Microsoft September Security Patch: 8 Critical Bugs, 2 Publicly Disclosed Zero-Days

Microsoft's September 2025 Patch Tuesday rollout addresses more than 80 vulnerabilities across its product suite, including eight rated critical and two zero-day issues that were publicly disclosed ahead of the update.

While none of the critical flaws have been confirmed as exploited in the wild, public proof-of-concept code exists for several, raising the urgency for enterprise IT teams to prioritize remediation efforts.

One of the two zero-day vulnerabilities, tracked as CVE-2025-55234, is an elevation-of-privilege flaw in the SMB protocol. If unpatched, it could enable attackers to perform relay-style exploits over SMB, effectively impersonating users under certain network conditions. Although Microsoft hasn't confirmed in-the-wild exploitation, public details of the flaw were released ahead of the patch, increasing the likelihood of future attacks.

The other disclosed issue, CVE-2024-21907, is a vulnerability in the Newtonsoft.Json library, which Microsoft uses in SQL Server. It was publicly disclosed over a year ago but is only now being patched. While details have been known for a while, it's still important to patch as soon as possible, as the damage can be severe if exploited, according to Alex Vowk, CEO of security firm Action1.

"This vulnerability highlights a critical but often overlooked aspect of application security: how deeply nested data structures are handled during parsing," said Vowk. "It is especially concerning because Newtonsoft.Json is widely adopted, practically the standard JSON library in the .NET ecosystem, and used in countless applications and services. Exploitation is relatively simple, requiring only a maliciously crafted JSON payload with the right nesting. Successful attacks can cause complete service disruption, as StackOverflow exceptions crash the process and require a restart."
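The defensive counterpart to the nesting problem Vowk describes is to cap the depth the parser will accept before it starts reading untrusted input. The snippet below is an added example, not code from the article, Action1 or the Newtonsoft.Json project; it assumes the Newtonsoft.Json NuGet package is referenced, and the class name, method name and the limit of 32 are illustrative choices.

```csharp
// Added example: bounding JSON nesting depth with Newtonsoft.Json so that an
// over-nested payload is rejected with an exception instead of exhausting the
// stack. Assumes the Newtonsoft.Json package (13.x) is referenced.
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class DepthBoundedJson   // hypothetical helper name
{
    // Parse untrusted JSON with an explicit nesting limit. Returns null and
    // reports the reason rather than letting the reader recurse without bound.
    public static JToken ParseBounded(string json, int maxDepth, out string error)
    {
        error = null;
        // MaxDepth is enforced by the reader on every nested object/array.
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            return JsonConvert.DeserializeObject<JToken>(json, settings);
        }
        catch (JsonReaderException ex)
        {
            // Message reads like: "The reader's MaxDepth of 32 has been exceeded..."
            error = ex.Message;
            return null;
        }
    }

    public static void Main()
    {
        // Constructed test inputs: an ordinary document and one nested far
        // deeper than any legitimate message this service would expect.
        string ordinary = "{\"user\":{\"id\":42,\"roles\":[\"reader\"]}}";
        string tooDeep = new string('[', 500) + new string(']', 500);

        foreach (var input in new[] { ordinary, tooDeep })
        {
            JToken result = ParseBounded(input, maxDepth: 32, out string why);
            Console.WriteLine(result != null
                ? "accepted: " + result.ToString(Formatting.None)
                : "rejected: " + why);
        }
    }
}
```

The limit should reflect the deepest structure the application legitimately exchanges; setting it explicitly also documents that decision rather than relying on whatever default the installed library version applies.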

September Critical Items
This month's patch batch includes eight critical flaw fixes, primarily tied to remote code execution and elevation-of-privilege risks. These vulnerabilities span both user-level and infrastructure components, including NTLM, Hyper-V, SMB, and SharePoint. Here are this month's critical items:

  • CVE-2025-54918: Windows NTLM Elevation of Privilege Vulnerability. A flaw in NTLM that could allow attackers to elevate privileges to SYSTEM level. Exploitation is considered more likely.
  • CVE-2025-55226: Microsoft Azure Kubernetes Service Confidential Containers Elevation of Privilege Vulnerability. A vulnerability that could allow attackers to escalate privileges within AKS confidential container workloads.
  • CVE-2025-55228: Windows Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. Exploitable via specially crafted network packets. Allows RCE on systems where ICS is enabled.
  • CVE-2025-55236: Windows Graphics Component Remote Code Execution Vulnerability. Triggered when a user opens a malicious file or visits a compromised site. Enables code execution in the context of the user.
  • CVE-2025-53799: Windows Hyper-V Remote Code Execution Vulnerability. Affects guest-to-host isolation; could allow a VM to execute code on the host system.
  • CVE-2025-53800: Windows Hyper-V Remote Code Execution Vulnerability. Another critical flaw in Hyper-V with similar guest-to-host execution risks.
  • CVE-2025-54910: Microsoft Office Remote Code Execution Vulnerability. Malicious Office documents could trigger code execution when opened or previewed.
  • CVE-2025-55224: Windows Hyper-V Remote Code Execution Vulnerability. A third critical vulnerability in Hyper-V this month, underscoring virtualization risks.

A list of all of September's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
