September Patch Tuesday handles 81 CVEs

.Microsoft on Tuesday announced 81 patches affecting 15 product families. Nine of the addressed issues are considered by Microsoft to be of Critical severity, and nine have a CVSS base score of 8.0 or higher — though, to be clear, they’re not the same nine issues. None are known to be under active exploit in the wild, though one Windows issue (CVE-2025-55234, affecting SMB) has been publicly disclosed.

At patch time, eight CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below. In addition, several CVEs not included in this month’s count, all but one affecting Edge, are already patched. We have included titles and CVEs for all of these in Appendix D, along with information on two patches this month for Adobe Reader, one Critical in severity.

We are as always including at the end of this post additional appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family. Another appendix covers advisory-style updates and the list of issues discussed in this month’s release materials but mitigated prior to the release, and another provides breakout of the patches affecting the various Windows Server platforms still in support.

By the numbers

• Total CVEs: 81
• Publicly disclosed: 1
• Exploit detected: 0
• Severity
  • Critical: 9
  • Important: 72
• Impact
  • Elevation of Privilege: 38
  • Remote Code Execution: 22
  • Information Disclosure: 15
  • Denial of Service: 3
  • Security Feature Bypass: 2
  • Spoofing: 1
• CVSS base score 9.0 or greater: 1
• CVSS base score 8.0 or greater: 9

Figure 1: Elevation of Privilege vulnerabilities outpace Remote Code Execution flaws for the third month in a row, but RCE issues once again account for more Critical-severity patches

Products

• Windows: 58
• 365: 13
• Office: 13
• Excel: 8
• SharePoint: 3
• Azure: 2
• SQL: 2
• Microsoft AutoUpdate (MAU) for Macintosh: 1
• Microsoft High Performance Compute Pack: 1
• Nuance PowerScribe: 1
• Office for Android: 1
• OfficePLUS: 1
• PowerPoint: 1
• Word: 1
• Xbox Gaming System: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa. (CVE-2025-54907, “Microsoft Office Visio Remote Code Execution Vulnerability,” is an excellent example of this for September; Visio does not appear in the list of products affected by this issue.)

OfficePLUS is an add-on to the usual Office suite. As such, Microsoft identifies it as being in its own product family. We’ve also chosen to list the sole Office for Android patch as existing in its own family as well; see below for discussion of this CVE.

Figure 2: Windows accounts for nearly three-quarters of the September patch set, which is perhaps less surprising than the appearance of Xbox in this roundup

Notable September updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-55234 — Windows SMB Elevation of Privilege Vulnerability

This authentication Elevation of Privilege issue in Windows’ Server Message Block protocol is the only vulnerability this month already known to be public, and Microsoft expects it to be more likely than most to be exploited within the next 30 days. That said, the SMB Server has multiple mechanisms for hardening against relay attacks such as this might allow, and the company directs concerned administrators’ attention to more information on those methods.

CVE-2025-55232 — Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability

This issue, which Microsoft assigns an Important severity but a CVSS Base score of 9.8, could potentially allow an attacker to accomplish remote code execution without user interaction. The problem involves port 5999, and the company recommends that users run their HPC Pack clusters in a trusted network secured by firewall rules especially for that TCP port, which is commonly enabled for remote management.

CVE-2025-53799 — Windows Imaging Component Information Disclosure Vulnerability

This Critical-severity Information Disclosure issue is, unusually, shared between Windows and Office for Android (but no other version of Office). The attacker would have to convince the target to open a maliciously constructed file, and would in return be able to read small portions of heap memory, making this likely to serve as a small part of a greater attack chain.

CVE-2025-54897 — Microsoft SharePoint Remote Code Execution Vulnerability

It’s kitten on the keys time again with the return to the MAPP finder roll of zcgonvh’s cat Vanilla, that fearsome hunter of SharePoint bugs. This month’s catch is an Important-severity RCE weighing in at a sturdy 8.8 CVSS Base score. Good kitty.

CVE-2025-54107, CVE-2025-54917 — MapUrlToZone Security Feature Bypass Vulnerability (two CVEs)

As Windows 10 enters its last month of mainstream support, these two identically named CVEs – brought to you by the letters I and E – remind us that the past is never dead; it’s not even past, at least if your operating system’s DNA includes bits from that long-retired browser. Both are Security Feature Bypass issues of Important severity. Forty-four of this month’s patches apply to Windows 10, including these two.

Figure 3: After three straight months of outpacing Remote Code Execution in the monthly tallies, Elevation of Privilege this month rises to the top of the 2025 bug count

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of September patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (38 CVEs)

Remote Code Execution (22 CVEs)

Information Disclosure (15 CVEs)

Denial of Service (3 CVEs)

Security Feature Bypass (2 CVEs)

Spoofing (1 CVE)

Appendix B: Exploitability and CVSS

This is a list of the September CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. Since none of the September issues are known to be already exploited in the wild, that list does not appear this month. The list is arranged by CVE.

This is a list of September CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of September’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (58 CVEs)

365 (13 CVEs)

Office (13 CVEs)

Excel (8 CVEs)

SharePoint (3 CVEs)

Azure (2 CVEs)

SQL (2 CVEs)

Microsoft AutoUpdate (MAU) for Mac (1 CVE)

Microsoft High Performance Compute Pack (1 CVE)

Nuance PowerScribe (1 CVE)

Office for Android (1 CVE)

OfficePLUS (1 CVE)

PowerPoint (1 CVE)

Word (1 CVE)

Xbox (1 CVE)

Appendix D: Advisories and Other Products

There are 5 Edge-related advisories in September’s release, all but one of which originated outside Microsoft.

This month also includes the periodic Servicing Stack Updates, ADV990001.

Microsoft also included in this month’s release information on CVE-2024-21907 (VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json), which addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1. The CVE for this flaw was issued by VulnCheck, but the SQL patches from Microsoft this month also touch on this vulnerability, so Microsoft included advisory information on the issue in the release. This CVE does not figure into any of our tallies this month.

There were two Adobe Reader advisories included in the September release, both affecting versions 25.001.20521, 24.001.30235, 20.005.30763 and earlier.

Appendix E: Affected Windows Server versions

This is a table of the 58 CVEs in the September release affecting Windows Server versions 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.