Today’s Patch Tuesday Alert addresses Microsoft’s September 2025 Security Updates. We are actively working on coverage for these vulnerabilities and expect to ship that coverage as soon as it is completed.
In-The-Wild & Disclosed CVEs
From the advisory, “Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks.” This prompts the question, is this really a vulnerability? We’re all aware of relay attacks and they aren’t necessarily new. In this situation, it feels like Microsoft is assigning a CVE instead of issuing an advisory and, if that’s the case, the CVE should likely be rejected by MITRE. Microsoft has reported this vulnerability as Exploitation More Likely.
The first thing one notices about this bulletin is that it is for a 2024 CVE that was issued by VulnCheck. The discussion around the CVE starts in January of 2024 but references an advisory from back in 2018. The vulnerability itself could allow a remote, unauthenticated attacker to perform a denial of service. Microsoft has issued updates for SQL Server, which utilizes Newtonsoft.Json, to address this vulnerability. Microsoft has reported this vulnerability as Exploitation Less Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted
| Tag | CVE Count | CVEs |
| Windows PowerShell | 1 | CVE-2025-49734 |
| Windows Routing and Remote Access Service (RRAS) | 10 | CVE-2025-53797, CVE-2025-53798, CVE-2025-54095, CVE-2025-54096, CVE-2025-54097, CVE-2025-54106, CVE-2025-55225, CVE-2025-53796, CVE-2025-53806, CVE-2025-54113 |
| Windows Ancillary Function Driver for WinSock | 1 | CVE-2025-54099 |
| Windows SMBv3 Client | 1 | CVE-2025-54101 |
| Windows Connected Devices Platform Service | 2 | CVE-2025-54102, CVE-2025-54114 |
| Windows Kernel | 3 | CVE-2025-54110, CVE-2025-53803, CVE-2025-53804 |
| Windows UI XAML Phone DatePickerFlyout | 1 | CVE-2025-54111 |
| Windows Local Security Authority Subsystem Service (LSASS) | 2 | CVE-2025-54894, CVE-2025-53809 |
| Windows SPNEGO Extended Negotiation | 1 | CVE-2025-54895 |
| Microsoft Office Excel | 8 | CVE-2025-54896, CVE-2025-54898, CVE-2025-54899, CVE-2025-54902, CVE-2025-54903, CVE-2025-54904, CVE-2025-54900, CVE-2025-54901 |
| Microsoft Office SharePoint | 1 | CVE-2025-54897 |
| Microsoft Office Word | 1 | CVE-2025-54905 |
| Microsoft Office | 3 | CVE-2025-54906, CVE-2025-55243, CVE-2025-54910 |
| Microsoft Office Visio | 1 | CVE-2025-54907 |
| Microsoft Office PowerPoint | 1 | CVE-2025-54908 |
| Windows UI XAML Maps MapControlSettings | 1 | CVE-2025-54913 |
| Windows NTFS | 1 | CVE-2025-54916 |
| Windows NTLM | 1 | CVE-2025-54918 |
| Windows Win32K - GRFX | 3 | CVE-2025-54919, CVE-2025-55228, CVE-2025-55224 |
| Graphics Kernel | 3 | CVE-2025-55223, CVE-2025-55226, CVE-2025-55236 |
| Microsoft High Performance Compute Pack (HPC) | 1 | CVE-2025-55232 |
| XBox Gaming Services | 1 | CVE-2025-55245 |
| Azure Arc | 1 | CVE-2025-55316 |
| Microsoft AutoUpdate (MAU) | 1 | CVE-2025-55317 |
| Azure Windows Virtual Machine Agent | 1 | CVE-2025-49692 |
| SQL Server | 3 | CVE-2025-47997, CVE-2025-55227, CVE-2024-21907 |
| Windows Imaging Component | 1 | CVE-2025-53799 |
| Microsoft Graphics Component | 2 | CVE-2025-53800, CVE-2025-53807 |
| Windows DWM | 1 | CVE-2025-53801 |
| Windows Bluetooth Service | 1 | CVE-2025-53802 |
| Windows Internet Information Services | 1 | CVE-2025-53805 |
| Windows Defender Firewall Service | 6 | CVE-2025-53808, CVE-2025-53810, CVE-2025-54094, CVE-2025-54104, CVE-2025-54109, CVE-2025-54915 |
| Role: Windows Hyper-V | 4 | CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 |
| Windows TCP/IP | 1 | CVE-2025-54093 |
| Windows Management Services | 1 | CVE-2025-54103 |
| Microsoft Brokering File System | 1 | CVE-2025-54105 |
| Windows MapUrlToZone | 2 | CVE-2025-54107, CVE-2025-54917 |
| Capability Access Management Service (camsvc) | 1 | CVE-2025-54108 |
| Microsoft Virtual Hard Drive | 1 | CVE-2025-54112 |
| Windows MultiPoint Services | 1 | CVE-2025-54116 |
| Windows BitLocker | 2 | CVE-2025-54911, CVE-2025-54912 |
| Windows SMB | 1 | CVE-2025-55234 |
| Microsoft Edge (Chromium-based) | 5 | CVE-2025-9867, CVE-2025-9866, CVE-2025-9865, CVE-2025-9864, CVE-2025-53791 |
| Azure Entra | 1 | CVE-2025-55241 |
| Xbox | 1 | CVE-2025-55242 |
| Azure - Networking | 1 | CVE-2025-54914 |
| Dynamics 365 FastTrack Implementation Assets | 1 | CVE-2025-55238 |
| Azure Bot Service | 1 | CVE-2025-55244 |
Other Information
At the time of publication, there were no new advisories included with the September Security Guidance.
