SOCRadar® Cyber Intelligence Inc. | September 2025 Patch Tuesday: 2 Zero-Days (CVE-2025-55234 & CVE-2024-21907), 81 Microsoft Flaws
Sep 10, 2025

September 2025 Patch Tuesday: 2 Zero-Days (CVE-2025-55234 & CVE-2024-21907), 81 Microsoft Flaws

Microsoft has released its September 2025 Patch Tuesday updates, addressing 81 vulnerabilities across its ecosystem, eight of which are rated critical. Two zero-day vulnerabilities have also been highlighted this month – one affecting Microsoft’s SMB protocol and another involving a third-party library used in SQL Server.

This month’s vulnerabilities span a wide array of categories:

  • 38 Elevation of Privilege (EoP)
  • 22 Remote Code Execution (RCE)
  • 14 Information Disclosure
  • 3 Denial-of-Service (DoS)
  • 3 Security Feature Bypass
  • 1 Spoofing

Vulnerabilities fixed in September 2025 Patch Tuesday

Alongside its core updates, Microsoft has republished five non-Microsoft CVEs. Notably, one of these, CVE-2024-21907, is one of this month’s zero-day vulnerabilities.

With a substantial number of privilege escalation and RCE flaws in this month’s release, organizations are strongly urged to prioritize patching efforts, especially for vulnerabilities with high exploitability. This article breaks down the most pressing issues from this month’s updates, starting with the two zero-day vulnerabilities, followed by other critical flaws that defenders should address without delay.

Microsoft Fixes Two Public Zero-Day Vulnerabilities

This month’s Patch Tuesday includes two publicly disclosed zero-day vulnerabilities, both of which were known prior to Microsoft’s release. While neither is currently under active exploitation, their public status makes them higher-risk for opportunistic attacks, especially in unpatched systems.

The two vulnerabilities are:

  • CVE-2025-55234 – A privilege escalation flaw in the Windows SMB protocol, which can be exploited via relay attacks.
  • CVE-2024-21907 – A Denial-of-Service (DoS) issue in Newtonsoft.Json, a popular third-party JSON library used in Microsoft SQL Server and other .NET applications.

CVE-2025-55234 (CVSS 8.8)

This vulnerability affects the Server Message Block (SMB) protocol and enables attackers to perform relay attacks that may lead to elevated privileges. Microsoft warns that systems that have not been properly hardened, particularly those without SMB Server Signing or Extended Protection for Authentication (EPA), may be exposed.

Although these protections are available, enabling them can introduce compatibility issues with older devices. To assess compatibility before enforcing SMB hardening, organizations can use the new audit capabilities introduced in the September 2025 updates.
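The following PowerShell is an added example, not part of the SOCRadar post, showing how a defender can report the SMB signing state the advisory refers to and, after a compatibility review, require it; it uses the built-in SmbShare cmdlets, run elevated on the SMB server, and treats the SMB server SPN validation level as the server-side EPA control (an assumption).

```powershell
# Added example: report SMB relay-hardening state and optionally require signing.
function Get-SmbHardeningState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningRequired = $srv.RequireSecuritySignature
        ServerSigningEnabled  = $srv.EnableSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        # SPN target-name validation: 0 = off, 1 = accept if present, 2 = required.
        # Treated here as the server-side EPA control (assumption).
        SpnValidationLevel    = $srv.SmbServerNameHardeningLevel
    }
}

function Enable-SmbSigning {
    # Require message signing on both the server and client side of this host.
    # Use -WhatIf first; unsigned legacy clients will lose access once enforced.
    param([switch]$WhatIf)
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force -WhatIf:$WhatIf
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force -WhatIf:$WhatIf
}

$state = Get-SmbHardeningState
$state | Format-List

if (-not $state.ServerSigningRequired) {
    Write-Warning 'SMB server signing is not required on this host (see CVE-2025-55234).'
    # Review the SMB server audit log for clients that would break before enforcing.
    # Assumption: the new audit events are written to this existing channel.
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
    # When satisfied: Enable-SmbSigning
}
```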

Details of CVE-2025-55234 (SOCRadar Labs CVE Radar), September 2025 Patch Tuesday

CVE-2024-21907 (CVSS 7.5)

This flaw affects versions of Newtonsoft.Json prior to 13.0.1 and stems from improper exception handling. Microsoft has identified that SQL Server deployments using the affected library are vulnerable.

An attacker can trigger a StackOverflowException by passing malicious input to the JsonConvert.DeserializeObject method, causing the application to crash. Because this vulnerability is exploitable remotely and without authentication, it presents a risk to systems that expose APIs or process user-supplied JSON data.
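As an added example, not code from the post or from Newtonsoft.Json, the PowerShell below rejects user-supplied JSON whose nesting depth exceeds a limit before a deserializer recurses into it, mirroring the MaxDepth default of 64 that Newtonsoft.Json 13.0.1 introduced; the final part assumes PowerShell 7, whose bundled Newtonsoft.Json assembly is already loaded, and shows that setting MaxDepth explicitly also caps older library versions.

```powershell
# Added example: pre-parse nesting-depth guard for untrusted JSON (CVE-2024-21907).
function Test-JsonDepth {
    param(
        [Parameter(Mandatory)][string]$Json,
        [int]$MaxDepth = 64
    )
    $depth = 0; $inString = $false; $escaped = $false
    foreach ($ch in $Json.ToCharArray()) {
        if ($inString) {
            # Brackets inside string literals do not open containers; honour escapes.
            if ($escaped)        { $escaped = $false }
            elseif ($ch -eq '\') { $escaped = $true }
            elseif ($ch -eq '"') { $inString = $false }
            continue
        }
        switch ($ch) {
            '"' { $inString = $true }
            { $_ -eq '[' -or $_ -eq '{' } {
                $depth++
                if ($depth -gt $MaxDepth) { return $false }
            }
            { $_ -eq ']' -or $_ -eq '}' } { $depth-- }
        }
    }
    return $true
}

# Constructed inputs: an ordinary document and one nested 200 levels deep.
$ok  = '{"user":"alice","tags":["a","b"],"note":"[not a bracket]"}'
$bad = ('[' * 200) + (']' * 200)

Test-JsonDepth -Json $ok            # passes the guard
Test-JsonDepth -Json $bad           # rejected before any parser recursion

# Explicit MaxDepth on the serializer settings caps library versions before 13.0.1,
# which defaulted to unlimited depth (assumption: Newtonsoft.Json assembly is loaded).
$settings = [Newtonsoft.Json.JsonSerializerSettings]::new()
$settings.MaxDepth = 64
try {
    [Newtonsoft.Json.JsonConvert]::DeserializeObject($bad, $settings) | Out-Null
}
catch [Newtonsoft.Json.JsonReaderException] {
    Write-Warning "Rejected by MaxDepth: $($_.Exception.Message)"
}
```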

Details of CVE-2024-21907 (SOCRadar Labs CVE Radar), September 2025 Patch Tuesday

Smarter Patch Prioritization with SOCRadar XTI

When new vulnerabilities are disclosed, knowing which ones to fix first is half the battle. SOCRadar’s Vulnerability Intelligence, part of its Cyber Threat Intelligence module, provides real-time insights to help security teams identify, prioritize, and respond to newly disclosed vulnerabilities.

Vulnerability Intelligence (SOCRadar Cyber Threat Intelligence)

With SOCRadar, you can:

  • Filter CVEs by vendor, product, and severity.
  • Prioritize based on exploit likelihood and business impact.
  • Track vulnerability lifecycles for proactive mitigation.

By integrating these tools into your workflow, you will reduce risk exposure and strengthen your overall security posture.

What Critical Vulnerabilities Did Microsoft Patch in September 2025 Patch Tuesday?

Beyond the two publicly disclosed zero-days, this month’s Patch Tuesday also includes eight vulnerabilities rated as Critical by Microsoft. These flaws affect core components such as NTLM, Microsoft Office, Hyper-V, and various Windows graphics subsystems.

If exploited, many of these issues could allow attackers to escalate privileges, execute remote code, or access sensitive information.

  • CVE-2025-54918 (CVSS 8.8) – Windows NTLM Elevation of Privilege Vulnerability
  • CVE-2025-54910 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-53800 (CVSS 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability
  • CVE-2025-55224 (CVSS 7.8) – Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2025-55228 (CVSS 7.8) – Windows Graphics Component Remote Code Execution Vulnerability
  • CVE-2025-55236 (CVSS 7.3) – Graphics Kernel Remote Code Execution Vulnerability
  • CVE-2025-55226 (CVSS 6.7) – Graphics Kernel Remote Code Execution Vulnerability
  • CVE-2025-53799 (CVSS 5.5) – Windows Imaging Component Information Disclosure Vulnerability

Which Vulnerabilities Are Most Likely to Be Exploited?

In addition to the critical fixes, Microsoft has marked several vulnerabilities in this month’s release as “more likely to be exploited”. These flaws are particularly concerning because there are no official workarounds available, increasing the urgency of applying updates.

Among the high-risk vulnerabilities flagged are:

  • CVE-2025-54110 (CVSS 8.8) – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2025-54916 (CVSS 7.8) – Windows NTFS Remote Code Execution Vulnerability
  • CVE-2025-54098 (CVSS 7.8) – Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2025-54093 (CVSS 7.0) – Windows TCP/IP Driver Elevation of Privilege Vulnerability
  • CVE-2025-53803 (CVSS 5.5) – Windows Kernel Memory Information Disclosure Vulnerability
  • CVE-2025-53804 (CVSS 5.5) – Windows Kernel-Mode Driver Information Disclosure Vulnerability

It’s worth noting that CVE-2025-54918 and the previously discussed CVE-2025-55234 zero-day vulnerability are also included in this “more likely to be exploited” category. Given the risks, organizations should test and deploy these patches as soon as possible.

How to Strengthen Your Security Posture

With a mix of critical, high-risk, and publicly known vulnerabilities, the September 2025 Patch Tuesday represents another high-priority update cycle. Delaying patch deployment could leave systems exposed to opportunistic attacks, especially in environments with internet-facing or legacy assets.

You can review the full list of addressed CVEs in Microsoft’s official release notes.

Company Vulnerabilities (SOCRadar Attack Surface Management)

To go beyond patching, organizations should also maintain continuous visibility into their exposed assets and attack surface. SOCRadar’s Attack Surface Management (ASM) module supports this effort by:

  • Monitoring open ports and publicly exposed services
  • Identifying unpatched systems and third-party software risks
  • Alerting on misconfigurations and exploitable weak points

By combining patch deployment with ASM monitoring, security teams can stay one step ahead of attackers and reduce the window of exposure across their digital environment.

Additional Updates: CVE-2025-42944 & Other Critical SAP Vulnerabilities Also Patched This Month

Alongside Microsoft’s September 2025 security updates, SAP has also published several high-impact patches that deserve attention, particularly for organizations running NetWeaver and S/4HANA systems.

The most severe issue is CVE-2025-42944 (CVSS 10.0), which could allow unauthenticated attackers to remotely execute OS-level commands by sending crafted input to exposed services using the RMI-P4 protocol.

Details of CVE-2025-42944 (SOCRadar Labs CVE Radar)

Other notable NetWeaver vulnerabilities include:

  • CVE-2025-42922 (CVSS 9.9): Permits file uploads by authenticated but non-admin users, introducing a risk of unauthorized code execution or system manipulation.
  • CVE-2025-42958 (CVSS 9.1): Impacts IBM i-series instances of NetWeaver, where missing authentication checks could expose administrative functions and sensitive data.

While none of these vulnerabilities are currently confirmed to be exploited in the wild, their severity and potential impact make them a top priority for SAP customers. SAP recommends applying the patches immediately and, where applicable, using P4 port filtering as a temporary defense for systems exposed to CVE-2025-42944.