Red Hot Cyber

Microsoft Patch Tuesday for September: 81 vulnerabilities and 2 publicly disclosed 0days

Redazione RHC : 10 September 2025 13:24

Microsoft's September Patch Tuesday release addresses a total of 81 vulnerabilities across its products and services.

Nine of them are rated critical. Two are zero-days in the sense that they were publicly disclosed before a fix was available; Microsoft has not reported in-the-wild exploitation of either, so the concern is the head start that public details give attackers, not confirmed attacks.

These two have drawn the most attention from practitioners precisely because their details, and in one case the upstream fix, were public well before the September updates shipped.

The first, CVE-2025-55234, is an elevation of privilege flaw in the Windows SMB Server. Depending on how the server is configured, an attacker can relay authentication to it (an NTLM relay attack) and obtain elevated privileges. Microsoft points out that the mitigations already exist: SMB Server signing and Extended Protection for Authentication (EPA) both defeat relay, but requiring them can break older clients and devices that do not support them. The recommended path is therefore to turn on auditing first, identify the clients that would be affected, fix or retire them, and only then enforce signing (the "Microsoft network server: Digitally sign communications (always)" policy) and EPA.

The second, CVE-2024-21907, is in the Newtonsoft.Json library bundled with SQL Server. Passing deeply nested, specially crafted JSON to JsonConvert.DeserializeObject exhausts the call stack and crashes the process, a denial of service. The issue was fixed upstream in Newtonsoft.Json 13.0.1, which introduced a default nesting limit (MaxDepth of 64), and the CVE was published in 2024; SQL Server's copy of the library is only now being updated in Microsoft's official patch package. Anyone still shipping an older Newtonsoft.Json should update it or set MaxDepth explicitly.
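The mitigation for this class of bug is a nesting-depth cap applied before the parser recurses. The following is an added example, not code from the article or from Microsoft: it builds a constructed deeply nested payload and checks it against the same Newtonsoft.Json MaxDepth limit through PowerShell 7's ConvertFrom-Json, which is implemented on top of Newtonsoft.Json and exposes MaxDepth as its -Depth parameter (introduced in PowerShell 6.2; Windows PowerShell 5.1 uses a different deserializer and lacks the parameter, so the script does not run there). The function names are the example's own.

```powershell
# Added example (not from the article or Microsoft): a nesting-depth guard for
# untrusted JSON, illustrating the MaxDepth mitigation for CVE-2024-21907.
# Requires PowerShell 7 (6.2+): its ConvertFrom-Json is built on Newtonsoft.Json
# and -Depth is passed through as the library's MaxDepth setting.

function New-NestedJson {
    # Constructed hostile payload: an array nested $Depth levels deep,
    # e.g. Depth 3 yields [[[1]]]. Real payloads just use a far larger depth.
    param([int]$Depth)
    ('[' * $Depth) + '1' + (']' * $Depth)
}

function Test-JsonWithinDepth {
    # Returns $true when $Json parses under the cap, $false when Newtonsoft.Json
    # rejects it for exceeding MaxDepth. Rejection happens in the reader before any
    # deep recursion, which is what turns a process crash into a handled error.
    param(
        [string]$Json,
        [int]$MaxDepth = 64    # Newtonsoft.Json's default since 13.0.1
    )
    try {
        $null = $Json | ConvertFrom-Json -Depth $MaxDepth
        $true
    } catch {
        # Error text is "The reader's MaxDepth of N has been exceeded" for the
        # depth case; anything else (malformed JSON) is also a rejection.
        $false
    }
}

# Usage: ordinary data is shallow and passes, the hostile payload is refused.
Test-JsonWithinDepth -Json (New-NestedJson -Depth 10)
Test-JsonWithinDepth -Json (New-NestedJson -Depth 5000)
# Compare with an unbounded limit, which is what a pre-13.0.1 library effectively had:
# Test-JsonWithinDepth -Json (New-NestedJson -Depth 5000) -MaxDepth 100000
```

In application code the equivalent is `new JsonSerializerSettings { MaxDepth = 64 }` passed to JsonConvert.DeserializeObject; the point of the script is that the check belongs at the trust boundary, before the deserializer is allowed to recurse over attacker-controlled input.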

Beyond these two, the September release fixes dozens of other critical and important bugs. In Microsoft Office, several vulnerabilities in Excel, PowerPoint, Visio, and SharePoint allowed arbitrary code execution when a malicious document is opened. On Windows, fixes land in the graphics component, the Hyper-V subsystem, and NTLM; the NTLM bug is particularly dangerous because it can be used to compromise credentials across the domain infrastructure. Privilege escalation bugs in BitLocker and LSASS were also addressed, along with flaws in Windows Defender Firewall, Bluetooth, and the Connected Devices services.

Also notable are a Windows NTFS vulnerability that can lead to remote code execution, and critical bugs in DirectX drivers and the Win32k kernel component. These potentially let an attacker bypass kernel protections and run code at the system level.

Microsoft also notes that this update cycle adds auditing on the SMB Server side: the server can now record which connecting clients would be incompatible with SMB signing and EPA, so administrators can assess compatibility before enforcing those protections, which Microsoft intends to make mandatory in the future.
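The audit-then-enforce sequence recommended for CVE-2025-55234 above, and the new SMB Server auditing just described, boil down to a short assessment script. What follows is an added example written for this page, not the article's or Microsoft's code. It uses only the built-in SmbShare cmdlets (Get-/Set-SmbServerConfiguration, Get-SmbSession) and Get-WinEvent against the existing Microsoft-Windows-SMBServer/Audit channel; it deliberately does not assume the event IDs or cmdlet switches of the newly added signing/EPA audit events, and the function names and the "below SMB 3.x is legacy" heuristic are the example's own assumptions.

```powershell
# Added example (not from the article or Microsoft): assess an SMB server's
# signing posture and client population before requiring signing (CVE-2025-55234).
# Run in an elevated PowerShell on the file server. Assumptions: the audit channel
# name below is the existing SMB Server audit log; the IDs of the new
# signing/EPA compatibility events are not assumed, the script only summarises
# whatever IDs appear so they can be checked against Microsoft's documentation.

function Get-SmbSigningState {
    # Server-side posture. RequireSecuritySignature is the value behind the
    # "Microsoft network server: Digitally sign communications (always)" policy.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SigningRequired = $cfg.RequireSecuritySignature
        SigningEnabled  = $cfg.EnableSecuritySignature
        Smb1Enabled     = $cfg.EnableSMB1Protocol
        EncryptData     = $cfg.EncryptData
    }
}

function Get-SmbClientInventory {
    # Who is connected right now and with which dialect. The Legacy flag (an
    # assumption of this example, not a Microsoft rule) marks anything below SMB 3.x
    # as worth checking before signing becomes mandatory: those are the hosts most
    # likely to be old devices that break under the strict policy.
    Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, Dialect,
            @{ n = 'Legacy'; e = { [version]$_.Dialect -lt [version]'3.0' } } |
        Sort-Object Legacy -Descending, ClientComputerName
}

function Get-SmbAuditSummary {
    # Count SMB Server audit events per ID over the last $Days days. With auditing
    # enabled after the September 2025 update, clients that cannot do signing/EPA
    # are expected to surface here; map the IDs against Microsoft's KB before acting.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

function Enable-SmbSigningRequirement {
    # The enforcement step, gated behind ShouldProcess so -WhatIf previews it.
    # Run only once the audit window shows no clients you still need to keep.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB Server', 'Require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# Usage: assess first, enforce later.
Get-SmbSigningState
Get-SmbClientInventory | Format-Table -AutoSize
Get-SmbAuditSummary -Days 14 | Format-Table -AutoSize
# Enable-SmbSigningRequirement -WhatIf
```

Run the first three commands over a representative window (a couple of weeks covers monthly batch jobs and backup agents), reconcile every Legacy session and every audit event with its owner, and only then drop the -WhatIf. Requiring signing on a server that still has a client unable to sign does not degrade gracefully; that client simply stops connecting.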

Microsoft wasn't the only vendor patching critical vulnerabilities in September. Adobe closed the SessionReaper vulnerability in Magento, which allowed attackers to hijack customer sessions. Google released the September Android patch, which fixed 84 bugs, including two already exploited in real-world attacks. SAP fixed a maximum-severity vulnerability in NetWeaver that allowed command execution with system privileges. TP-Link acknowledged a vulnerability in several home routers that is still under investigation, though the company is already preparing patches for US users. Cisco updated WebEx, ASA, and other networking products, addressing remote access and data leakage risks.

September's Patch Tuesday was one of the busiest of the year. The two publicly disclosed zero-days in SMB Server and SQL Server underline the need to install updates quickly, while the long list of Windows and Office fixes shows how many different vectors attackers have into corporate infrastructure. Administrators and security teams should verify that the September updates are actually installed and review their SMB signing and EPA configuration without delay.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
