Analysis of Microsoft Patch Tuesday updates - September 2025
Executive Summary
On Tuesday, 09.09.2025, Microsoft released its monthly security update, addressing 81 vulnerabilities across its products.
By severity:
- Important - 72;
- Moderate - 1;
- Critical - 8.
Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities
Special attention should be paid to the following vulnerability. Fixing it is the highest priority:
- CVE-2025-55234 (CVSS 8.8; Important) - Windows SMB Elevation of Privilege Vulnerability (Elevation of Privilege). An attacker who successfully exploits this vulnerability can obtain SYSTEM-level privileges. To exploit the vulnerability, the attacker needs access to the target system and the ability to run code with low privileges.
Overview and trends
Microsoft's September 2025 Patch Tuesday includes fixes for 81 vulnerabilities, a notable decrease compared to the large summer releases in August (111) and July (130). Despite the smaller volume, the release contains a number of serious vulnerabilities that require prompt action. Key trends observed this month:
- Publicly disclosed SMB vulnerability: The main highlight this month is the fix for the publicly disclosed elevation of privilege vulnerability CVE-2025-55234 in Windows SMB. Since information about this vulnerability is already available to attackers, exploitation is highly likely. This makes the SMB patch the highest priority for all administrators.
- Dominance of elevation of privilege (EoP) vulnerabilities: As in previous months, Elevation of Privilege vulnerabilities make up the overwhelming majority of fixes. This month they affect critical components such as the Windows kernel, NTLM, SQL Server, Hyper-V, and numerous system services, indicating Microsoft's systematic efforts to harden the OS's core security mechanisms.
- Critical vulnerabilities in key components: This month, 8 critical vulnerabilities were fixed. They affect important products such as NTLM, Microsoft Office, Hyper-V, and Windows graphics components. This underscores that even with a smaller total number of vulnerabilities, the risk level remains high due to the potentially severe impact of exploitation.
- Continued focus on Routing and Remote Access Service (RRAS): The RRAS service is again in the spotlight, receiving fixes for several remote code execution (RCE) and information disclosure vulnerabilities. This continues the trend of recent months, indicating that this component remains an attractive target for security researchers and attackers.
Full List of Vulnerabilities
Below is a table with all the vulnerabilities fixed this month.
| CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed |
|---|---|---|---|---|---|---|
| CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | Yes |
| CVE-2025-55232 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Important | No | No |
| CVE-2025-54106 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2025-54110 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2025-54113 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2025-54897 | Microsoft SharePoint Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Critical | No | No |
| CVE-2025-55227 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2025-49692 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-53800 | Windows Graphics Component Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Critical | No | No |
| CVE-2025-53801 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54091 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54092 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54098 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54102 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54111 | Windows UI XAML Phone DatePickerFlyout Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54894 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54895 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54896 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54898 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54899 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54900 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54902 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54903 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54904 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54906 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54907 | Microsoft Office Visio Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54908 | Microsoft PowerPoint Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-54912 | Windows BitLocker Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54913 | Windows UI XAML Maps MapControlSettings Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-54916 | Windows NTFS Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-55224 | Windows Hyper-V Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Critical | No | No |
| CVE-2025-55228 | Windows Graphics Component Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Critical | No | No |
| CVE-2025-55245 | Xbox Gaming Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-55316 | Azure Arc Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-55317 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-53805 | HTTP.sys Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No |
| CVE-2025-54919 | Windows Graphics Component Remote Code Execution Vulnerability | Remote Code Execution | 7.5 | Important | No | No |
| CVE-2025-55243 | Microsoft OfficePlus Spoofing Vulnerability | Spoofing | 7.5 | Important | No | No |
| CVE-2025-54103 | Windows Management Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.4 | Important | No | No |
| CVE-2025-54116 | Windows MultiPoint Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.3 | Important | No | No |
| CVE-2025-54911 | Windows BitLocker Elevation of Privilege Vulnerability | Elevation of Privilege | 7.3 | Important | No | No |
| CVE-2025-55236 | Graphics Kernel Remote Code Execution Vulnerability | Remote Code Execution | 7.3 | Critical | No | No |
| CVE-2025-54905 | Microsoft Word Information Disclosure Vulnerability | Information Disclosure | 7.1 | Important | No | No |
| CVE-2025-49734 | PowerShell Direct Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-53802 | Windows Bluetooth Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-53807 | Windows Graphics Component Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-54093 | Windows TCP/IP Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-54099 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-54105 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-54108 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-54112 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-54114 | Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability | Denial of Service | 7.0 | Important | No | No |
| CVE-2025-54115 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-55223 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-53808 | Windows Defender Firewall Service Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-53810 | Windows Defender Firewall Service Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-54094 | Windows Defender Firewall Service Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-54104 | Windows Defender Firewall Service Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-54109 | Windows Defender Firewall Service Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-54915 | Windows Defender Firewall Service Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-55226 | Graphics Kernel Remote Code Execution Vulnerability | Remote Code Execution | 6.7 | Critical | No | No |
| CVE-2025-47997 | Microsoft SQL Server Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-53796 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-53797 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-53798 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-53806 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-53809 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Denial of Service | 6.5 | Important | No | No |
| CVE-2025-54095 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-54096 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-54097 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-55225 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-53799 | Windows Imaging Component Information Disclosure Vulnerability | Information Disclosure | 5.5 | Critical | No | No |
| CVE-2025-53803 | Windows Kernel Memory Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-53804 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-54901 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-54101 | Windows SMB Client Remote Code Execution Vulnerability | Remote Code Execution | 4.8 | Important | No | No |
| CVE-2025-53791 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Security Feature Bypass | 4.7 | Moderate | No | No |
| CVE-2025-54107 | MapUrlToZone Security Feature Bypass Vulnerability | Security Feature Bypass | 4.3 | Important | No | No |
| CVE-2025-54917 | MapUrlToZone Security Feature Bypass Vulnerability | Security Feature Bypass | 4.3 | Important | No | No |
Retrospective vulnerability analysis
- CVE-2025-27480 — Windows Remote Desktop Services Remote Code Execution Vulnerability (Remote Code Execution). This vulnerability is a classic stack buffer overflow. An attacker can send a specially crafted HTTP GET request longer than 256 bytes, causing a buffer overflow on the server. This enables arbitrary code execution on the target machine without requiring authentication or user interaction, potentially resulting in remote access (reverse shell). The vulnerability was fixed in April 2025.
- CVE-2025-32713 — Windows Common Log File System Driver Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the CLFS file system driver that allows a local attacker to elevate privileges. The issue stems from improper handling of metadata in BLF (Base Log File) files, leading to kernel memory corruption. An attacker can craft a malicious CLFS file whose exploitation results in code execution with SYSTEM-level privileges. The vulnerability was fixed in June 2025.
- CVE-2025-47987 — Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (Elevation of Privilege). This vulnerability is an integer overflow that leads to a heap-based buffer overflow in tspkg.dll (Terminal Services Security Package). The issue occurs in the TSCreateKerbCertLogonBuffer function when processing authentication data, specifically certificate data. An attacker can craft an authentication request with a very large certificate length value. When calculating the total buffer size, an integer overflow occurs, causing a buffer much smaller than required to be allocated. A subsequent copy of the certificate data into this undersized buffer triggers a heap overflow, crashing lsass.exe and causing a denial of service. The vulnerability was fixed in July 2025.
- CVE-2025-49667 — Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the Win32 kernel subsystem that allows a local user to elevate privileges to SYSTEM. The exploit triggers a vulnerable system call that forcibly frees an object in kernel memory twice, after which the attacker can overwrite a kernel function pointer and execute their code. A PoC demonstrating this technique is available on GitHub. The vulnerability was fixed in July 2025.
- CVE-2025-50154 — Microsoft Windows File Explorer Spoofing Vulnerability (Spoofing). A vulnerability in Windows File Explorer that allows NTLMv2-SSP password hashes to be leaked without user interaction (zero-click). This is a bypass of a previous security fix. By creating a specially crafted shortcut (.LNK) that points to an executable on a remote SMB server, an attacker causes explorer.exe to automatically attempt to extract the icon from the remote file, which results in the NTLM hash being sent to the attacker's server. The vulnerability was fixed in August 2025.
- CVE-2025-53773 — GitHub Copilot and Visual Studio Remote Code Execution Vulnerability (Remote Code Execution). A prompt injection vulnerability in GitHub Copilot within VS Code that leads to remote code execution. An attacker can embed an instruction into source code or other files that modifies the project configuration (.vscode/settings.json), enabling "YOLO mode" which disables all user confirmation prompts. This allows Copilot to run shell commands and perform other dangerous actions without the developer's knowledge. The vulnerability was fixed in August 2025.
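The CVE-2025-47987 item above describes a defect class worth seeing as code: an attacker-controlled length is added to a fixed header size, the 32-bit sum wraps, and the allocation ends up far smaller than the data later copied into it. The following is an added example, not Microsoft's code and not the tspkg.dll logic; the message layout (a 4-byte little-endian length followed by the certificate bytes), the `HEADER_SIZE` of 16 and the `MAX_CERT_LEN` policy limit are all constructed for the illustration. It shows the wrapped arithmetic beside the bounded check a parser should perform before trusting a length field.

```python
"""Length-field validation for a binary authentication blob.

Added example (constructed format; not the tspkg.dll implementation).
It models the defect class described for CVE-2025-47987: a declared
certificate length is added to a fixed header size, the 32-bit sum
wraps, and an undersized buffer is allocated.
"""
import struct

HEADER_SIZE = 16            # assumed fixed header size in the constructed format
UINT32_MAX = 0xFFFFFFFF
MAX_CERT_LEN = 64 * 1024    # assumed policy limit: anything larger is rejected outright


def naive_total_size(cert_len: int) -> int:
    """What an unchecked 32-bit computation produces: the sum silently wraps."""
    return (HEADER_SIZE + cert_len) & UINT32_MAX


def checked_total_size(cert_len: int) -> int:
    """Overflow-safe version: bound the operand before adding, never after."""
    if cert_len > UINT32_MAX - HEADER_SIZE:
        raise ValueError("certificate length would overflow the size calculation")
    return HEADER_SIZE + cert_len


def parse_cert_blob(blob: bytes) -> bytes:
    """Parse [u32 cert_len][cert bytes], checking the declared length against
    the policy limit, the overflow bound and the bytes actually present."""
    if len(blob) < 4:
        raise ValueError("truncated length field")
    (cert_len,) = struct.unpack_from("<I", blob, 0)
    if cert_len > MAX_CERT_LEN:
        raise ValueError(f"certificate length {cert_len} exceeds policy limit")
    checked_total_size(cert_len)                # raises if the sum would wrap
    if len(blob) - 4 < cert_len:
        raise ValueError("declared length exceeds data present")
    return blob[4:4 + cert_len]


def make_blob(declared_len: int, payload: bytes) -> bytes:
    """Build a blob with an explicit declared length (may disagree with payload)."""
    return struct.pack("<I", declared_len) + payload


def build_blob(cert: bytes) -> bytes:
    """Build a well-formed blob whose declared length matches the payload."""
    return make_blob(len(cert), cert)


def is_rejected(blob: bytes) -> bool:
    """True if the validating parser refuses the blob."""
    try:
        parse_cert_blob(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = build_blob(b"-----BEGIN CERT-----constructed-----END CERT-----")
    print(len(parse_cert_blob(good)), "certificate bytes parsed")
    # A declared length for which HEADER_SIZE + cert_len wraps to 8 in 32 bits
    wrap_len = UINT32_MAX - HEADER_SIZE + 9
    print("unchecked size calculation yields:", naive_total_size(wrap_len))
    print("validating parser rejects it:", is_rejected(make_blob(wrap_len, b"A" * 32)))
```

The order of the checks matters: the policy limit is cheap and catches the overwhelming majority of bad input, the overflow bound protects the arithmetic itself, and the comparison against the bytes present is what prevents a copy from reading or writing past the real data.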
Conclusion
The September 2025 security update, while less extensive than previous ones, is a critical release due to the presence of a publicly disclosed vulnerability and eight critical fixes. IT administrators need to act quickly and strategically. Priority should be given to immediately installing updates for the following vulnerabilities:
- The publicly disclosed CVE-2025-55234 (Windows SMB, EoP) to prevent its imminent exploitation.
- All 8 critical vulnerabilities, especially those affecting NTLM (CVE-2025-54918), Microsoft Office (CVE-2025-54910), Hyper-V (CVE-2025-55224) and graphics components, as they may lead to full system compromise.
It is also recommended to prioritize updating servers with RRAS, SQL Server, and SharePoint roles, given their critical role in enterprise infrastructure. Timely patching remains a key element of defense. Delays in installing updates, especially for publicly disclosed vulnerabilities, create an unacceptable level of risk to the organization's security.
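The conclusion states a prioritization rule (publicly disclosed or exploited first, then the eight Critical fixes, then the rest) that can be applied mechanically to the table above. The script below is an added example, not part of the original analysis: it parses rows in the same pipe-delimited layout as the table, orders them with that rule (exploited before merely disclosed, then Microsoft severity, then descending CVSS) and totals the rows by severity. `SAMPLE_TABLE` is a subset of rows copied from the table; the `SEVERITY_RANK` entry for "Low" is an assumption covering a rating the page does not use this month.

```python
"""Patch-prioritisation helper for a Patch Tuesday table.

Added example, not the analysis's own tooling. Parses pipe-delimited rows
(CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed) and
orders them by the rule given in the conclusion.
"""
from dataclasses import dataclass

# Constructed subset of rows copied from the table above; the full table can
# be fed in unchanged.
SAMPLE_TABLE = """\
| CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed |
|---|---|---|---|---|---|---|
| CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | Yes |
| CVE-2025-55232 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Important | No | No |
| CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Critical | No | No |
| CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2025-55224 | Windows Hyper-V Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Critical | No | No |
| CVE-2025-54106 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2025-53799 | Windows Imaging Component Information Disclosure Vulnerability | Information Disclosure | 5.5 | Critical | No | No |
| CVE-2025-53791 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Security Feature Bypass | 4.7 | Moderate | No | No |
| CVE-2025-54107 | MapUrlToZone Security Feature Bypass Vulnerability | Security Feature Bypass | 4.3 | Important | No | No |
"""

# "Low" is assumed for completeness; it does not occur in this month's table.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    vuln_type: str
    cvss: float
    severity: str
    exploited: bool
    disclosed: bool


def parse_table(text: str) -> list:
    """Parse pipe-delimited rows; the header row and |---| separator are skipped."""
    vulns = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "CVE" or set(cells[0]) <= {"-"}:
            continue
        cve, title, vtype, cvss, sev, expl, disc = cells
        vulns.append(Vuln(cve, title, vtype, float(cvss), sev,
                          expl.lower() == "yes", disc.lower() == "yes"))
    return vulns


def priority_key(v: Vuln) -> tuple:
    """Smaller tuple sorts first: exploited, then disclosed, then severity, then CVSS."""
    return (0 if v.exploited else 1,
            0 if v.disclosed else 1,
            SEVERITY_RANK.get(v.severity, 9),
            -v.cvss)


def prioritize(vulns) -> list:
    """Return the vulnerabilities in the order they should be patched."""
    return sorted(vulns, key=priority_key)


def counts_by_severity(vulns) -> dict:
    """Totals per Microsoft severity rating, for checking against the summary."""
    out = {}
    for v in vulns:
        out[v.severity] = out.get(v.severity, 0) + 1
    return out


if __name__ == "__main__":
    ranked = prioritize(parse_table(SAMPLE_TABLE))
    for i, v in enumerate(ranked, 1):
        flag = "EXPLOITED" if v.exploited else ("DISCLOSED" if v.disclosed else "")
        print(f"{i:2d}. {v.cve}  {v.severity:9s} CVSS {v.cvss:<4} {flag:9s} {v.title}")
    print(counts_by_severity(ranked))
```

Note that this rule places the Critical 5.5-CVSS imaging-component bug ahead of the 9.8-CVSS HPC Pack RCE, because it follows the conclusion in ranking Microsoft's severity rating above CVSS; an organization that weighs CVSS or exposure first only needs to reorder the elements of `priority_key`. Run against the full table, `counts_by_severity` should reproduce the 72/1/8 split stated in the executive summary.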