Patch Tuesday September 2025: What’s new for Windows, Office and SQL Server

Last updated: 09/13/2025
  • One publicly disclosed zero-day fixed in Windows SMB (CVE-2025-55234); no active exploitation reported.
  • Windows receives major fixes across NTLM, Graphics/Win32K and Hyper-V; Office patches include a Critical RCE (CVE-2025-54910).
  • SQL Server updates address EoP and information disclosure, plus guidance around the Newtonsoft.Json DoS advisory.
  • Focus your rollout on SMB, NTLM, Office RCE and SQL EoP; enable SMB signing/EPA and plan Windows 10 end-of-support moves.

Patch Tuesday September 2025

Microsoft’s September 2025 Patch Tuesday rolls out comprehensive updates focused on Windows, Microsoft Office and SQL Server. In total, Microsoft documents 81 CVEs this month, with Windows carrying the bulk of the work, Office receiving multiple app-specific fixes, and SQL Server getting targeted security updates.

Importantly, this release includes a single publicly disclosed Windows issue in SMB (CVE-2025-55234) and, at publication time, none of the addressed flaws were known to be under active exploitation. Vulnerabilities this month are primarily rated Important, with nine noted as Critical in Microsoft’s severity scheme.

By the numbers: scope limited to Windows, Office and SQL Server

Focusing strictly on the products in scope, Microsoft lists Windows (58 CVEs), Office (13 CVEs) and the SQL Server platform (2 CVEs) among the affected families for September 2025. These counts reflect issues directly touching the desktop/server OS, Office applications (including Excel, Word, PowerPoint and SharePoint), and the SQL Server platform.

While other Microsoft services also received fixes this month, the breakdown above captures what Windows, Office and SQL admins need first when prioritizing deployment across estates that depend on these core products.

Windows highlights: SMB zero-day, NTLM, Graphics/Win32K and Hyper-V


The headline item for Windows is CVE-2025-55234, an Elevation of Privilege flaw in SMB with a CVSS base score of 8.8. It has been publicly disclosed and Microsoft rates exploitation as more likely. The risk centers on relay attacks against SMB servers that do not require signing or Extended Protection for Authentication (EPA); Microsoft points administrators to enabling SMB signing and EPA where feasible. Both are enforcement settings, so audit which clients still connect unsigned before turning them on, because clients that cannot sign will be refused once signing is required.

Also noteworthy is the Critical NTLM issue CVE-2025-54918 (CVSS 8.8), which could allow an authenticated remote attacker to elevate to SYSTEM due to weaknesses in authentication. Although not publicly disclosed at release time, Microsoft flags this as more likely to be exploited, so it deserves early attention in patch sequencing.

Windows Graphics/Win32K and related components receive several significant fixes, including CVE-2025-55228 (RCE), CVE-2025-55226 (RCE) and CVE-2025-55236 (RCE). These are rooted in race conditions and use-after-free or type confusion scenarios that could allow arbitrary code execution from low-privilege contexts. In environments using virtualization, take note that exploitation paths may enable guest-to-host impact if other preconditions are met.

For virtualization specifically, CVE-2025-55224 addresses a Windows Hyper-V RCE tied to Graphics/Win32K behaviors. Although exploitation is considered less likely, administrators running virtualization hosts should still prioritize this alongside the broader Graphics fixes because of potential boundary escapes.

Further Windows items to keep on your radar include CVE-2025-54101 (SMB client/server RCE, Important), CVE-2025-54916 (NTFS RCE, marked as more likely to be exploited), and CVE-2025-53799 (Windows Imaging Component information disclosure, Critical severity rating with user interaction required). Microsoft also ships Important-rated bypass or disclosure fixes such as MapUrlToZone security feature bypasses (CVE-2025-54107, CVE-2025-54917) and kernel information exposure (CVE-2025-53803, CVE-2025-53804), some of which are more likely to be exploited according to Microsoft’s guidance.

Office updates you should prioritize

On the Office side, a key fix is CVE-2025-54910, a Critical remote code execution vulnerability that may be triggered via the Preview Pane under certain conditions. The attack complexity is low and exploitation does not require privileges, so patching this across user endpoints should be scheduled promptly.

Multiple Excel vulnerabilities are addressed this month, all rated Important for remote code execution (CVE-2025-54896, CVE-2025-54898, CVE-2025-54899, CVE-2025-54900, CVE-2025-54902, CVE-2025-54903, CVE-2025-54904), plus an information disclosure issue (CVE-2025-54901). Standard hardening advice still applies: maintain Protected View defaults, limit macro execution, and educate users to avoid opening unexpected files.
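The hardening advice above (Protected View on, macros restricted) maps to documented Office policy registry values. The following PowerShell script is an added example, not part of the original article, that reports drift from those values for Excel, Word and PowerPoint and optionally enforces them. It assumes a 16.0 Office hive (Office 2016 and later, including Microsoft 365 Apps) and writes per-user Policies keys, so in a managed estate the same values would normally be pushed by Group Policy or Intune instead.

```powershell
# Added example (not from the original article): audit and enforce Office
# macro and Protected View policy for the apps patched this month.
# Assumptions: Office 2016/2019/2021/365 (registry hive "16.0"); values are
# written under HKCU\Software\Policies, so run per user or deploy via GPO/Intune.
$apps       = 'Excel', 'Word', 'PowerPoint'
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Desired state, using Microsoft's documented policy value names:
#   VBAWarnings 3 = macros disabled except digitally signed (4 = all disabled, no notification)
#   BlockContentExecutionFromInternet 1 = block macros in files carrying Mark of the Web
#   Disable*InPV 0 = keep Protected View for Internet files, attachments and unsafe locations
#   ("DisableAttachementsInPV" is spelled that way by Microsoft)
$desired = @{
    'Security'               = @{ VBAWarnings = 3; BlockContentExecutionFromInternet = 1 }
    'Security\ProtectedView' = @{ DisableInternetFilesInPV = 0; DisableAttachementsInPV = 0; DisableUnsafeLocationsInPV = 0 }
}

function Test-OfficePolicy {
    param([switch]$Enforce)
    $drift = @()
    foreach ($app in $apps) {
        foreach ($subKey in $desired.Keys) {
            $path = Join-Path $policyRoot "$app\$subKey"
            foreach ($name in $desired[$subKey].Keys) {
                $want = $desired[$subKey][$name]
                # Missing key or value reads as $null, which never equals the expected DWORD.
                $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
                if ($have -ne $want) {
                    $drift += [pscustomobject]@{ App = $app; Setting = "$subKey\$name"; Current = $have; Expected = $want }
                    if ($Enforce) {
                        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                        Set-ItemProperty -Path $path -Name $name -Value $want -Type DWord
                    }
                }
            }
        }
    }
    return $drift
}

# Report only; add -Enforce to write the missing or wrong values.
Test-OfficePolicy | Format-Table -AutoSize
```

Run it without `-Enforce` first: an empty table means every value already matches. The script only touches the three values per app that the article's advice covers; a Preview Pane trigger such as the one described for CVE-2025-54910 is not stopped by macro policy, so the patch itself remains the fix for that case.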

Admins should also note Office-adjacent fixes like CVE-2025-54897 (SharePoint RCE, CVSS 8.8, Important) and CVE-2025-54908 (PowerPoint RCE, Important). There’s additionally an OfficePlus spoofing patch, CVE-2025-55243 (Important), to reduce social engineering risk in document trust surfaces.

SQL Server: EoP, info disclosure and Newtonsoft.Json advisory

SQL Server receives two product fixes this month: CVE-2025-55227 (Elevation of Privilege, Important, CVSS 8.8, one of the higher-scored items this cycle) and CVE-2025-47997 (information disclosure, Important). Both target server-side components, including stored procedures, in supported releases of SQL Server.

Alongside these, Microsoft references the previously disclosed Newtonsoft.Json CVE-2024-21907 (denial of service: deeply nested JSON drives JsonConvert.DeserializeObject into a StackOverflow exception) as advisory material connected to this month's SQL updates. The vulnerability is publicly known and considered less likely to be exploited, but administrators should ensure affected components are updated to versions that ship Newtonsoft.Json 13.0.1 or later, the first release with the fix, where applicable.
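Because Newtonsoft.Json ships inside many products rather than as a standalone install, the practical check is to find every copy of the DLL and compare its file version with 13.0.1. The script below is an added example, not from the original article or from Microsoft; the default `$Root` (the SQL Server program directory) is an assumption and should be widened to wherever your application binaries live.

```powershell
# Added example (not from the original article): locate Newtonsoft.Json.dll
# copies under a root and flag those older than 13.0.1 (CVE-2024-21907 fix).
# Assumption: $Root is where the SQL Server tooling / app binaries live.
param([string]$Root = "$env:ProgramFiles\Microsoft SQL Server")

$fixedVersion = [version]'13.0.1'

function Get-NewtonsoftJsonStatus {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter 'Newtonsoft.Json.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            # FileVersion is the binary's real version (e.g. 12.0.3.23909); strip any suffix
            # such as "-beta" before parsing. A missing version is reported, not guessed.
            $raw = $info.FileVersion -replace '[^\d.].*$', ''
            $ver = if ($raw) { [version]$raw } else { $null }
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Vulnerable = if ($ver) { $ver -lt $fixedVersion } else { 'unknown' }
            }
        }
}

$results = Get-NewtonsoftJsonStatus -Path $Root
$results | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
# Non-zero exit so a scheduled task or CI job can fail on any vulnerable or unknown copy.
if ($results | Where-Object { $_.Vulnerable -ne $false }) { exit 1 }
```

A DLL older than 13.0.1 is only exploitable where untrusted JSON reaches `DeserializeObject`, so treat the list as a work queue for vendor updates rather than as confirmed exposure; equally, a 13.0.1+ copy is not proof that the owning product set a sensible `MaxDepth` for its own parsers.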

Prioritization, hardening and rollout tips

Given the breadth of changes, a pragmatic plan is to fast-track Windows SMB (CVE-2025-55234), NTLM (CVE-2025-54918), Graphics/Win32K and Hyper-V on servers and VDI hosts, while concurrently pushing the Office Critical RCE (CVE-2025-54910) and the SQL Server EoP (CVE-2025-55227) to production in aligned maintenance windows.

Where patching may be delayed on specific assets, enable or verify SMB signing and EPA to blunt relay attacks (audit first: requiring signing disconnects clients that cannot sign), review NTLM policies to reduce legacy exposure, and apply least privilege and network segmentation around file-sharing and virtualization tiers. For HPC Pack deployments running on Windows infrastructure, follow Microsoft's guidance to restrict management ports to trusted networks and adjust firewall rules accordingly.
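The relay mitigations recommended for CVE-2025-55234 and the NTLM review suggested for CVE-2025-54918 can be checked and applied from one elevated PowerShell session. The script below is an added example, not part of the original article or Microsoft's own tooling. It assumes: the built-in `SmbShare` cmdlets; that `-SmbServerNameHardeningLevel` (SMB server SPN validation, the SMB form of EPA) exists only on Windows 11 24H2 / Windows Server 2025 and later, so it is skipped where absent; and the documented `Lsa` and `MSV1_0` registry values for NTLM policy. Without `-Enforce` it only reports.

```powershell
# Added example (not from the original article): audit and optionally enforce
# SMB signing, SMB server SPN validation (EPA) and NTLM audit policy.
# Assumptions: run elevated; -SmbServerNameHardeningLevel is only present on
# Windows 11 24H2 / Server 2025+, so it is skipped on older builds; NTLM values
# are the documented Lsa\MSV1_0 policy registry values. Enforcement breaks
# clients that cannot sign, so run the audit (no -Enforce) first.
param([switch]$Enforce)

function Get-RelayHardeningState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SmbServerRequireSigning = $srv.RequireSecuritySignature
        SmbClientRequireSigning = $cli.RequireSecuritySignature
        SmbServerEncryptData    = $srv.EncryptData
        # 0 = off, 1 = validate SPN when the client sends one, 2 = require a valid SPN
        SmbServerNameHardening  = $srv.SmbServerNameHardeningLevel
        # 5 = send NTLMv2 only, refuse LM and NTLMv1
        LmCompatibilityLevel    = $lsa.LmCompatibilityLevel
        # 1 = audit outbound NTLM, 2 = deny outbound NTLM
        RestrictSendingNTLM     = $msv.RestrictSendingNTLMTraffic
        # 2 = audit all inbound NTLM authentication (events in Applications and Services\Microsoft\Windows\NTLM)
        AuditReceivingNTLM      = $msv.AuditReceivingNTLMTraffic
    }
}

function Set-RelayHardening {
    # Signing in both directions: a relay target that refuses unsigned sessions cannot be relayed to.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # SPN validation on the SMB server; guarded because older builds lack the switch.
    if ((Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('SmbServerNameHardeningLevel')) {
        Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force
    }
    # NTLM: refuse LM/NTLMv1 and audit what still uses NTLM before moving to deny.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msvPath = Join-Path $lsaPath 'MSV1_0'
    Set-ItemProperty $lsaPath -Name LmCompatibilityLevel      -Value 5 -Type DWord
    Set-ItemProperty $msvPath -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    Set-ItemProperty $msvPath -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

$before = Get-RelayHardeningState
$before | Format-List
if ($Enforce) {
    Set-RelayHardening
    Get-RelayHardeningState | Format-List
}
# Client-side spot check: Signed (and ideally Encrypted) should be True on every live connection.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted | Format-Table -AutoSize
```

Leave the NTLM settings at audit (1 / 2) for at least one business cycle and review the NTLM operational log before raising `RestrictSendingNTLMTraffic` to deny; printers, NAS appliances and older line-of-business apps are the usual holdouts that both the signing and the NTLM changes will surface.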

One more operational note: Microsoft ends support for Windows 10 on October 14, 2025. If you still rely on Windows 10 systems in regulated or high-risk environments, use this month's cycle to reaffirm upgrade timelines so those devices continue receiving security updates for issues like the ones addressed here.

This month’s Patch Tuesday for Windows, Office and SQL Server balances one publicly disclosed SMB flaw with a wide slate of Important- and Critical-rated fixes; the practical play is to prioritize SMB, NTLM, Graphics/Win32K, Hyper-V, the Office Preview Pane RCE and SQL Server EoP, while applying hardening such as SMB signing/EPA and revisiting OS lifecycle plans to keep core platforms protected.
