Microsoft’s September 2025 Patch Tuesday addressed 81 vulnerabilities, with elevation of privilege flaws making up nearly half of the total. In coverage by Dark Reading, Fortra’s Tyler Reguly questioned Microsoft’s use of CVE identifiers, noting that the approach could significantly expand how many CVEs are issued each year.
Originally published in Dark Reading.
Excerpt: "CVEs mean that a vulnerability exists," says Tyler Reguly, associate director, security R&D at Fortra, in comments to Dark Reading. In this case, Microsoft appears to be using a CVE identifier to indicate that a new configuration/audit capability is available. "That is a major expansion of the meaning of CVEs, and if this starts happening on a regular basis, it will greatly increase the already large number of CVEs issued each year."
