208
Microsoft has launched the scheduled Patch Tuesday updates for September 2025, addressing 81 safety vulnerabilities throughout completely different merchandise. These embrace two zero-day vulnerabilities as nicely, one among which was publicly disclosed in 2024.
Zero-Day Vulnerabilities Addressed With September Patch Tuesday From Microsoft
Essentially the most noteworthy safety fixes launched this month handle two zero-days. Whereas patching zero-day flaws with Patch Tuesday isn’t new for Microsoft, an attention-grabbing side on this month’s replace bundle is fixing a year-old vulnerability. Under, we describe the 2 zero-day vulnerabilities intimately.
- CVE-2024-21907: This vulnerability first surfaced on-line in January 2024, recognized as a stack overflow vulnerability in Newtonsoft.Json that existed as a consequence of mishandling of outstanding circumstances. An attacker might exploit this vulnerability to set off denial of service on the goal system when crafted information is handed to the
JsonConvert.DeserializeObjecttechnique. In its advisory, Microsoft confirmed the publicly disclosed standing of this vulnerability, releasing the repair with the most recent SQL Server model. - CVE-2025-55234 (essential severity; CVSS 8.8): A privilege escalation vulnerability in SMB Server that an attacker might exploit to carry out relay assaults. Microsoft confirmed public disclosure of the vulnerability, however no lively exploitation makes an attempt have been detected. In accordance with the tech large, Home windows already protects towards relay assaults; nonetheless, deploying these measures would possibly set off incompatibility points with older units. Therefore, it suggested admins to audit techniques for potential incompatibility points earlier than deploying SMB Server hardening measures.
8 Essential And 71 Necessary Severity Vulnerabilities Additionally Addressed
Moreover the 2 zero-day flaws, Microsoft additionally patched eight essential vulnerabilities throughout six completely different merchandise and 71 essential severity flaws. These embrace 3 denial of service vulnerabilities, 37 privilege escalation flaws, 14 data disclosure points, 22 distant code execution vulnerabilities, 1 spoofing vulnerability, and a pair of safety function bypass. Among the most extreme vulnerabilities embrace the next:
- CVE-2025-54918 (essential severity; CVSS 8.8): A privilege escalation vulnerability in Home windows NTLM that existed as a consequence of improper authentication. A certified adversary might set off the flaw to realize SYSTEM privileges on the goal community.
- CVE-2025-54910 (essential severity; CVSS 8.4): A heap-based buffer overflow vulnerability in Microsoft Workplace might enable an unauthorized distant attacker to execute arbitrary code regionally on a goal system. In accordance with the agency, the Preview Pane is an assault vector for this flaw. Microsoft credited the researchers Li Shuang, willJ and Guang Gong for reporting this vulnerability.
- CVE-2025-55232 (essential severity; CVSS 9.8): A distant code execution vulnerability existed within the Microsoft Excessive Efficiency Compute Pack (HPC) as a consequence of deserialization of untrusted information. Exploiting the flaw might execute arbitrary codes on the goal community with out person interplay. Microsoft suggested customers to guard HPC Pack clusters behind a safe community, particularly with firewall guidelines for the TCP port 5999.
- CVE-2025-53799 (essential severity; CVSS 5.5): An data disclosure vulnerability in Home windows Imaging Element existed as a consequence of using uninitialized useful resource. An unauthorized attacker might set off the flaw by tricking the sufferer person into opening a maliciously crafted file. Consequently, it permits the attacker to “learn small parts of heap reminiscence”. Microsoft confirmed that the Preview Pane isn’t an assault vector for this vulnerability.
Microsoft ensures that these updates routinely attain all eligible techniques. Nevertheless, customers ought to nonetheless evaluation their techniques for updates manually in order to make sure receiving all safety fixes in time and keep away from potential threats.
Tell us your ideas within the feedback.
