Patch Tuesday September 2025

September 19, 2025
Omega Threat Intelligence

Overview

Microsoft released security updates in September 2025 addressing 84 vulnerabilities across Windows, Office, Azure, SQL Server, and other product families. The patches include 13 Critical, 72 Important, and 1 Moderate severity issues. The scope covers both core operating system components and higher-level applications, with multiple classes of flaws that directly impact enterprise, cloud, and endpoint environments.

  • Severity distribution
    • 12 Critical
    • 71 Important
    • 1 Moderate
  • Attack categories
    • Elevation of Privilege
    • Remote Code Execution
    • Information Disclosure
    • Security Feature Bypass
    • Denial of Service
  • Primary product families impacted
    • Windows Core OS: NTLM, SMB, BitLocker, Kernel, Win32K, TCP/IP, Defender Firewall
    • Microsoft Office Suite: Word, Excel, PowerPoint, Visio, SharePoint
    • Cloud and Enterprise: Azure Entra, Arc, Bot Service, MAU, Dynamics 365, SQL Server
    • Virtualization: Hyper-V and HPC Pack
    • Consumer and Peripheral: Xbox Gaming Services, UI components, graphics and imaging subsystems

The majority of vulnerabilities this month are in the Elevation of Privilege and Remote Code Execution categories. These include flaws in NTLM, SMB, and SQL Server, along with multiple memory corruption issues in Office applications and Windows graphics components. Several critical patches affect virtualization and cloud identity services such as Hyper-V and Azure Entra, reflecting the distribution of flaws across both local and cloud environments. The update also addresses security issues in less visible areas such as the Windows Routing and Remote Access Service (RRAS), BitLocker, and Defender Firewall, adding depth to the patch coverage beyond the highest-profile components.


Focus/Notable Highlight CVEs

CVE-2025-55232 is a remote code execution vulnerability in the Microsoft High Performance Compute Pack with a CVSS score of 9.8. The flaw arises from the deserialization of untrusted data and allows unauthenticated remote attackers to execute arbitrary code without user interaction. Exploitation is possible over TCP port 5999, and Microsoft has recommended that HPC Pack clusters be deployed only in secured network enclaves with strict access controls.

CVE-2025-54918 is an elevation of privilege vulnerability in Windows NTLM with a CVSS score of 8.8. It stems from improper authentication handling and allows authenticated attackers to escalate privileges to SYSTEM level over the network. Microsoft identified this vulnerability as more likely to be exploited, with low attack complexity, making it a high-priority issue for environments relying on NTLM authentication.

CVE-2025-55234 is an elevation of privilege vulnerability in Windows SMB with a CVSS score of 8.8. The flaw allows relay attacks in improperly configured SMB servers, where authentication traffic can be captured and reused. Microsoft confirmed the vulnerability was publicly disclosed prior to patch release, classifying it as a zero-day, although there was no evidence of active exploitation at the time of disclosure.
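Relay attacks of the kind described for CVE-2025-55234 depend on SMB sessions that are not required to be signed. The following audit script is an added example, not code from the original post or from Microsoft; it uses the built-in SmbShare cmdlets to report whether signing is required on the server and client side and whether SMB1 is still enabled, and it makes no changes unless the remediation lines are uncommented.

```powershell
# Added example (not from the original post): read-only audit of the SMB
# settings that decide whether this host's sessions can be relayed.
# Run in an elevated session on Windows 8.1 / Server 2012 R2 or later.

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

$findings = @()

# Server side: RequireSecuritySignature=True rejects unsigned sessions, so a
# relayed authentication cannot be used to open a session against this host.
if (-not $server.RequireSecuritySignature) {
    $findings += "SMB server does not require signing (RequireSecuritySignature=False)"
}

# Client side: requiring signing on outbound sessions stops this host's own
# authentication from being relayed by a rogue or intercepted server.
if (-not $client.RequireSecuritySignature) {
    $findings += "SMB client does not require signing (RequireSecuritySignature=False)"
}

# SMB1 lacks the negotiation protections of SMB2/3 and should not be enabled.
if ($server.EnableSMB1Protocol) {
    $findings += "SMB1 protocol is enabled on the server"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: signing required on server and client, SMB1 disabled"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation, left commented so the audit stays read-only. Apply after
    # change control; requiring signing can break legacy clients and devices.
    # Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```

Run the audit across file servers and domain controllers first, since those are the hosts a relayed authentication is most valuable against.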

CVE-2025-54897 is a remote code execution vulnerability in Microsoft SharePoint Server with a CVSS score of 8.8. The flaw results from unsafe deserialization of untrusted data, enabling authenticated users with site owner privileges to execute arbitrary code remotely. The vulnerability affects multiple versions of SharePoint, including Subscription Edition, 2019, and Enterprise Server 2016.

CVE-2025-55227 is an elevation of privilege vulnerability in Microsoft SQL Server with a CVSS score of 8.8. The issue occurs through improper neutralization of SQL elements during table creation, allowing authenticated users to inject code and elevate privileges to sysadmin. The vulnerability affects SQL Server versions from 2016 through 2022, requiring careful version verification and patch application.

CVE-2025-54910 is a remote code execution vulnerability in Microsoft Office with a CVSS score of 8.4. The flaw is caused by a heap-based buffer overflow, which can be triggered by malicious files and exploited through the Outlook Preview Pane. Successful exploitation allows arbitrary code execution in the context of the current user without requiring direct file interaction, increasing the exposure risk in enterprise environments.

CVE-2025-54113 is a remote code execution vulnerability in Windows Routing and Remote Access Service (RRAS) with a CVSS score of 8.8. It results from integer overflow and wraparound conditions, allowing unauthenticated attackers to trick users into connecting to malicious servers. The vulnerability affects multiple Windows Server versions as well as Windows 10 and 11 systems. Microsoft patched ten RRAS flaws this month; this is one of the two RCE-class issues among them.

CVE-2025-55224 is a remote code execution vulnerability in Windows Hyper-V with a CVSS score of 7.8. The flaw arises from a race condition in the Win32K graphics subsystem that could allow guest-to-host code execution. Microsoft’s September update addressed five Hyper-V vulnerabilities, with CVE-2025-55224 being the only one categorized as critical, highlighting the importance of patching in virtualization-heavy environments.

CVE-2025-54916 is a remote code execution vulnerability in Windows NTFS with a CVSS score of 7.8. The flaw is due to a stack-based buffer overflow in the NTFS driver, which parses file system structures. An authenticated attacker could craft specific disk layouts or directories to trigger the overflow, resulting in code execution with SYSTEM-level privileges. Microsoft listed this vulnerability as more likely to be exploited in the near term.

CVE-2025-55228 is a remote code execution vulnerability in the Windows Graphics Component, specifically within the Win32K subsystem, with a CVSS score of 7.8. The flaw is linked to a race condition and improper synchronization, allowing local attackers to execute arbitrary code. It is part of a cluster of critical graphics-related vulnerabilities disclosed this month, reflecting recurring memory safety weaknesses in the Windows graphics stack.


All Microsoft Patch Tuesday CVEs

CVSS 9.8

  • Microsoft HPC Pack
    • CVE-2025-55232 – Remote code execution via deserialization of untrusted data

CVSS 8.8

  • Windows / Authentication
    • CVE-2025-54918 – Windows NTLM elevation of privilege due to improper authentication
    • CVE-2025-55234 – Windows SMB elevation of privilege through relay attacks
  • Office / Enterprise Apps
    • CVE-2025-54897 – Microsoft SharePoint remote code execution via unsafe deserialization
    • CVE-2025-55227 – Microsoft SQL Server elevation of privilege via SQL command injection
  • Windows Core / Networking
    • CVE-2025-54113 – Windows RRAS remote code execution through integer overflow

CVSS 8.4

  • Microsoft Office
    • CVE-2025-54910 – Heap-based buffer overflow enabling remote code execution, exploitable via Outlook Preview Pane

CVSS 7.8

  • Windows Graphics / Hyper-V
    • CVE-2025-55224 – Windows Hyper-V remote code execution via race condition in Win32K
    • CVE-2025-55228 – Windows Graphics Component remote code execution via race condition
    • CVE-2025-53800 – Windows Graphics Component elevation of privilege from improper resource initialization
  • Windows File System
    • CVE-2025-54916 – Windows NTFS remote code execution via stack-based buffer overflow
  • Windows / Crypto / Storage
    • CVE-2025-54912 – Windows BitLocker elevation of privilege (use-after-free)
    • CVE-2025-54111 – Windows UI XAML Phone DatePickerFlyout elevation of privilege
    • CVE-2025-54112 – Microsoft Virtual Hard Disk elevation of privilege
    • CVE-2025-54098 – Windows Hyper-V elevation of privilege
    • CVE-2025-54092 – Windows Hyper-V elevation of privilege
    • CVE-2025-54091 – Windows Hyper-V elevation of privilege
    • CVE-2025-54913 – Windows UI XAML Maps MapControlSettings elevation of privilege
    • CVE-2025-54911 – Windows BitLocker elevation of privilege
    • CVE-2025-54895 – SPNEGO Extended Negotiation elevation of privilege
    • CVE-2025-54099 – Windows Ancillary Function Driver for WinSock elevation of privilege
    • CVE-2025-54093 – Windows TCP/IP elevation of privilege
  • Microsoft Office Apps
    • CVE-2025-54908 – Microsoft PowerPoint remote code execution
    • CVE-2025-54907 – Microsoft Visio remote code execution
    • CVE-2025-54906 – Microsoft Office remote code execution
    • CVE-2025-54899 – Microsoft Excel remote code execution
    • CVE-2025-54904 – Microsoft Excel remote code execution
    • CVE-2025-54903 – Microsoft Excel remote code execution
    • CVE-2025-54898 – Microsoft Excel remote code execution
    • CVE-2025-54896 – Microsoft Excel remote code execution
    • CVE-2025-54900 – Microsoft Excel remote code execution
    • CVE-2025-54902 – Microsoft Excel remote code execution

CVSS 7.5

  • Microsoft Office
    • CVE-2025-55243 – Microsoft OfficePlus spoofing vulnerability

CVSS 7.3

  • Windows File System / Encryption
    • CVE-2025-54911 – Windows BitLocker privilege escalation (use-after-free)
  • Windows Services
    • CVE-2025-54116 – Windows MultiPoint Services elevation of privilege

CVSS 7.1

  • Microsoft Office
    • CVE-2025-54905 – Microsoft Word information disclosure via pointer dereference

CVSS 7.0

  • Windows Graphics / Core
    • CVE-2025-55223 – DirectX Graphics Kernel elevation of privilege
    • CVE-2025-54115 – Windows Hyper-V race condition elevation of privilege
    • CVE-2025-54114 – Windows Connected Devices Platform Service denial of service
    • CVE-2025-54108 – Capability Access Management Service (camsvc) elevation of privilege
    • CVE-2025-54105 – Microsoft Brokering File System elevation of privilege

CVSS 6.7

  • Windows Graphics / Kernel
    • CVE-2025-55226 – Graphics Kernel remote code execution
  • Windows Firewall
    • CVE-2025-54915 – Windows Defender Firewall elevation of privilege
    • CVE-2025-54109 – Windows Defender Firewall elevation of privilege
    • CVE-2025-54104 – Windows Defender Firewall elevation of privilege
    • CVE-2025-54094 – Windows Defender Firewall elevation of privilege
    • CVE-2025-53810 – Windows Defender Firewall elevation of privilege
    • CVE-2025-53808 – Windows Defender Firewall elevation of privilege

CVSS 6.5

  • Windows RRAS
    • CVE-2025-54095 – Information disclosure
    • CVE-2025-54096 – Information disclosure
    • CVE-2025-53797 – Information disclosure
    • CVE-2025-53796 – Information disclosure
    • CVE-2025-54097 – Information disclosure
    • CVE-2025-53798 – Information disclosure
    • CVE-2025-55225 – Information disclosure
    • CVE-2025-53806 – Information disclosure
  • Windows LSASS
    • CVE-2025-53809 – LSASS denial of service
  • SQL Server
    • CVE-2025-47997 – SQL Server information disclosure

CVSS 5.5

  • Windows Kernel
    • CVE-2025-53803 – Windows Kernel memory information disclosure
    • CVE-2025-53804 – Windows Kernel-mode driver information disclosure
  • Office
    • CVE-2025-54901 – Microsoft Excel buffer over-read information disclosure
  • Windows Imaging
    • CVE-2025-53799 – Windows Imaging Component information disclosure

CVSS 4.8

  • Windows SMBv3
    • CVE-2025-54101 – Windows SMB Client remote code execution

CVSS 4.7

  • Microsoft Edge (Chromium)
    • CVE-2025-53791 – Security feature bypass

CVSS 4.3

  • Windows MapUrlToZone
    • CVE-2025-54917 – Security feature bypass
    • CVE-2025-54107 – Security feature bypass