Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities across its product ecosystem, including two zero-days and nine rated critical. The updates span Windows, Office, SQL Server, Hyper-V, NTLM, TCP/IP, and graphics components.
In total, Microsoft fixed:
- 41 elevation of privilege vulnerabilities
- 22 remote code execution flaws
- 16 information disclosure issues
- 3 denial of service vulnerabilities
- 2 security feature bypasses
- 1 spoofing vulnerability
With nine critical flaws and two zero-days addressed, administrators should prioritize deploying these updates immediately, especially across enterprise environments reliant on NTLM, Hyper-V, and Microsoft Office.
Two Zero-Days Addressed
Among the most urgent patches is CVE-2025-55234, a Windows SMB elevation of privilege vulnerability. An improper authentication weakness in Windows SMB may enable an authenticated attacker to elevate their privileges over the network, potentially gaining administrator privileges upon successful exploitation. Flaws of this type, which often affect authentication protocols such as NT LAN Manager (NTLM), can allow an attacker to bypass security controls and move laterally within a network, making this a privilege escalation risk rather than an initial-access one.
Microsoft also patched CVE-2024-21907, a denial-of-service vulnerability in the Newtonsoft.Json library, which is used by SQL Server. The flaw is triggered when a specially crafted data object is passed to the JsonConvert.DeserializeObject method, producing a StackOverflow exception that crashes the hosting process. The bug was already publicly known but is now officially patched in Microsoft’s supported products.
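The crash described above comes from unbounded nesting during deserialization. The following is an added example, not code from the advisory or from Newtonsoft.Json, showing the defensive setting a service owner can apply: an explicit JsonSerializerSettings.MaxDepth, which turns an over-deep document into a catchable JsonReaderException instead of a process-terminating stack overflow. It assumes a Newtonsoft.Json version that exposes MaxDepth (13.0.1 and later also default it to 64; earlier versions leave it unlimited unless set); the sample inputs are constructed inline.

```csharp
using System;
using Newtonsoft.Json;

// Added example (not from the advisory or the library): bounding nesting depth
// so that deeply nested input is rejected by the parser rather than crashing
// the process. Sample documents below are constructed for this demonstration.
class NestingGuardDemo
{
    // Deserializes with an explicit depth limit and reports the outcome.
    // Returns "ok" when parsing succeeds and "rejected" when the limit trips.
    static string TryDeserialize(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings
        {
            // The weak configuration is simply leaving this unset on an older
            // library version; setting it makes the limit explicit everywhere.
            MaxDepth = maxDepth
        };
        try
        {
            JsonConvert.DeserializeObject<object>(json, settings);
            return "ok";
        }
        catch (JsonReaderException ex)
        {
            // Depth overrun surfaces as a normal parser error that the caller
            // can log and handle; the thread and process keep running.
            Console.WriteLine($"rejected: {ex.Message}");
            return "rejected";
        }
    }

    static void Main()
    {
        // Constructed inputs: a shallow, legitimate document and one nested
        // far past the configured limit.
        string shallow = "{\"a\":[1,2,{\"b\":3}]}";
        string deep = new string('[', 200) + new string(']', 200);

        Console.WriteLine(TryDeserialize(shallow, 64));
        Console.WriteLine(TryDeserialize(deep, 64));
    }
}
```

The same MaxDepth property exists on JsonTextReader and on JsonSerializer, so the limit can be enforced wherever untrusted JSON enters the application, not only at JsonConvert call sites.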
Critical Severity Vulnerabilities
CVE-2025-54918: Windows NTLM Elevation of Privilege
A critical flaw in Windows NTLM authentication could allow attackers to escalate privileges across a network. Microsoft notes that an authenticated attacker may elevate privileges over a network and, upon successful exploitation, could gain SYSTEM privileges. This vulnerability is particularly dangerous in enterprise environments with NTLM still in use.
CVE-2025-55226: Graphics Kernel RCE
Microsoft patched CVE-2025-55226, a remote code execution (RCE) flaw in the Windows Graphics Kernel. An authenticated attacker could exploit this issue to execute arbitrary code, potentially compromising the entire system. Given the widespread use of graphics components across Windows, this vulnerability carries significant risk.
CVE-2025-55228: Race Condition in Windows Graphics Component
Another RCE vulnerability, CVE-2025-55228, affects the Windows Graphics Component. Exploitation requires an attacker to successfully win a race condition, but if achieved, it enables remote code execution. Race conditions are notoriously difficult to defend against since they depend on precise timing during program execution.
CVE-2025-55236: DirectX Graphics Kernel RCE
The DirectX Graphics Kernel received a critical fix with CVE-2025-55236, another RCE vulnerability. Microsoft warns that successful exploitation would allow an attacker with authentication to execute code with elevated privileges, potentially paving the way for full system compromise.
CVE-2025-53799: Windows Imaging Component Information Disclosure
Rated critical for impact, CVE-2025-53799 involves the Windows Imaging Component. Use of an uninitialized resource may allow an unauthenticated attacker to disclose information locally. Upon successful exploitation, an attacker could read small portions of heap memory. While not enabling code execution, this flaw could leak sensitive data from memory.
CVE-2025-53800: Windows Graphics Component EoP
Another elevation of privilege issue, CVE-2025-53800, was patched in the Windows Graphics Component. Microsoft explains: “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” This raises the risk of attackers chaining the flaw with others for broader attacks.
CVE-2025-54910: Microsoft Office RCE
CVE-2025-54910 is a critical heap-based buffer overflow in Microsoft Office. The flaw allows an unauthenticated attacker to achieve RCE, potentially via maliciously crafted documents. Given Office’s ubiquity, this vulnerability poses a particularly high risk for widespread phishing campaigns.
CVE-2025-55224: Windows Hyper-V RCE
A critical remote code execution flaw in Windows Hyper-V, tracked as CVE-2025-55224, was also patched. If exploited, attackers could run arbitrary code on virtualized environments, threatening enterprise and cloud infrastructures heavily dependent on Hyper-V.
CVE-2025-54914: Azure Networking EoP
Finally, Microsoft patched CVE-2025-54914, an elevation of privilege vulnerability in Azure Networking. Exploitation could allow an attacker to escalate privileges in cloud-hosted environments, raising significant concerns for organizations running workloads in Azure.