilege Vulnerability that can be exploited through relay attacks: an attacker who relays a victim’s authentication to an SMB server that does not require signing or enforce EPA can act on that server with the victim’s privileges. Microsoft explains that “SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.” To mitigate this, Windows already includes hardening settings, namely SMB Server Signing and SMB Server Extended Protection for Authentication (EPA), although enforcing them may cause compatibility issues with older devices and clients that cannot sign, so administrators should inventory connected clients before switching from audit to enforcement.
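The following PowerShell is an added example and is not code from the article or from Microsoft. It reads the SMB server settings the advisory names as mitigations, lists the clients currently connected (so you can spot old hardware or SMB1 clients that will break once signing is required), and, only when run with -Enforce, turns the settings on. The SmbServerNameHardeningLevel parameter (SPN target-name validation) exists only on recent builds such as Windows 11 24H2 and Windows Server 2025, and treating it as the relevant EPA control is an assumption made here; the script skips it where the property is absent.

```powershell
# Added example (not from the article): audit and optionally enforce the SMB server
# hardening Microsoft names as mitigations for CVE-2025-55234. Run in an elevated shell.
# Without -Enforce the script only reads configuration and sessions.
param([switch]$Enforce)

$cfg = Get-SmbServerConfiguration

# EnableSecuritySignature means the server offers signing; RequireSecuritySignature
# means it refuses unsigned sessions. Only the latter stops a relayed session
# from being usable against this host.
$cfg | Select-Object EnableSecuritySignature, RequireSecuritySignature, EncryptData |
    Format-List

# SPN target-name validation (assumed here to be the EPA-related control):
# 0 = off, 1 = accept, 2 = required. Absent on older builds, so probe for it.
$hasNameHardening = $null -ne $cfg.PSObject.Properties['SmbServerNameHardeningLevel']
if ($hasNameHardening) {
    "SmbServerNameHardeningLevel: $($cfg.SmbServerNameHardeningLevel)"
} else {
    "SmbServerNameHardeningLevel: not available on this build"
}

# Inventory before enforcing: clients negotiating SMB1 or old appliances that cannot
# sign will lose access once RequireSecuritySignature is set.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Sort-Object ClientComputerName -Unique |
    Format-Table -AutoSize

if ($Enforce) {
    # Require signing for every SMB session this server accepts.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    if ($hasNameHardening) {
        # Require that the SPN presented by the client matches this server.
        Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force
    }
    # Re-read to confirm the change took effect.
    Get-SmbServerConfiguration |
        Select-Object RequireSecuritySignature, EnableSecuritySignature | Format-List
}
```

Run it once without -Enforce on a file server, review the session list for clients that would break, and only then run it with -Enforce. Settings changed with Set-SmbServerConfiguration apply to the local server; for a fleet, push the same values through Group Policy instead of per-host scripts.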
The second zero-day vulnerability, CVE-2024-21907, involves improper handling of exceptional conditions in Newtonsoft.Json as shipped with Microsoft SQL Server. Microsoft states that “CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.” The SQL Server updates bundle a patched Newtonsoft.Json to address this issue, which was publicly disclosed in 2024. The practical point for anyone else embedding the library: a StackOverflowException cannot be caught in .NET, so deeply nested input crashes the whole process, and the fix is to bound nesting depth so the parser fails with an ordinary, catchable exception instead.
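The PowerShell script below is an added example, not code from the article, from Microsoft or from the Newtonsoft.Json project. It loads Newtonsoft.Json.dll from a path supplied by the caller (the default path is an assumption), builds a constructed hostile document of deeply nested arrays, and parses it with an explicit MaxDepth of 64, the cap that 13.0.1 applies by default, so the parser raises a catchable JsonReaderException. The -NoGuard switch removes the cap to show the failure mode; on a library older than 13.0.1 that path terminates the PowerShell process rather than throwing.

```powershell
# Added example (not from the article): show the nesting-depth failure behind
# CVE-2024-21907 and the MaxDepth guard that bounds it.
# Assumptions: Newtonsoft.Json.dll is reachable at $JsonDll (path is an assumption);
# -NoGuard on a pre-13.0.1 build will crash this process with a StackOverflowException.
param(
    [string]$JsonDll = "$PSScriptRoot\Newtonsoft.Json.dll",
    [int]$Depth = 100000,
    [switch]$NoGuard
)

Add-Type -Path $JsonDll
$ver = [Newtonsoft.Json.JsonConvert].Assembly.GetName().Version
"Loaded Newtonsoft.Json $ver"

# Constructed hostile input: $Depth nested arrays. Each level adds a recursive parser
# frame, which is what exhausts the stack on unpatched versions.
$payload = ('[' * $Depth) + (']' * $Depth)

$settings = New-Object Newtonsoft.Json.JsonSerializerSettings
if (-not $NoGuard) {
    # Cap nesting so hostile input fails fast with a JsonReaderException.
    # 64 matches the default that Newtonsoft.Json 13.0.1 introduced.
    $settings.MaxDepth = 64
} else {
    # Vulnerable form: no bound on nesting. Kept only to demonstrate the crash.
    $settings.MaxDepth = $null
}

try {
    [Newtonsoft.Json.JsonConvert]::DeserializeObject($payload, $settings) | Out-Null
    "Parsed without error (unexpected for depth $Depth)"
} catch {
    # .NET exceptions surface wrapped in a MethodInvocationException; unwrap for the type.
    $inner = $_.Exception.GetBaseException()
    "Rejected by $($inner.GetType().Name): $($inner.Message)"
}
```

Run it once normally to see the depth limit reject the document, and treat any service that calls DeserializeObject on untrusted input without a MaxDepth (or without a library at or above 13.0.1) as exposed to the same denial of service.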
Several other vendors also released security updates and advisories in September 2025. Adobe released security updates for a “SessionReaper” flaw affecting Magento eCommerce stores. Argo fixed an Argo CD vulnerability that let low-privileged API tokens reach API endpoints and retrieve all repository credentials associated with a project. Cisco released patches for WebEx, Cisco ASA, and other products. Google released the September Android security updates addressing 84 vulnerabilities, including two actively exploited flaws. SAP released September security updates for multiple products, including a fix for a maximum-severity command execution bug in NetWeaver. Sitecore released security updates for a zero-day vulnerability tracked as CVE-2025-53690 that was actively exploited in attacks. TP-Link confirmed that a new zero-day exists in some of its routers and said it is assessing exploitability and preparing patches for US customers.
The comprehensive list of vulnerabilities resolved in the Microsoft September 2025 Patch Tuesday updates spans products including Azure, Azure Arc, Azure Bot Service, Azure Entra, and more. Notable entries, in the article’s Product | CVE | Title | Severity format, include: Azure – Networking | CVE-2025-54914 | Azure Networking Elevation of Privilege Vulnerability | Critical; Azure Arc | CVE-2025-55316 | Azure Arc Elevation of Privilege Vulnerability | Important; Azure Bot Service | CVE-2025-55244 | Azure Bot Service Elevation of Privilege Vulnerability | Critical; and many others across Microsoft products.