Microsoft’s September Patch Tuesday: Two Zero-Days and 81 Fixes
In its September Patch Tuesday release, Microsoft delivered a sweeping package of updates, addressing 81 vulnerabilities across its products and services. Among them were nine critical flaws, including two zero-day vulnerabilities, which drew the greatest attention from security professionals as they had already been actively exploited or publicly disclosed prior to the patches.
The first, identified as CVE-2025-55234, affects the SMB server and enables adversaries to carry out relay attacks that result in privilege escalation. Microsoft noted that Windows already includes defensive mechanisms for this class of attack, SMB Server Signing and Extended Protection for Authentication, but enabling them may cause compatibility issues with legacy devices. Administrators are therefore advised to turn on auditing first and review what it reports before enforcing the stricter policies.
The second flaw, CVE-2024-21907, resides in the Newtonsoft.Json library used within SQL Server. Exploitation occurs during the handling of specially crafted data via the JsonConvert.DeserializeObject method, triggering a stack overflow that can cause denial of service. Although disclosed back in 2024, the issue has only now been formally included in Microsoft’s patch cycle.
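The mitigation for this class of bug is to bound parser recursion depth. The following is an added defensive illustration, not code from the article or from Microsoft; the SafeJson class, the 64-level limit and the constructed sample input are assumptions:

```csharp
using System;
using Newtonsoft.Json;

// Added example: bound nesting depth so that deeply nested input is rejected
// by the reader instead of being recursed into until the stack is exhausted.
public static class SafeJson
{
    // Assumption: 64 levels is ample for the documents this service expects.
    // Newtonsoft.Json 13.0.1 and later apply the same value by default; older
    // versions left MaxDepth unset (unbounded) unless the caller supplied it.
    private static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        MaxDepth = 64
    };

    // Returns true with the parsed object when the document is within limits,
    // false when the reader stops at the nesting bound (JsonReaderException).
    public static bool TryDeserialize<T>(string json, out T result)
    {
        try
        {
            result = JsonConvert.DeserializeObject<T>(json, Hardened);
            return true;
        }
        catch (JsonReaderException)
        {
            result = default;
            return false;
        }
    }

    // Constructed sample input: an array nested 'depth' levels deep.
    public static string Nested(int depth) =>
        new string('[', depth) + new string(']', depth);

    public static void Main()
    {
        // Shallow, well-formed input parses normally: prints True.
        Console.WriteLine(TryDeserialize<object>("{\"id\": 7, \"tags\": [\"a\", \"b\"]}", out _));
        // Input 200 levels deep is rejected at level 65 instead of processed: prints False.
        Console.WriteLine(TryDeserialize<object>(Nested(200), out _));
    }
}
```

The same settings object can be passed to JsonSerializer.Create or assigned through JsonConvert.DefaultSettings so that every deserialization path in the process, not only explicit calls, is bounded.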
Beyond these two zero-days, the September release remedied dozens of other critical and important vulnerabilities. In Microsoft Office, multiple flaws in Excel, PowerPoint, Visio, and SharePoint that allowed remote code execution through maliciously crafted documents were corrected. For Windows, fixes targeted flaws in the graphics component, the Hyper-V subsystem, and NTLM; the NTLM flaw is particularly dangerous because it could facilitate credential compromise in domain infrastructures. Additional patches resolved privilege escalation bugs in BitLocker and LSASS, along with issues affecting Defender Firewall, Bluetooth, and Connected Devices.
One highlight was a flaw in Windows NTFS that could lead to remote code execution, as well as critical bugs in DirectX drivers and Win32K components, both of which potentially enabled attackers to bypass kernel protections and execute malicious code at the system level.
Microsoft also emphasized the expanded SMB client auditing capabilities included in this update cycle, designed to help administrators assess compatibility in advance of upcoming mandatory security policies.