Microsoft Patch Tuesday September 2025
Microsoft has released this month’s Patch Tuesday updates, addressing 81 security flaws across its products. Among these fixes are two publicly disclosed zero-day vulnerabilities, issues already known before a patch was available, which makes them especially important for IT teams to prioritise.
This month’s release also resolves nine “Critical” vulnerabilities, five of which could allow remote code execution. The breakdown looks like this:
- 41 Elevation of Privilege vulnerabilities
- 2 Security Feature Bypass vulnerabilities
- 22 Remote Code Execution vulnerabilities
- 16 Information Disclosure vulnerabilities
- 3 Denial of Service vulnerabilities
- 1 Spoofing vulnerability
It’s worth noting that this tally only covers issues patched on Patch Tuesday itself. Other fixes earlier this month included vulnerabilities in Azure, Dynamics 365, Mariner, Microsoft Edge, and Xbox.
Two Zero-Days Patched
The most urgent updates are the two zero-days now addressed:
- Windows SMB Elevation of Privilege (CVE-2025-55234): A flaw in the SMB Server could be abused for relay attacks, giving attackers elevated privileges. While Windows already includes options such as SMB Server Signing and Extended Protection for Authentication, turning these on may cause compatibility issues for some older systems. Microsoft recommends enabling auditing on SMB servers to test for potential problems before these hardening features are fully enforced.
- Newtonsoft.Json vulnerability in SQL Server (CVE-2024-21907): This long-known bug stems from improper handling of exceptional conditions in Newtonsoft.Json before version 13.0.1. Crafted input could trigger a StackOverflow exception, leading to denial of service. The updates to SQL Server now include the patched version of Newtonsoft.Json.
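As an added example that is not part of the original post or of Microsoft's own guidance, the read-only PowerShell check below reports the SMB Server settings relevant to the relay issue above, so a team can see where signing is not yet required before enforcing it. It assumes the standard Get-SmbServerConfiguration cmdlet; the SmbServerNameHardeningLevel property is only present on newer Windows builds and is treated as optional.

```powershell
# Added example: report the SMB Server hardening state relevant to SMB relay.
# Read-only: nothing is changed. Run in an elevated PowerShell session.
$cfg = Get-SmbServerConfiguration
$findings = @()

# SMB signing: "Enable" only offers signing to clients; "Require" is what
# prevents a relayed (unsigned) session from being accepted by the server.
if (-not $cfg.EnableSecuritySignature) {
    $findings += "SMB signing is disabled (EnableSecuritySignature = False)."
}
if (-not $cfg.RequireSecuritySignature) {
    $findings += "SMB signing is not required (RequireSecuritySignature = False)."
}

# SMB encryption also binds the session; note it if it is already enforced.
if ($cfg.EncryptData -and $cfg.RejectUnencryptedAccess) {
    $findings += "Note: SMB encryption is required, which also protects sessions."
}

# SMB1 lacks modern protections; audit its use before removing it.
if ($cfg.EnableSMB1Protocol) {
    $findings += "SMB1 is enabled (AuditSmb1Access = $($cfg.AuditSmb1Access))."
}

# Server name (SPN) validation is the SMB-side counterpart of Extended
# Protection. Assumption: the property exists only on recent builds, so it
# is checked only when present.
if ($cfg.PSObject.Properties.Name -contains 'SmbServerNameHardeningLevel') {
    if ($cfg.SmbServerNameHardeningLevel -eq 0) {
        $findings += "SmbServerNameHardeningLevel is 0 (SPN validation off)."
    }
} else {
    $findings += "SmbServerNameHardeningLevel not available on this build."
}

if ($findings.Count -eq 0) {
    Write-Output "SMB Server signing is required; no relay-related gaps found."
} else {
    Write-Output "SMB Server review for $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on a test host first: a finding here is a prompt to enable auditing and check older clients, not a reason to flip RequireSecuritySignature on a production server untested.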
Other Vendor Updates in September
Microsoft isn’t the only company rolling out patches this month. Security updates were also released by:
- Adobe, fixing a flaw affecting Magento eCommerce stores.
- Argo, resolving an issue in Argo CD where low-privileged tokens could expose repository credentials.
- Cisco, patching WebEx, ASA, and other products.
- Google, with Android updates covering 84 vulnerabilities, including two under active exploitation.
- SAP, addressing issues in several products, including a critical bug in NetWeaver.
- Sitecore, releasing a fix for an actively exploited zero-day.
- TP-Link, confirming a new zero-day affecting some routers, with patches in progress.
Why This Matters
Zero-day flaws always raise the stakes, but even the less severe vulnerabilities patched this month could become useful stepping stones for attackers if left unaddressed. Organisations running Windows servers or SQL Server should move quickly to apply these updates, while also testing environments for compatibility when enabling SMB hardening.
The full list of resolved vulnerabilities in Microsoft’s September Patch Tuesday updates can be reviewed in Microsoft’s official documentation.