Microsoft has rolled out its September 2025 Patch Tuesday updates, delivering fixes for 81 security vulnerabilities across its product ecosystem. The release includes two publicly disclosed zero-day flaws and nine critical-rated issues, underscoring the urgency for administrators to apply updates promptly.
The breakdown of vulnerabilities highlights the scope of the fixes: 41 elevation of privilege bugs, 22 remote code execution flaws, 16 information disclosure issues, 3 denial of service vulnerabilities, 2 security feature bypasses, and 1 spoofing bug. Notably, these counts only reflect fixes released as part of Patch Tuesday itself and do not include earlier patches for Azure, Edge, Xbox, Dynamics 365, or Mariner.
The most significant updates center on two zero-days. The first, CVE-2025-55234, is an elevation of privilege vulnerability in the Windows SMB Server. It can be exploited through relay attacks, enabling adversaries to escalate privileges. Microsoft has recommended enabling SMB Server Signing and Extended Protection for Authentication (EPA) to mitigate risks, though the company cautions these settings could create compatibility issues with older systems. As part of this month’s updates, new auditing features have been introduced to help admins assess potential impacts before enforcement.
The second zero-day, CVE-2024-21907, involves improper handling of exceptional conditions in the Newtonsoft.Json library, which is bundled with Microsoft SQL Server. The flaw could allow attackers to cause denial-of-service conditions via specially crafted data. While it was publicly disclosed in 2024, Microsoft has now incorporated the fix into SQL Server through updated Newtonsoft.Json libraries.
Alongside Microsoft’s updates, several other major vendors released September security advisories. Adobe issued an emergency fix for the critical SessionReaper flaw in Magento, SAP patched a maximum-severity bug in NetWeaver, Google addressed 84 Android vulnerabilities (including two under active attack), and Cisco, Argo, Sitecore, and TP-Link also disclosed significant issues. This clustering of high-profile fixes highlights a busy month for defenders.
Administrators are urged to prioritize testing and deployment of Microsoft’s September patches, particularly for systems running SMB services or SQL Server. Hardening SMB configurations, enabling auditing, and ensuring updated libraries are in place will help reduce exposure to exploitation attempts.
With 81 vulnerabilities addressed — including two zero-days and multiple critical flaws — this month’s Patch Tuesday represents a high-priority update cycle. Organizations should act quickly to secure Windows environments, while also monitoring advisories from other vendors to avoid leaving gaps in multi-vendor ecosystems.
