September Patch Tuesday handles 81 CVEs – Sophos Information

.Microsoft on Tuesday introduced 81 patches affecting 15 product households. 9 of the addressed points are thought of by Microsoft to be of Essential severity, and 9 have a CVSS base rating of 8.0 or greater — although, to be clear, they’re not the identical 9 points. None are identified to be beneath lively exploit within the wild, although one Home windows difficulty (CVE-2025-55234, affecting SMB) has been publicly disclosed.  

At patch time, eight CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. Numerous of this month’s points are amenable to direct detection by Sophos protections, and we embody info on these in a desk under. As well as, a number of CVEs not included on this month’s depend, all however one affecting Edge, are already patched. We have now included titles and CVEs for all of those in Appendix D, together with info on two patches this month for Adobe Reader, one Essential in severity. 

We’re as at all times together with on the finish of this put up further appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household. One other appendix covers advisory-style updates and the checklist of points mentioned on this month’s launch supplies however mitigated previous to the discharge, and one other offers breakout of the patches affecting the assorted Home windows Server platforms nonetheless in assist.  

By the numbers 

• Whole CVEs: 81
• Publicly disclosed: 1
• Exploit detected: 0
• Severity
  • Essential: 9
  • Essential: 72
• Influence
  • Elevation of Privilege: 38
  • Distant Code Execution: 22
  • Data Disclosure: 15
  • Denial of Service: 3
  • Safety Characteristic Bypass: 2
  • Spoofing: 1
• CVSS base rating 9.0 or higher: 1
• CVSS base rating 8.0 or higher: 9

Determine 1: Elevation of Privilege vulnerabilities outpace Distant Code Execution flaws for the third month in a row, however RCE points as soon as once more account for extra Essential-severity patches 

Merchandise 

• Home windows: 58
• 365: 13
• Workplace: 13
• Excel: 8
• SharePoint: 3
• Azure: 2
• SQL: 2
• Microsoft AutoUpdate (MAU) for Macintosh: 1
• Microsoft Excessive Efficiency Compute Pack: 1
• Nuance PowerScribe: 1
• Workplace for Android: 1
• OfficePLUS: 1
• PowerPoint: 1
• Phrase: 1
• Xbox Gaming System: 1

As is our customized for this checklist, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on. We word, by the way in which, that CVE names don’t at all times mirror affected product households carefully. Specifically, some CVEs names within the Workplace household might point out merchandise that don’t seem within the checklist of merchandise affected by the CVE, and vice versa. (CVE-2025-54907, “Microsoft Workplace Visio Distant Code Execution Vulnerability,” is a superb instance of this for September; Visio doesn’t seem within the checklist of merchandise affected by this difficulty.) 

OfficePLUS is an add-on to the same old Workplace suite. As such, Microsoft identifies it as being in its personal product household. We’ve additionally chosen to checklist the only real Workplace for Android patch as present in its family as properly; see under for dialogue of this CVE.

Determine 2: Home windows accounts for practically three-quarters of the September patch set, which is probably much less stunning than the looks of Xbox on this roundup 

Notable September updates 

Along with the problems mentioned above, quite a lot of particular objects advantage consideration.  

CVE-2025-55234 — Home windows SMB Elevation of Privilege Vulnerability 

This authentication Elevation of Privilege difficulty in Home windows’ Server Message Block protocol is the one vulnerability this month already identified to be public, and Microsoft expects it to be extra possible than most to be exploited inside the subsequent 30 days. That stated, the SMB Server has a number of mechanisms for hardening towards relay assaults resembling this would possibly permit, and the corporate directs involved directors’ consideration to extra info on these strategies.  

CVE-2025-55232 — Microsoft Excessive Efficiency Compute (HPC) Pack Distant Code Execution Vulnerability 

This difficulty, which Microsoft assigns an Essential severity however a CVSS Base rating of 9.8, might probably permit an attacker to perform distant code execution with out consumer interplay. The issue includes port 5999, and the corporate recommends that customers run their HPC Pack clusters in a trusted community secured by firewall guidelines particularly for that TCP port, which is often enabled for distant administration. 

CVE-2025-53799 — Home windows Imaging Element Data Disclosure Vulnerability 

This Essential-severity Data Disclosure difficulty is, unusually, shared between Home windows and Workplace for Android (however no different model of Workplace). The attacker must persuade the goal to open a maliciously constructed file, and would in return be capable to learn small parts of heap reminiscence, making this prone to function a small a part of a higher assault chain. 

CVE-2025-54897 — Microsoft SharePoint Distant Code Execution Vulnerability 

It’s kitten on the keys time once more with the return to the MAPP finder roll of zcgonvh’s cat Vanilla, that fearsome hunter of SharePoint bugs. This month’s catch is an Essential-severity RCE weighing in at a sturdy 8.8 CVSS Base rating. Good kitty. 

CVE-2025-54107, CVE-2025-54917  — MapUrlToZone Safety Characteristic Bypass Vulnerability (two CVEs) 

As Home windows 10 enters its final month of mainstream assist, these two identically named CVEs – dropped at you by the letters I and E – remind us that the previous is rarely lifeless; it’s not even previous, at the least in case your working system’s DNA consists of bits from that long-retired browser. Each are Safety Characteristic Bypass problems with Essential severity. Forty-four of this month’s patches apply to Home windows 10, together with these two. 

Determine 3: After three straight months of outpacing Distant Code Execution within the month-to-month tallies, Elevation of Privilege this month rises to the highest of the 2025 bug depend 

Sophos protections 

As you possibly can each month, should you don’t need to wait to your system to drag down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal to your particular system’s structure and construct quantity. 

Appendix A: Vulnerability Influence and Severity 

This can be a checklist of September patches sorted by affect, then sub-sorted by severity. Every checklist is additional organized by CVE.  

Elevation of Privilege (38 CVEs) 

Distant Code Execution (22 CVEs) 

Data Disclosure (15 CVEs) 

Denial of Service (3 CVEs) 

Safety Characteristic Bypass (2 CVEs) 

Spoofing (1 CVE) 

Appendix B: Exploitability and CVSS 

This can be a checklist of the September CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. Since not one of the September points are identified to be already exploited within the wild, that checklist doesn’t seem this month. The checklist is organized by CVE.  

This can be a checklist of September CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or greater. They’re organized by rating and additional sorted by CVE. For extra info on how CVSS works, please see our sequence on patch prioritization schema.  

Appendix C: Merchandise Affected 

This can be a checklist of September’s patches sorted by product household, then sub-sorted by severity. Every checklist is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Sure points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made out there by Microsoft; for additional info on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft. 

Home windows (58 CVEs) 

365 (13 CVEs) 

Workplace (13 CVEs) 

Excel (8 CVEs) 

SharePoint (3 CVEs) 

Azure (2 CVEs) 

SQL (2 CVEs) 

Microsoft AutoUpdate (MAU) for Mac (1 CVE) 

Microsoft Excessive Efficiency Compute Pack (1 CVE) 

Nuance PowerScribe (1 CVE) 

Workplace for Android (1 CVE) 

OfficePLUS (1 CVE) 

PowerPoint (1 CVE) 

Phrase (1 CVE) 

Xbox (1 CVE) 

Appendix D: Advisories and Different Merchandise 

There are 5 Edge-related advisories in September’s launch, all however one in all which originated outdoors Microsoft. 

This month additionally consists of the periodic Servicing Stack Updates, ADV990001. 

Microsoft additionally included on this month’s launch info on CVE-2024-21907 (VulnCheck: CVE-2024-21907 Improper Dealing with of Distinctive Situations in Newtonsoft.Json), which addresses a mishandling of remarkable circumstances vulnerability in Newtonsoft.Json earlier than model 13.0.1. The CVE for this flaw was issued by VulnCheck, however the SQL patches from Microsoft this month additionally contact on this vulnerability, so Microsoft included advisory info on the difficulty within the launch. This CVE doesn’t determine into any of our tallies this month. 

There have been two Adobe Reader advisories included within the September launch, each affecting variations 25.001.20521, 24.001.30235, 20.005.30763 and earlier. 

Appendix E: Affected Home windows Server variations 

This can be a desk of the 58 CVEs within the September launch affecting Home windows Server variations 2008 by way of 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Essential-severity points are marked in pink; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s state of affairs, particularly because it issues merchandise out of mainstream assist, will range. For particular Data Base numbers, please seek the advice of Microsoft.