
- 198/2025
- Critical
Microsoft has released its monthly batch of security updates, known as Patch Tuesday. This month's release addresses two zero-day vulnerabilities.
Microsoft has fixed 95 vulnerabilities, 4 of which are classified as critical, as they could allow an attacker to gain elevated privileges, perform denial-of-service attacks, obtain sensitive information, bypass security restrictions, or execute arbitrary code and gain access to the affected systems.
September's Patch Tuesday was released to fix security flaws in several Microsoft products, such as Microsoft Excel, Microsoft Office, Microsoft 365 Apps for Enterprise, Azure Networking, Windows NTLM, Graphics Kernel, Windows Hyper-V, Windows DWM, SQL Server, Windows PowerShell, Windows Imaging Component, Windows Local Security Authority Subsystem Service (LSASS), Microsoft Brokering File System and Windows NTFS.
The publicly disclosed zero-day vulnerabilities in September’s Patch are:
- Windows SMB Elevation of Privilege Vulnerability “CVE-2025-55234” allows an attacker to perform relay attacks, leaving users exposed to elevation of privilege.
- Improper Handling of Exceptional Conditions in Newtonsoft.Json Vulnerability “CVE-2024-21907” allows an unauthenticated remote attacker to cause a denial-of-service condition.
A sample of the addressed vulnerabilities:
1. Azure Networking Elevation of Privilege Vulnerability (CVE-2025-54914):
- CVSS: 10
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privilege
2. Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability (CVE-2025-55232):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
Mitigations
The enterprise should deploy this patch as soon as its testing phase is complete.
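As an added example (not part of the advisory), the following PowerShell script audits the SMB signing settings that are the standard hardening against SMB relay attacks such as the one described for CVE-2025-55234, and lists the updates installed since a given date so that administrators can confirm the patch has landed. It assumes a Windows host with the SmbShare module; the default date of 9 September 2025 is assumed to be this month's Patch Tuesday and can be overridden.

```powershell
# Added example, not the advisory's own tooling.
# Audits SMB signing (server and client side) and lists updates installed
# on or after the given date. Run from an elevated PowerShell prompt.
param(
    # Assumed date of the September 2025 Patch Tuesday; override if needed.
    [datetime]$PatchDate = '2025-09-09'
)

# Server-side signing: "RequireSecuritySignature" must be $true for the host
# to reject unsigned SMB sessions, which is what stops relayed connections.
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

$report = [pscustomobject]@{
    ServerSigningEnabled  = $server.EnableSecuritySignature
    ServerSigningRequired = $server.RequireSecuritySignature
    ClientSigningEnabled  = $client.EnableSecuritySignature
    ClientSigningRequired = $client.RequireSecuritySignature
}
$report | Format-List

if (-not $server.RequireSecuritySignature) {
    Write-Warning ('SMB server signing is not required on {0}; relayed SMB sessions ' +
                   'would be accepted. Require signing once compatibility testing passes.') -f $env:COMPUTERNAME
}
if (-not $client.RequireSecuritySignature) {
    Write-Warning 'SMB client signing is not required; outbound sessions can be relayed.'
}

# Updates installed on or after the patch date. InstalledOn can be empty for
# some entries, so filter those out before comparing.
Write-Host "Updates installed on or after $($PatchDate.ToShortDateString()):"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

An empty update list after the patch date means the September cumulative update has not yet been applied to that host, so it should be scheduled for deployment.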