Microsoft Patch Tuesday security updates for September 2025 fixed two zero-day flaws
Microsoft's September updates fix 80 vulnerabilities, including two zero-days and one critical remote code execution flaw. The two zero-days affect Windows SMB Server and the Newtonsoft.Json component used by SQL Server. The most severe is a remote code execution flaw in HPC Pack (CVSS 9.8) that could be used by a worm. Microsoft recommends mitigations to address these risks. 2025-9-10 07:48:55 Author: securityaffairs.com

Pierluigi Paganini September 10, 2025

Microsoft Patch Tuesday security updates for September 2025 fixed 80 vulnerabilities, including two publicly disclosed zero-day flaws.

Microsoft Patch Tuesday security updates for September 2025 addressed 80 vulnerabilities in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, Hyper-V, SQL Server, Defender Firewall Service, and Xbox (yup – Xbox!).

Eight of the flaws fixed by Microsoft are rated Critical in severity, and the rest are rated Important.

Two of these vulnerabilities are publicly disclosed zero-day flaws; neither had been seen exploited in the wild at the time of release. Microsoft's exploitability index rates every flaw in this month's batch as “Exploitation Less Likely” or “Exploitation Unlikely.”

The two publicly disclosed zero-days are CVE-2025-55234 (CVSS score of 8.8) and CVE-2024-21907 (CVSS score of 7.5).

CVE-2025-55234 is an elevation of privilege flaw in Windows SMB Server: when the server does not require signing, an attacker who captures or coerces a client's NTLM authentication can relay it to the server and act as that user. Microsoft advises enforcing SMB signing and Extended Protection for Authentication (EPA), while warning that both settings can break older clients and devices that cannot sign. The September 2025 updates add auditing so that administrators can identify such clients before turning enforcement on.

CVE-2024-21907, first disclosed in 2024, affects the Newtonsoft.Json library bundled with SQL Server: crafted input, such as deeply nested JSON, triggers a StackOverflow exception that crashes the process, a denial of service. Upstream the bug was fixed in Newtonsoft.Json 13.0.1, which caps nesting with a default MaxDepth of 64, and the SQL Server updates ship the patched library. Applications that bundle their own older copy of Newtonsoft.Json are not covered by the SQL Server update and need the library upgraded separately.
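The following PowerShell is an added example, not code from the article or from Microsoft. It reports the SMB Server settings that decide whether the relay scenario behind CVE-2025-55234 works against a host and, on request, enforces them. Get-SmbServerConfiguration and Set-SmbServerConfiguration ship with the SmbShare module on Windows 8 / Server 2012 and later. The SmbServerNameHardeningLevel setting (0 = off, 1 = accept, 2 = required) is SMB server SPN target-name validation, which exists only on Windows Server 2025 / Windows 11 24H2 and later; treating it as the EPA control the article refers to is this example's assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): audit and enforce the
# SMB Server settings that block NTLM relay against this host. Assumption:
# SmbServerNameHardeningLevel is the EPA-style control for SMB; it is absent
# on builds older than Windows Server 2025 / Windows 11 24H2.

function Get-SmbRelayPosture {
    $cfg = Get-SmbServerConfiguration
    $spnLevel = $null
    if ($cfg.PSObject.Properties.Name -contains 'SmbServerNameHardeningLevel') {
        $spnLevel = [int]$cfg.SmbServerNameHardeningLevel
    }
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        RequireSecuritySignature = [bool]$cfg.RequireSecuritySignature  # signing mandatory for every session
        EncryptData              = [bool]$cfg.EncryptData               # SMB3 encryption, also defeats relay
        SpnValidationLevel       = $spnLevel                            # $null: build has no SPN validation
    }
}

function Test-SmbRelayPosture {
    param($Posture = (Get-SmbRelayPosture))
    $findings = @()
    if (-not $Posture.RequireSecuritySignature -and -not $Posture.EncryptData) {
        $findings += 'Signing not required: relayed NTLM authentication is accepted by this server.'
    }
    if ($null -eq $Posture.SpnValidationLevel) {
        $findings += 'No SPN validation on this build: signing/encryption and the patch are the only controls.'
    } elseif ($Posture.SpnValidationLevel -lt 2) {
        $findings += "SPN validation level $($Posture.SpnValidationLevel): EPA-style target checking not enforced."
    }
    if ($findings.Count -eq 0) { $findings += 'OK: signing required and SPN validation enforced.' }
    return $findings
}

function Enable-SmbRelayHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(1, 2)] [int] $SpnLevel = 2)
    # Flip these only after the audit events added by the September 2025
    # updates show no clients that still cannot sign; requiring signing
    # cuts off devices that cannot.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require SMB signing')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    if ($null -ne (Get-SmbRelayPosture).SpnValidationLevel -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set SPN validation level $SpnLevel")) {
        Set-SmbServerConfiguration -SmbServerNameHardeningLevel $SpnLevel -Force
    }
    Test-SmbRelayPosture
}

# Usage:
#   Test-SmbRelayPosture                 # report only
#   Enable-SmbRelayHardening -WhatIf     # preview the changes
#   Enable-SmbRelayHardening             # enforce
```

Run the report first across a representative sample of servers; the -WhatIf switch shows what would change without touching the configuration. SMB3 encryption is treated as equivalent to signing because an encrypted session cannot be relayed either.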

The most severe flaw, tracked as CVE-2025-55232 (CVSS score of 9.8), is a Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability. It resides in Microsoft HPC Pack and allows remote, unauthenticated code execution without user interaction, making it potentially wormable. Microsoft urges deploying clusters in secure enclaves, blocking TCP port 5999, and prioritizing patching.
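The PowerShell below is an added example, not code from the article or from Microsoft. It implements the interim mitigation Microsoft names for CVE-2025-55232: keep TCP port 5999 unreachable from outside the cluster, or block it outright on hosts with no legitimate peer on that port. The NetSecurity cmdlets it uses are standard on Windows 8 / Server 2012 and later; the cluster subnet is a placeholder, and the port-filter match is exact (rules that open "Any" or a port range still need manual review).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): limit inbound TCP 5999
# on an HPC Pack host. Placeholder: 10.10.0.0/24 stands for the cluster subnet.

function Get-HpcPortExposure {
    param([int] $Port = 5999)
    # Listening endpoints on the port and the owning process, so the operator
    # can confirm the listener is HPC Pack and see which interfaces it binds.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress     # 0.0.0.0 or :: means every interface
                Port         = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

function Get-HpcPortRules {
    param([int] $Port = 5999)
    # Inbound rules whose port filter names the port exactly.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
}

function Limit-HpcPort {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]      $Port = 5999,
        [string[]] $ClusterSubnet = @('10.10.0.0/24'),   # placeholder
        [switch]   $BlockAll                             # host has no peer on the port
    )
    if ($BlockAll) {
        # An explicit Block rule wins over every Allow rule in Windows Firewall.
        $name = "CVE-2025-55232 block inbound TCP $Port"
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $name)) {
            $rule = @{
                DisplayName = $name; Direction = 'Inbound'; Action = 'Block'
                Protocol = 'TCP'; LocalPort = $Port; Profile = 'Any'
            }
            New-NetFirewallRule @rule | Out-Null
        }
        return
    }
    # Cluster node: keep the port reachable from cluster members only. With the
    # default inbound action of Block, narrowing the remote scope of every Allow
    # rule for the port to the cluster subnet blocks all other sources.
    foreach ($profile in Get-NetFirewallProfile) {
        if ($profile.DefaultInboundAction -eq 'Allow') {
            Write-Warning "Profile $($profile.Name) allows inbound traffic by default; scoping rules will not block outside sources."
        }
    }
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, "RemoteAddress -> $($ClusterSubnet -join ', ')")) {
                $_ | Set-NetFirewallRule -RemoteAddress $ClusterSubnet
            }
        }
}

# Usage:
#   Get-HpcPortExposure; Get-HpcPortRules          # what listens, which rules open it
#   Limit-HpcPort -ClusterSubnet '10.10.0.0/24'    # cluster node: scope to cluster
#   Limit-HpcPort -BlockAll                        # non-cluster host: block the port
```

Host firewall rules are a stopgap; the patch removes the flaw, and the enclave boundary (network ACLs, no route from user networks to the cluster) is where Microsoft's "secure enclave" advice is actually enforced.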

“An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.” reads the advisory published by Microsoft.

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)

Source: https://securityaffairs.com/182045/security/microsoft-patch-tuesday-security-updates-for-september-2025-fixed-two-zero-day-flaws.html