Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities.

This Patch Tuesday also fixes nine "Critical" vulnerabilities, five of which are remote code execution vulnerabilities, 1 is information disclosure, and 2 are elevation of privileges.

The number of bugs in each vulnerability category is listed below:

• 41 Elevation of Privilege Vulnerabilities
• 2 Security Feature Bypass Vulnerabilities
• 22 Remote Code Execution Vulnerabilities
• 16 Information Disclosure Vulnerabilities
• 3 Denial of Service Vulnerabilities
• 1 Spoofing Vulnerabilities

When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday.

Therefore, the number of flaws does not include three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and 1 Xbox vulnerabilities fixed earlier this month.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5065426 & KB5065431 cumulative updates and the Windows 10 KB5065429 update.

Two publicly disclosed zero-days fixed

This month's Patch Tuesday fixes two publicly disclosed zero-day flaws in Windows SMB Server and Microsoft SQL Server. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The two publicly disclosed zero-days are:

CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability

Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.

"SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks," explains Microsoft.

Microsoft says that Windows already includes settings to harden the SMB Server against relay attacks, including enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA).

However, enabling these features could cause compatibility issues with older devices and implementations.

Microsoft recommends that admins enable auditing on SMB servers to determine if they will encounter any issues when those hardening features are fully enforced.

"As part of the Windows updates released on and after September 9, 2025 (CVE-2025-55234), support is enabled for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA," explains Microsoft.

Microsoft has not attributed the flaw to any researchers, and it is unclear where it was disclosed.

CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json

Microsoft has fixed a previously known vulnerability in Newtonsoft.Json that is included as part of Microsoft SQL Server.

"CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1," explains Microsoft.

"Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition."

"The documented SQL Server updates incorporate updates in Newtonsoft.Json which address this vulnerability."

This flaw was publicly disclosed in 2024.

Recent updates from other companies

Other vendors who released updates or advisories in September 2025 include:

• Adobe released security updates for a "SessionReaper" flaw impacting Magento eCommerce stores.
• Argo fixed an Argo CD vulnerability that allows low-privileged API tokens to access API endpoints and retrieve all repository credentials associated with the project.
• Cisco released patches for WebEx, Cisco ASA, and other products.
• Google released the September Android security updates that address a total of 84 vulnerabilities, including two actively exploited flaws.
• SAP released the September security updates for multiple products, including a fix for a maximum severity command execution bug in Netweaver.
• Sitecore released security updates for a zero day vulnerability tracked as CVE-2025-53690 that was actively exploited in attacks.
• TP-Link confirmed a new zero-day exists in some of its routers, with the company exploring its exploitability and is creating patches for US customers.

The September 2025 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the September 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.