Microsoft Patch Tuesday, September 2025 Security Update Review

Diksha Ojha, Technical Content Developer, Qualys

September 9, 2025- 7 min read

Table of Contents

• Microsoft Patch Tuesday for September 2025
• Zero-day Vulnerabilities Patched in August Patch Tuesday Edition
• Critical Severity Vulnerabilities Patched in September Patch Tuesday Edition
• Other Microsoft Vulnerability Highlights
• Microsoft Release Summary
• EVALUATE Vendor-Suggested Mitigation withPolicy Audit
• Qualys Monthly Webinar Series

It's the second Tuesday of September, and Microsoft has rolled out its latest security updates. Microsoft's September 2025 Patch Tuesday has arrived, bringing a fresh wave of security fixes to help organizations stay ahead of evolving threats. Here's a quick breakdown of what you need to know.

Microsoft Patch Tuesday for September 2025

In this month's Patch Tuesday, the September 2025 edition, Microsoft addressed 86 vulnerabilities. The updates include nine critical and 72 important severity vulnerabilities.

In this month's updates, Microsoft has addressed two zero-day vulnerabilities that are being publicly disclosed.

Microsoft has addressed four vulnerabilities in Microsoft Edge (Chromium-based) in this month's updates.

Microsoft Patch Tuesday, September edition, includes updates for vulnerabilities in Windows Hyper-V, SQL Server, Windows Kernel, Windows NTLM, Windows PowerShell, Windows TCP/IP, Windows NTFS, and more.

Microsoft has fixed several flaws in multiple software, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).

The September 2025 Microsoft vulnerabilities are classified as follows:

Vulnerability Category	Quantity	Severities
Spoofing Vulnerability	1	Important: 1
Security Feature Bypass	2	Important: 2
Denial of Service Vulnerability	3	Important: 3
Elevation of Privilege Vulnerability	38	Critical: 2 Important: 32
Information Disclosure Vulnerability	14	Critical: 2 Important: 12
Remote Code Execution Vulnerability	22	Critical: 5 Important: 17

Zero-day Vulnerabilities Patched in August Patch Tuesday Edition

CVE-2025-55234: Windows SMB Elevation of Privilege Vulnerability

An improper authentication flaw in the Windows SMB may allow an authenticated attacker to elevate network privileges. Upon successful exploitation of the vulnerability, an attacker could gain administrator privileges.

VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json

Microsoft has fixed a previously known vulnerability in Newtonsoft.Json, which is included as part of Microsoft SQL Server.

Microsoft mentioned in the advisory, "CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1. Crafted data passed to JsonConvert.The DeserializeObject method may trigger a Stack Overflow exception, resulting in denial of service. Depending on the usage of the library, an unauthenticated remote attacker may cause a denial of service condition."

Critical Severity Vulnerabilities Patched in September Patch Tuesday Edition

CVE-2025-54918: Windows NTLM Elevation of Privilege Vulnerability

An improper authentication flaw in Windows NTLM may allow an authenticated attacker to elevate privileges over a network. Upon successful exploitation, an attacker could gain SYSTEM privileges.

CVE-2025-55226: Graphics Kernel Remote Code Execution Vulnerability

Successful exploitation of the vulnerability may allow an authenticated attacker to achieve remote code execution.

CVE-2025-55228: Windows Graphics Component Remote Code Execution Vulnerability

An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an authenticated attacker to achieve remote code execution.

CVE-2025-55236: DirectX Graphics Kernel Remote Code Execution Vulnerability

Successful exploitation of the vulnerability may allow an authenticated attacker to achieve remote code execution.

CVE-2025-53799: Windows Imaging Component Information Disclosure Vulnerability

Use of an uninitialized resource in the Windows Imaging Component may allow an unauthenticated attacker to disclose information locally. Upon successful exploitation, an attacker could read small portions of heap memory.

CVE-2025-53800: Windows Graphics Component Elevation of Privilege Vulnerability

Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges.

CVE-2025-54910: Microsoft Office Remote Code Execution Vulnerability

A heap-based buffer overflow flaw in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-55224: Windows Hyper-V Remote Code Execution Vulnerability

Successful exploitation of the vulnerability may allow an authenticated attacker to achieve remote code execution.

CVE-2025-54914: Azure Networking Elevation of Privilege Vulnerability

Upon successful exploitation, an attacker could elevate privileges.

Other Microsoft Vulnerability Highlights

• CVE-2025-54110 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges.
• CVE-2025-54916 is a remote code execution vulnerability in Windows NTFS. A stack-based buffer overflow flaw in Windows NTFS may allow an authenticated attacker to execute code over a network.
• CVE-2025-53803 is an information disclosure vulnerability in Windows Kernel Memory. Successful exploitation of the vulnerability may allow an authenticated attacker to disclose information locally.
• CVE-2025-53804 is an information disclosure vulnerability in the Windows Kernel-Mode Driver. Successful exploitation of the vulnerability may allow an authenticated attacker to disclose information locally.
• CVE-2025-54093 is an elevation of privilege vulnerability in the Windows TCP/IP Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges.
• CVE-2025-54098 is an elevation of privilege vulnerability in Windows Hyper-V. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges.

Microsoft Release Summary

This month's release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Azure Windows Virtual Machine Agent, Microsoft Edge (Chromium-based), Windows Routing and Remote Access Service (RRAS), Windows Imaging Component, Microsoft Graphics Component, Windows DWM, Windows Bluetooth Service, Windows Internet Information Services, Windows Defender Firewall Service, Windows Local Security Authority Subsystem Service (LSASS), Windows Ancillary Function Driver for WinSock, Windows SMBv3 Client, Windows Connected Devices Platform Service, Windows Management Services, Microsoft Brokering File System, Windows MapUrlToZone, Capability Access Management Service (camsvc), Windows UI XAML Phone DatePickerFlyout, Microsoft Virtual Hard Drive, Windows MultiPoint Services, Windows SPNEGO Extended Negotiation, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Office, Microsoft Office Visio, Microsoft Office PowerPoint, Windows BitLocker, Windows UI XAML Maps MapControlSettings, Windows Win32K - GRFX, Graphics Kernel, Microsoft High Performance Compute Pack (HPC), Windows SMB, Xbox, Azure Arc, and Microsoft AutoUpdate (MAU).

EVALUATE Vendor-Suggested Mitigation with Policy Audit

With Qualys Policy Audit's Out-of-the-Box Mitigation or Compensatory Controls, reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now; these security controls are not recommended by any industry standards, such as CIS, DISA-STIG.

Qualys Policy Audit team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Audit Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:

CVE-2025-55232: Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability

This vulnerability has a CVSS: 3.1 9.8 / 8.5

Policy Compliance Control IDs (CIDs):

• 18707 List of 'Inbound Rules' configured in Windows Firewall via Firewall Application
• 18731 List of 'Outbound Rules' configured in Windows Firewall via Firewall Application

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [18707, 18731]

The next Patch Tuesday falls on October 14, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to 'This Month in Vulnerabilities and Patch's webinar.'

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month's high-impact vulnerabilities, including those that are a part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

Join the webinar

This Month in Vulnerabilities & Patches

Diksha Ojha, Technical Content Developer, Qualys

Microsoft, Patch Tuesday

Name

Email