In September, Microsoft Patched 81 Vulnerabilities in Its Products

This week, Microsoft rolled out its September security updates, addressing 81 vulnerabilities across its products. Among them were two zero-day flaws—issues disclosed publicly before patches were available.

Breakdown of Critical Fixes

Of the 81 vulnerabilities, nine were rated critical:

  • Five related to remote code execution (RCE)
  • One tied to information disclosure
  • Two involving privilege escalation

Microsoft defines zero-day vulnerabilities as those either publicly disclosed before patching or actively exploited in the wild. The two zero-days in this month’s release had been disclosed but, according to Microsoft, had not yet been weaponized by attackers.

Key Zero-Day Vulnerabilities

  • CVE-2025-55234 (CVSS 8.8): A privilege escalation flaw in Windows SMB Server, exploitable through relay attacks.
    • Microsoft explained: “SMB Server may be vulnerable to relay attacks depending on its configuration. An attacker who successfully exploited this vulnerability could conduct relay attacks and target users with privilege escalation attempts.”
    • The company recommends enabling SMB Server Signing and Extended Protection for Authentication (EPA), though it warned these may cause compatibility issues with older devices. Administrators are advised to audit SMB server configurations before making changes.
    • Microsoft has not disclosed who discovered this vulnerability or when the information first surfaced.
  • CVE-2024-21907 (CVSS 7.5): A flaw in Newtonsoft.Json, used by Microsoft SQL Server, tied to improper exception handling. Publicly disclosed in 2024, this bug allows specially crafted data passed to the JsonConvert.DeserializeObject method to trigger a StackOverflow exception, leading to denial-of-service (DoS). An unauthenticated remote attacker could exploit it, depending on how the application uses the library.
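The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator could audit an SMB server's relay exposure and then apply the two mitigations Microsoft names for CVE-2025-55234 (signing and EPA) in an audit-first order. The function names are made up for this illustration. The settings `AuditClientDoesNotSupportSigning` and `SmbServerNameHardeningLevel` are assumed to exist only on recent Windows builds; confirm they appear in your `Get-SmbServerConfiguration` output before relying on them.

```powershell
# Added example (not from the article): audit SMB Server relay exposure and apply
# the mitigations Microsoft recommends for CVE-2025-55234 (signing, then EPA).
# Requires the SmbShare module and an elevated session.
# Assumption: the AuditClientDoesNotSupportSigning and SmbServerNameHardeningLevel
# settings are only present on recent Windows builds (Windows 11 24H2 / Server 2025).

function Get-SmbRelayExposure {
    $cfg = Get-SmbServerConfiguration
    # Properties that older builds lack come back as $null rather than throwing.
    $hardening = $cfg.PSObject.Properties['SmbServerNameHardeningLevel']
    $auditSign = $cfg.PSObject.Properties['AuditClientDoesNotSupportSigning']
    [pscustomobject]@{
        SigningEnabled      = $cfg.EnableSecuritySignature
        SigningRequired     = $cfg.RequireSecuritySignature   # $false = relay-able sessions allowed
        NameHardeningLevel  = if ($hardening) { $hardening.Value } else { 'n/a on this build' }
        AuditUnsignedClient = if ($auditSign) { $auditSign.Value } else { 'n/a on this build' }
    }
}

function Enable-SmbRelayAudit {
    # Phase 1: audit only. Records clients that cannot sign in the SMB Server audit
    # event log, so legacy devices can be found before enforcement breaks them.
    Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true -Force
}

function Enable-SmbRelayHardening {
    # Phase 2: enforce. Requiring signing defeats relay because the relayed session
    # cannot be signed without the victim's session key.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    # SPN target-name validation (Microsoft's EPA for SMB): 0 = off, 1 = accept if
    # provided, 2 = required. Start at 1 to avoid breaking clients that omit the SPN.
    Set-SmbServerConfiguration -SmbServerNameHardeningLevel 1 -Force
}

# Typical sequence: inspect, audit for a while, then enforce.
Get-SmbRelayExposure
# Enable-SmbRelayAudit
# Enable-SmbRelayHardening
```

Run `Get-SmbRelayExposure` first; a server reporting `SigningRequired = False` accepts unsigned sessions and is the configuration Microsoft's advisory describes as relay-exposed. Leave the audit setting on long enough to catch infrequent clients (backup agents, printers, appliances) before calling the hardening function.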
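As an added example that is not part of the article, the script below shows the defensive setting behind the Newtonsoft.Json fix: bounding deserialization depth with `MaxDepth` so a deeply nested payload is rejected with a catchable `JsonReaderException` instead of exhausting the stack. It assumes PowerShell 7, which loads Newtonsoft.Json into the runtime; on Windows PowerShell 5.1 the assembly would have to be loaded with `Add-Type -Path`. The function name and the sample documents are constructed for this illustration.

```powershell
# Added example (not from the article): cap JSON nesting depth in Newtonsoft.Json so
# a nesting bomb becomes a handled parse error rather than a StackOverflow crash
# (the CVE-2024-21907 failure mode). Assumes PowerShell 7 with Newtonsoft.Json loaded.

function Test-BoundedJsonParse {
    param(
        [Parameter(Mandatory)][string]$Json,
        # Newtonsoft.Json 13.0.1 and later default MaxDepth to 64; earlier versions
        # are unbounded unless the caller sets it explicitly, as done here.
        [int]$MaxDepth = 64
    )
    $settings = [Newtonsoft.Json.JsonSerializerSettings]::new()
    $settings.MaxDepth = $MaxDepth
    try {
        $null = [Newtonsoft.Json.JsonConvert]::DeserializeObject($Json, $settings)
        return 'parsed'
    } catch [Newtonsoft.Json.JsonReaderException] {
        # PowerShell wraps .NET exceptions; prefer the inner message when present.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return "rejected: $($ex.Message)"
    }
}

# Constructed inputs: a benign document and a payload nested 10,000 levels deep.
$benign = '{"user":"alice","roles":["reader"]}'
$bomb   = ('[' * 10000) + (']' * 10000)

Test-BoundedJsonParse -Json $benign
Test-BoundedJsonParse -Json $bomb
```

The reader checks depth as it consumes tokens, so the bomb is rejected after 65 opening brackets and never reaches the recursion that would overflow the stack. Updating Newtonsoft.Json to a patched version gives the same protection by default; setting `MaxDepth` explicitly documents the limit and protects code that pins an older version.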

Other High-Severity Fixes

One of the most serious issues addressed was CVE-2025-54914 (CVSS 10.0), a critical bug in Azure network services that could enable privilege escalation. Microsoft clarified that customers do not need to take action, as the fix was applied within its cloud infrastructure.

Two additional vulnerabilities stood out:

  • CVE-2025-55232 (CVSS 9.8): Remote code execution in the Microsoft High Performance Compute (HPC) Pack. Microsoft advised: “Customers should ensure HPC Pack clusters operate in a trusted network protected by firewall rules, especially for TCP port 5999.”
  • CVE-2025-54918 (CVSS 8.8): A privilege escalation issue in Windows NTLM that could allow attackers to obtain SYSTEM-level privileges.
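The script below is an added example, not code from the article or from Microsoft, showing how to act on the firewall guidance quoted for CVE-2025-55232: list inbound rules that expose TCP port 5999 to any remote address, then scope access to trusted subnets. The function names and the `10.10.0.0/16` subnet are constructed for this illustration; it assumes the NetSecurity module and an elevated session.

```powershell
# Added example (not from the article): review and restrict inbound exposure of
# TCP 5999, the port Microsoft names in its HPC Pack (CVE-2025-55232) guidance.
# Assumes the NetSecurity module, an elevated session, and that 10.10.0.0/16 is a
# constructed stand-in for the trusted cluster network.

function Get-OpenRulesForPort {
    param([int]$Port = 5999)
    # Enabled inbound Allow rules whose port filter covers $Port and whose remote
    # address filter is unrestricted. Note: a port range such as "5000-6000" is not
    # matched by the string comparison below and must be reviewed by hand.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
            ($pf.LocalPort -contains "$Port" -or $pf.LocalPort -contains 'Any') -and
            ($af.RemoteAddress -contains 'Any')
        } |
        Select-Object DisplayName, Profile, Enabled
}

function Limit-HpcPackPortExposure {
    param(
        [string[]]$TrustedSubnets = @('10.10.0.0/16'),   # constructed value
        [int]$Port = 5999
    )
    # Allow only the trusted subnets ...
    New-NetFirewallRule -DisplayName "HPC Pack TCP $Port (trusted subnets only)" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
        -RemoteAddress $TrustedSubnets
    # ... and block everything else on that port. Windows Firewall evaluates Block
    # rules ahead of Allow rules, so a leftover broad Allow no longer matters.
    New-NetFirewallRule -DisplayName "HPC Pack TCP $Port (block untrusted)" `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $Port
}

# Review first; apply the restriction once the trusted subnets are confirmed.
Get-OpenRulesForPort -Port 5999
# Limit-HpcPackPortExposure -TrustedSubnets @('10.10.0.0/16')
```

Any rule returned by `Get-OpenRulesForPort` is one that contradicts Microsoft's advice that the cluster sit behind firewall rules; after applying the restriction, re-run the query and also confirm with `Get-NetFirewallRule -DisplayName 'HPC Pack TCP 5999*'` that both new rules are enabled in the profiles the cluster nodes actually use.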