Microsoft Fixed 2 Zero-Days With September 2025 Patch Tuesday

Microsoft has released its Patch Tuesday updates for September 2025, addressing 81 security vulnerabilities across its product line. Among them are two publicly disclosed zero-day vulnerabilities, one of which has been known since January 2024.

September Patch Tuesday: Addressing Zero-Day Vulnerabilities

The highlight of this month's release is the resolution of two publicly disclosed zero-day vulnerabilities. It is not unusual for Microsoft to close zero-days on Patch Tuesday, but what sets this update apart is that one of them was first disclosed in January 2024 and is only now being fixed in a Microsoft product. The details of the two zero-days:

  • CVE-2024-21907: First disclosed in January 2024, this is a stack exhaustion flaw in the Newtonsoft.Json library: passing deeply nested JSON to JsonConvert.DeserializeObject drives the recursive parser until the stack is exhausted, crashing the process (denial of service). The library fixed it in version 13.0.1 by enforcing a default maximum nesting depth; Microsoft now acknowledges the public disclosure and ships the fixed library in the latest SQL Server updates, which is why the CVE appears in this month's release.
  • CVE-2025-55234 (important severity; CVSS 8.8): Depending on configuration, Windows SMB Server is susceptible to NTLM relay attacks, and an attacker who relays a victim's authentication to the server can elevate privileges. Microsoft confirms the flaw was publicly disclosed but has seen no exploitation in the wild. The recommended hardening is to require SMB signing and enable Extended Protection for Authentication (EPA) on the server; because both can break older clients, this update adds auditing so administrators can identify incompatible clients and devices before enforcing either setting.
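The assessment Microsoft recommends for CVE-2025-55234 can be scripted. The following PowerShell is an added example, not Microsoft's own guidance or tooling: it reads the SMB Server signing configuration, lists active sessions that were established without signing (the clients a relay attacker could impersonate, and the ones that would break once signing is required), and provides a function to enforce signing once those clients are fixed. It uses only the built-in SmbShare module and assumes, as on current Windows Server releases, that session objects expose the Signed and Encrypted properties; run it in an elevated session on the file server.

```powershell
# Added example (not Microsoft's code): assess SMB Server signing posture before enforcing it.
# Requires an elevated PowerShell session on the SMB server; uses the built-in SmbShare module.

function Get-SmbSigningPosture {
    # Snapshot of the server-side settings relevant to relay resistance.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SigningEnabled  = $cfg.EnableSecuritySignature   # server offers signing
        SigningRequired = $cfg.RequireSecuritySignature  # server refuses unsigned sessions
        EncryptData     = $cfg.EncryptData               # SMB3 encryption (implies integrity)
        Smb1Enabled     = $cfg.EnableSMB1Protocol        # SMB1 cannot be hardened; should be off
    }
}

function Get-UnsignedSmbSessions {
    # Sessions negotiated without signing are the ones a relayed NTLM handshake could ride on.
    # Assumption: Get-SmbSession exposes Signed/Encrypted (true on current Windows Server).
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Signed } |
        Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted
}

function Enable-SmbSigningRequired {
    # Equivalent to the policy "Microsoft network server: Digitally sign communications (always)",
    # i.e. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature = 1.
    # Only call this after the unsigned-session list above is empty or every client on it is fixed.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

$posture = Get-SmbSigningPosture
$posture | Format-List

if ($posture.Smb1Enabled) {
    Write-Warning "SMB1 is enabled; disable it (Set-SmbServerConfiguration -EnableSMB1Protocol `$false) before anything else."
}

if (-not $posture.SigningRequired) {
    $unsigned = @(Get-UnsignedSmbSessions)
    if ($unsigned.Count -gt 0) {
        Write-Warning "Signing is not required and $($unsigned.Count) active session(s) are unsigned. Fix these clients first:"
        $unsigned | Format-Table -AutoSize
    }
    else {
        Write-Host "No unsigned sessions observed in this snapshot. Re-check over a full business cycle, then run Enable-SmbSigningRequired."
    }
}
else {
    Write-Host "SMB signing is already required on this server."
}
```

A single snapshot of Get-SmbSession only shows clients connected at that moment, so repeat the check over several days (or use the auditing this update adds) before enforcing; once signing is required, any client still on the list will lose access to the server's shares.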

Critical and Important Severity Vulnerabilities Addressed

Beyond the zero-day fixes, this release patches eight critical vulnerabilities across six products and 71 rated important. The classes covered are denial of service, privilege escalation, information disclosure, remote code execution, spoofing, and security feature bypass. Notable entries include:

  • CVE-2025-54918 (critical severity; CVSS 8.8): A privilege escalation flaw caused by improper authentication in Windows NTLM. An attacker who already holds valid network credentials could exploit it over the network to gain SYSTEM privileges.
  • CVE-2025-54910 (critical severity; CVSS 8.4): A heap-based buffer overflow in Microsoft Office. An attacker who gets a crafted document in front of a user can execute arbitrary code on that user's machine, and because the Preview Pane is an attack vector, merely previewing the file in Outlook or Explorer is enough; the user does not need to open it.
  • CVE-2025-55232 (important severity; CVSS 9.8): A remote code execution flaw in Microsoft High Performance Compute (HPC) Pack caused by deserialization of untrusted data. Microsoft advises restricting network access to HPC Pack cluster management ports to trusted hosts in addition to patching.
  • CVE-2025-53799 (critical severity; CVSS 5.5): An information disclosure vulnerability in the Windows Imaging Component, triggered by a maliciously crafted image file; a successful attack can expose memory contents. Microsoft confirms the Preview Pane is not an attack vector here, so a user would have to open the file.

These updates are delivered through Windows Update to systems configured to receive them. Automatic distribution does not guarantee timely installation, so users and administrators should check for updates manually and confirm that the September cumulative update has actually been applied rather than assume it.

We welcome your feedback in the comments section.