Microsoft has released the scheduled Patch Tuesday updates for September 2025, addressing 81 security vulnerabilities across different products. These include two zero-day vulnerabilities, one of which was publicly disclosed in 2024.
Zero-Day Vulnerabilities Addressed With September Patch Tuesday From Microsoft
The most noteworthy security fixes released this month address two zero-days. While patching zero-day flaws with Patch Tuesday isn’t new for Microsoft, an interesting aspect of this month’s update bundle is the fix for a year-old vulnerability. Below, we describe the two zero-day vulnerabilities in detail.
- CVE-2024-21907: This vulnerability first surfaced online in January 2024, identified as a stack overflow vulnerability in Newtonsoft.Json that existed due to mishandling of exceptional conditions. An attacker could exploit this vulnerability to trigger denial of service on the target system when crafted data is passed to the JsonConvert.DeserializeObject method. In its advisory, Microsoft confirmed the publicly disclosed status of this vulnerability, releasing the fix with the latest SQL Server version.
- CVE-2025-55234 (important severity; CVSS 8.8): A privilege escalation vulnerability in SMB Server that an attacker could exploit to perform relay attacks. Microsoft confirmed public disclosure of the vulnerability, but no active exploitation attempts have been detected. According to the tech giant, Windows already protects against relay attacks; however, deploying these measures might trigger incompatibility issues with older devices. Hence, it advised admins to audit systems for potential incompatibility issues before deploying SMB Server hardening measures.
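As an added example (not code from the article or from Microsoft), the following PowerShell audit snapshot lists the active SMB sessions on a file server and flags clients that are not signing, which is the kind of compatibility check the advisory recommends before requiring SMB signing. It assumes the built-in SmbShare cmdlets and the Signed/Encrypted session properties exposed by Get-SmbSession on current Windows releases; the report path is a placeholder.

```powershell
# Added example, not from the original article: inventory active SMB sessions on a
# file server and flag clients that are not signing, so that enforcing signing
# (the relay-attack hardening referenced for CVE-2025-55234) does not break them.
# Run elevated on the SMB server; uses the built-in SmbShare module.
# $ReportPath is a placeholder location.
param(
    [string]$ReportPath = "$env:TEMP\smb-hardening-audit.csv"
)

# Current server-side posture: signing enabled/required, encryption, SMB1.
$cfg = Get-SmbServerConfiguration
Write-Host "SMB server configuration:"
Write-Host ("  EnableSecuritySignature  : {0}" -f $cfg.EnableSecuritySignature)
Write-Host ("  RequireSecuritySignature : {0}" -f $cfg.RequireSecuritySignature)
Write-Host ("  EncryptData              : {0}" -f $cfg.EncryptData)
Write-Host ("  EnableSMB1Protocol       : {0}" -f $cfg.EnableSMB1Protocol)

# One snapshot of live sessions. Repeat this over several days (scheduled task)
# so that devices that connect rarely, such as printers or legacy appliances, are captured.
$sessions = @(Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted)

# Sessions that would be rejected once RequireSecuritySignature is set to $true.
$unsigned = @($sessions | Where-Object { -not $_.Signed })

if ($unsigned.Count -gt 0) {
    Write-Warning ("{0} unsigned session(s); requiring signing now would disconnect these clients:" -f $unsigned.Count)
    $unsigned | Group-Object ClientComputerName | ForEach-Object {
        $dialects = ($_.Group.Dialect | Sort-Object -Unique) -join ','
        $users    = ($_.Group.ClientUserName | Sort-Object -Unique) -join ','
        Write-Host ("  {0,-30} dialect(s): {1,-8} user(s): {2}" -f $_.Name, $dialects, $users)
    }
} else {
    Write-Host "All sessions in this snapshot are signed; no compatibility blockers observed."
}

# Keep the full inventory for the audit trail (use a per-run path to accumulate snapshots).
if ($sessions.Count -gt 0) {
    $sessions | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Session inventory written to $ReportPath"
}

# Hardening step, to be run only after the audit window shows no unsigned clients.
# -WhatIf reports the change without applying it; remove it to enforce signing.
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force -WhatIf
```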
8 Critical And 71 Important Severity Vulnerabilities Also Addressed
Besides the two zero-day flaws, Microsoft also patched eight critical vulnerabilities across six different products and 71 important severity flaws. These include 3 denial of service vulnerabilities, 37 privilege escalation flaws, 14 information disclosure issues, 22 remote code execution vulnerabilities, 1 spoofing vulnerability, and 2 security feature bypasses. Some of the most severe vulnerabilities include the following:
- CVE-2025-54918 (critical severity; CVSS 8.8): A privilege escalation vulnerability in Windows NTLM that existed due to improper authentication. An authorized adversary could trigger the flaw to gain SYSTEM privileges on the target network.
- CVE-2025-54910 (critical severity; CVSS 8.4): A heap-based buffer overflow vulnerability in Microsoft Office could allow an unauthorized remote attacker to execute arbitrary code locally on a target device. According to the firm, the Preview Pane is an attack vector for this flaw. Microsoft credited the researchers Li Shuang, willJ and Guang Gong for reporting this vulnerability.
- CVE-2025-55232 (important severity; CVSS 9.8): A remote code execution vulnerability existed in the Microsoft High Performance Compute (HPC) Pack due to deserialization of untrusted data. Exploiting the flaw could execute arbitrary code on the target network without user interaction. Microsoft advised users to protect HPC Pack clusters behind a secure network, especially with firewall rules for TCP port 5999.
- CVE-2025-53799 (critical severity; CVSS 5.5): An information disclosure vulnerability in Windows Imaging Component existed due to the use of an uninitialized resource. An unauthorized attacker could trigger the flaw by tricking the victim user into opening a maliciously crafted file. Successful exploitation allows the attacker to “read small portions of heap memory”. Microsoft confirmed that the Preview Pane isn’t an attack vector for this vulnerability.
Microsoft ensures that these updates automatically reach all eligible systems. However, users should still check their systems for updates manually to ensure they receive all security fixes in time and avoid potential threats.
Let us know your thoughts in the comments.