Microsoft’s September 2025 Patch Tuesday: 81 Security Flaws and Two Critical Zero-Days Fixed

Written by Dave W. Shanahan

September 10, 2025

Microsoft’s September 2025 Patch Tuesday: All 81 Flaws and Two Critical Zero-Days Explained

Microsoft’s September 2025 Patch Tuesday has landed, and it’s one of the most vital security events of the year for enterprise, education, and home users relying on Windows, Microsoft 365, Azure, SQL Server, and Xbox. This month’s update, expertly detailed by Lawrence Abrams at BleepingComputer, fixes 81 unique vulnerabilities and addresses two critical zero-day flaws: threats that were publicly disclosed and, until yesterday, left unpatched.

Full Breakdown of Vulnerabilities

This Patch Tuesday’s comprehensive security bundle covers threat categories impacting mainstream Windows installations, Azure, Microsoft Office apps, enterprise cloud services, and Xbox gaming environments:

  • 41 Elevation of Privilege Vulnerabilities
    Impacts authentication, access control, and system integrity. These issues can allow attackers to gain unauthorized system privileges, a common target for ransomware and advanced persistent threats.

  • 2 Security Feature Bypass Vulnerabilities
    These flaws could let attackers circumvent security settings and protections, such as authentication layers or crypto enforcement.

  • 22 Remote Code Execution Vulnerabilities
    These are the most critical flaws, as they allow attackers to run malicious code from remote locations. Five of the nine “Critical” bugs fall into this category, affecting everything from graphics kernel drivers to office suites and cloud services.

  • 16 Information Disclosure Vulnerabilities
    Risk for sensitive data leaks and privacy breaches.

  • 3 Denial of Service Vulnerabilities
    Can crash systems or services, disrupting business-critical operations.

  • 1 Spoofing Vulnerability
    Allows attackers to mimic trusted users or components, undermining integrity and trust.

Notably, BleepingComputer’s count does not include several Azure, Microsoft Edge, Mariner, Dynamics 365, or Xbox vulnerabilities that were fixed earlier in September 2025.

The Two Publicly Disclosed Zero-Days


1. Windows SMB Elevation of Privilege Vulnerability (CVE-2025-55234)

  • Link: CVE-2025-55234 Details

  • This zero-day affects Windows SMB Server. Attackers could perform relay attacks, abusing the authentication exchange to escalate their privileges, which potentially opens organizations up to major breaches.

  • Why it matters: SMB relay attacks are a favored technique for lateral movement in ransomware and data theft campaigns.

  • Windows includes settings to harden SMB servers via signing and EPA, but these enhancements can introduce compatibility issues with legacy devices.

  • Microsoft advises admins to enable auditing first to test compatibility before fully enforcing extra security. New update features allow for auditing SMB client compatibility for signing and EPA—a major step for network safety.

2. Newtonsoft.Json Vulnerability in SQL Server (CVE-2024-21907)

  • Link: CVE-2024-21907 Details

  • This zero-day exists in the popular Newtonsoft.Json library embedded in SQL Server. Improper exception handling allowed crafted data to trigger a StackOverflow exception, resulting in denial of service—a risk for remote or unauthenticated attackers.

  • The flaw, publicly disclosed in 2024, required immediate updates for SQL Server deployments leveraging the affected library.

Why This Patch Tuesday Matters

This month’s release is critical for organizations running large networks, mixed device fleets, and cloud workloads:

  • Elevation of privilege vulnerabilities are the top threat, representing half of all patched flaws. These bugs let attackers jump from normal user to admin—a classic move in cyberattacks.

  • Remote code execution vulnerabilities require attention because Internet-facing and internal services (including Hyper-V and key graphics components) are directly impacted.

  • Information disclosure and security feature bypass flaws, if left unpatched, enable stealthy attacks and quiet data leaks.

What Should IT Pros and Everyday Users Do?

  • Patch All Devices Promptly:
    September’s updates affect Windows 10, Windows 11, Server editions, Office products, Azure, SQL Server, and even Xbox gaming environments.

  • Always test patches in lab environments before organization-wide deployments—some security enhancements (especially SMB signing and EPA) may affect legacy and third-party device compatibility.

  • Enable SMB Auditing:
    Before flipping on advanced SMB security features, review log output for compatibility or performance issues.

  • Review SQL Server Libraries:
    Update to the latest Newtonsoft.Json version included with SQL Server patches to prevent exploitation.
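The audit-before-enforce workflow the article describes for SMB signing (in the CVE-2025-55234 notes above and in the "Enable SMB Auditing" step) can be driven from an elevated PowerShell session on the file server; the script below is an added example, not code from the article or from Microsoft. It assumes the Set-SmbServerConfiguration audit switches -AuditClientDoesNotSupportSigning and -AuditClientDoesNotSupportEncryption are available on the patched build, and it does not touch the EPA-specific audit setting introduced by this update.

```powershell
# Added example: snapshot relay-relevant SMB server settings, turn on audit-only
# mode, and summarise what the audit log reports before enforcing signing.
# Assumption: the two -AuditClientDoesNotSupport* switches exist on this build.

# 1. Record the current state so the change can be reviewed and rolled back.
$before = Get-SmbServerConfiguration |
    Select-Object RequireSecuritySignature, EnableSecuritySignature,
                  EncryptData, RejectUnencryptedAccess, SmbServerNameHardeningLevel
$before | Format-List

# 2. Enable auditing only; RequireSecuritySignature (enforcement) is left as-is.
Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true `
                           -AuditClientDoesNotSupportEncryption $true -Force

# 3. After a representative period of normal use, summarise the audit events
#    by event ID so incompatible clients show up before signing is required.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    Group-Object Id |
    ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            # First line of one sample message, which names the offending client.
            Sample  = (($_.Group | Select-Object -First 1).Message -split "`n")[0]
        }
    } | Format-Table -AutoSize

# 4. Only once the audit log is clean for every client you need to keep:
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```

An empty table in step 3 means no client tripped the audit in the window examined, which is the signal the article asks admins to wait for before enforcing.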

Complete List of Patched Vulnerabilities


A full rundown of every vulnerability—from Azure privilege elevation to information disclosures in Xbox Gaming Services—is available in Microsoft’s Security Update Guide and BleepingComputer’s database.

For more information

Microsoft’s September 2025 Patch Tuesday demonstrates the company’s ongoing effort to respond to rapidly evolving security threats. The update’s focus on privilege escalation, remote code execution, and critical infrastructure flaws makes it a must-install for all organizations and individuals who manage Microsoft-based environments.

Organizations large and small should patch immediately, audit for compatibility, and stay up to date with best practices as cyber threats continue to evolve.



I'm Dave W. Shanahan, a Microsoft enthusiast with a passion for Windows, Xbox, Microsoft 365 Copilot, Azure, and more. I started MSFTNewsNow.com to keep the world updated on Microsoft news. Based in Massachusetts, you can email me at davewshanahan@gmail.com.