Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities.

This Patch Tuesday also fixes nine "Critical" vulnerabilities, five of which are remote code execution vulnerabilities, one is an information disclosure, and two are elevation of privilege.

The number of bugs in each vulnerability category is listed below:

41 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
22 Remote Code Execution Vulnerabilities
16 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
1 Spoofing Vulnerability

When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday. Therefore, the number of flaws does not include three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and one Xbox vulnerability fixed earlier this month.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5065426 & KB5065431 cumulative updates and the Windows 10 KB5065429 update.

Two publicly disclosed zero-days fixed

This month's Patch Tuesday fixes two publicly disclosed zero-day flaws in Windows SMB Server and Microsoft SQL Server.

Microsoft classifies a flaw as a zero-day if it is publicly disclosed or actively exploited while no official fix is available.

The two publicly disclosed zero-days are:

CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability

Microsoft fixed an elevation of privilege flaw in SMB Server that is exploited through relay attacks.

"SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks," explains Microsoft.
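Microsoft's mitigation for this flaw is to require SMB signing (and EPA) on the server, after first auditing which clients would break. The following PowerShell script is an added example, not from the article or from Microsoft, that reports the server's signing state, probes for the newer audit switches (assumed to exist only on builds carrying the September 2025 update, so their presence is checked rather than assumed), and groups recent events from the SMB server audit log so incompatible clients surface before signing is enforced:

```powershell
# Added example (not from the article or Microsoft): report an SMB server's relay-hardening
# state and surface compatibility audit events before enforcing signing.
# Assumes Windows PowerShell 5.1+ with the SmbShare module, run elevated on the file server.

$cfg = Get-SmbServerConfiguration

# RequireSecuritySignature is what defeats relay; EnableSecuritySignature alone only negotiates it.
$findings = [ordered]@{
    'Signing required'   = $cfg.RequireSecuritySignature
    'Signing negotiated' = $cfg.EnableSecuritySignature
    'Encryption forced'  = $cfg.EncryptData
}

# Assumed audit switches on updated builds; report them only if the property actually exists.
foreach ($p in 'AuditClientDoesNotSupportSigning', 'AuditClientDoesNotSupportEncryption') {
    if ($cfg.PSObject.Properties.Name -contains $p) { $findings[$p] = $cfg.$p }
    else { $findings[$p] = 'not available on this build' }
}

$findings.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

if (-not $cfg.RequireSecuritySignature) {
    Write-Warning 'SMB signing is not required: this server remains exposed to relay attacks.'
}

# Group what the SMB server audit channel recorded in the last 7 days by event ID, so
# incompatible clients are identified before RequireSecuritySignature is turned on.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    StartTime = $since
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count,
                      @{ n = 'Sample';  e = { $_.Group[0].Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    'No SMB server audit events recorded since {0:u}.' -f $since
}

# Once the audit window shows no incompatible clients, enforce signing (uncomment to apply):
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```

Run it over a full business cycle before flipping the last line, since clients that only connect weekly or monthly will not appear in a short audit window.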
Microsoft says that Windows already includes settings to harden the SMB Server against relay attacks, including enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA). However, enabling these features could cause compatibility issues with older devices and implementations.

Microsoft recommends that admins enable auditing on SMB servers to determine whether they will encounter any issues when those hardening features are fully enforced.

"As part of the Windows updates released on and after September 9, 2025 (CVE-2025-55234), support is enabled for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA," explains Microsoft.

Microsoft has not attributed the flaw to any researchers, and it is unclear where it was disclosed.

CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json

Microsoft has fixed a previously known vulnerability in Newtonsoft.Json that is included as part of Microsoft SQL Server.

"CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1," explains Microsoft. "Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition."

"The documented SQL Server updates incorporate updates in Newtonsoft.Json which address this vulnerability."

This flaw was publicly disclosed in 2024.

Recent updates from other companies

Other vendors who released updates or advisories in September 2025 include:

The September 2025 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the September 2025 Patch Tuesday updates. To access the full description of each vulnerability and the systems it affects, you can view the full report here.