
Microsoft September 2025 Patch Tuesday Fixes 81 Flaws, Two Publicly Disclosed Zero-Days

Microsoft’s September 2025 Patch Tuesday delivers fixes for 81 vulnerabilities, including two publicly disclosed zero-days. Nine flaws are classified as critical, with five involving remote code execution, one tied to information disclosure, and two to elevation of privilege.


Breakdown of Vulnerabilities

  • 41 Elevation of Privilege vulnerabilities
  • 22 Remote Code Execution vulnerabilities
  • 16 Information Disclosure vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 3 Denial of Service vulnerabilities
  • 1 Spoofing vulnerability

These totals do not include the three Azure flaws, one Dynamics 365 FastTrack Implementation Assets flaw, two Mariner bugs, five Microsoft Edge issues, and one Xbox vulnerability fixed earlier in the month. The Windows cumulative updates carrying this month's fixes are KB5065426 and KB5065431 for Windows 11 and KB5065429 for Windows 10.


Zero-Day Vulnerabilities

CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability

This is a relay weakness in the SMB server: an attacker positioned to intercept or coerce an SMB authentication can relay it to a server that does not require signing and act with the relayed account's privileges. Microsoft recommends requiring SMB Server Signing and enabling Extended Protection for Authentication (EPA) to close the relay path, while noting that both can break older clients that cannot sign or do not support EPA. The September update adds auditing that records which connecting clients lack signing or EPA support, so administrators can find the clients that would break before switching to enforcement.
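Before enforcing signing, an administrator needs to know which servers still accept unsigned sessions and which clients would break. The PowerShell below is an added example, not code from the original article or from Microsoft. It assumes an elevated session with the SmbShare module and WinRM access to the listed servers, a constructed server inventory, and that Get-SmbSession exposes a Signed property on the servers' OS build (older builds omit it). It reports the signing configuration and any currently unsigned sessions per server, then enforces signing only on servers that reported no unsigned sessions.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell session,
# the SmbShare module, and WinRM access to the servers. Server names are a constructed sample.
$servers = @('FS01', 'FS02')

$report = Invoke-Command -ComputerName $servers -ScriptBlock {
    $cfg = Get-SmbServerConfiguration
    # Sessions negotiated without signing are the ones a relay can abuse, and the ones
    # that will fail once RequireSecuritySignature is turned on.
    # The 'Signed' property is assumed to exist on this OS build.
    $unsigned = @(Get-SmbSession | Where-Object { -not $_.Signed })
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SigningEnabled   = $cfg.EnableSecuritySignature
        SigningRequired  = $cfg.RequireSecuritySignature   # $true is the relay-resistant state
        Smb1Enabled      = $cfg.EnableSMB1Protocol         # SMB1 cannot be hardened this way; should be $false
        UnsignedSessions = $unsigned.Count
        UnsignedClients  = ($unsigned.ClientComputerName | Sort-Object -Unique) -join ','
    }
}

$report | Format-Table Computer, SigningEnabled, SigningRequired, Smb1Enabled, UnsignedSessions, UnsignedClients -AutoSize

# Enforcement step: only servers with no unsigned sessions and signing not yet required.
# Equivalent to the policy "Microsoft network server: Digitally sign communications (always)",
# i.e. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature = 1.
$ready = @($report | Where-Object { $_.UnsignedSessions -eq 0 -and -not $_.SigningRequired })
if ($ready.Count -gt 0) {
    Invoke-Command -ComputerName $ready.Computer -ScriptBlock {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
    }
} else {
    Write-Output 'No server is ready for enforcement; review UnsignedClients first.'
}
```

A single snapshot of Get-SmbSession only shows clients connected at that moment, so run the report repeatedly over a business cycle, or rely on the audit events the September update adds, before treating a server as ready. EPA is not configured by this script; follow Microsoft's advisory for the EPA setting on your OS version.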

CVE-2024-21907 | Newtonsoft.Json Denial of Service Vulnerability in SQL Server

This flaw arises from improper handling of exceptional conditions in Newtonsoft.Json before version 13.0.1. Passing crafted, deeply nested data to JsonConvert.DeserializeObject exhausts the stack and raises a StackOverflowException, which cannot be caught in .NET and terminates the hosting process, causing denial of service. Version 13.0.1 mitigates this by applying a default MaxDepth of 64 to the reader. The September SQL Server updates ship the patched Newtonsoft.Json library, although the vulnerability itself was first disclosed in 2024.
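Because SQL Server bundles its own copy of the library, the fix is confirmed by checking the DLLs on disk rather than a NuGet reference. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes SQL Server components are installed under the standard Program Files roots (adjust the paths otherwise) and that the DLL carries a file version, as official builds do. It goes slightly beyond the SQL Server case: the same version comparison works for any product that ships Newtonsoft.Json.dll.

```powershell
# Added example, not from the original article. Assumes SQL Server is installed under the
# standard Program Files roots; extend $roots for custom install locations or other products.
$fixedVersion = [version]'13.0.1'
$roots = @(
    "$env:ProgramFiles\Microsoft SQL Server",
    "${env:ProgramFiles(x86)}\Microsoft SQL Server"
) | Where-Object { $_ -and (Test-Path $_) }

if (-not $roots) {
    Write-Output 'No SQL Server install root found; set $roots to the install path.'
    return
}

# Locate every Newtonsoft.Json.dll the SQL Server components could load.
$found = @(Get-ChildItem -Path $roots -Recurse -Filter 'Newtonsoft.Json.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileVersion can carry a trailing qualifier (for example "13.0.1.25517"); keep the numeric prefix.
        $raw = $_.VersionInfo.FileVersion
        $ver = if ($raw -match '^\d+(\.\d+){1,3}') { [version]$Matches[0] } else { $null }
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $ver
            # An unreadable version is treated as unpatched so it is not silently skipped.
            Vulnerable = ($null -eq $ver) -or ($ver -lt $fixedVersion)
        }
    })

if ($found.Count -eq 0) {
    Write-Output "No Newtonsoft.Json.dll found under: $($roots -join '; ')"
} else {
    $found | Sort-Object Vulnerable -Descending | Format-Table Vulnerable, Version, Path -AutoSize
    $bad = @($found | Where-Object Vulnerable)
    Write-Output ('{0} of {1} copies are below {2} and still expose CVE-2024-21907' -f $bad.Count, $found.Count, $fixedVersion)
}
```

A copy reported as vulnerable after the SQL Server update has been applied usually belongs to a component the update does not service (for example a separately installed tool), so check which process loads it before assuming the update failed.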


Other Critical Vulnerabilities

Microsoft also patched multiple remote code execution flaws across Windows components and Microsoft Office, as well as high-severity information disclosure and privilege escalation vulnerabilities. These issues remain attractive targets for attackers and should be prioritized in patching schedules.


Adobe and Other Vendor Updates

Other vendors issuing security updates in September 2025 include:

  • Adobe: Patched a Magento flaw called “SessionReaper” impacting eCommerce sites
  • Argo: Fixed an Argo CD bug allowing low-privileged tokens to access repository credentials
  • Cisco: Released updates for Webex, Cisco ASA, and related products
  • Google: Issued September Android updates addressing 84 flaws, including two zero-days under active exploitation
  • SAP: Released updates across multiple products, including a maximum-severity command execution flaw in NetWeaver
  • Sitecore: Addressed an actively exploited zero-day tracked as CVE-2025-53690
  • TP-Link: Confirmed a zero-day in certain router models, with patches in development for US customers

Recommendations for Users and Administrators

Organizations should prioritize patching SMB servers and SQL Server instances, since both zero-days are publicly disclosed. Administrators should test and then require SMB Server Signing and enable EPA where clients support them, using the new auditing to identify incompatible clients before enforcing. SQL Server deployments should be updated to builds that ship Newtonsoft.Json 13.0.1 or later.

Security teams should also review the advisories from the other vendors listed above, giving priority to the Android and Sitecore fixes, which address actively exploited flaws, and to the pending TP-Link patches.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.