Article
September 2025 Patch Tuesday: Key Vulnerabilities Overview
Introduction
September security update addresses 84 vulnerabilities, with some being more critical than others. These updates cover a wide range of issues affecting Windows and Microsoft Office software. While there are no actively exploited threats reported this time, flaws such as those in Windows NTLM and Windows SMB still pose significant risks if left unaddressed, with the overall focus being on preventing unauthorized access and protecting sensitive information. In this article, we’ll recap the highlights of this month’s updates and provide some easy tips to help you stay safe online.
Summary of September 2025 Patch Tuesday
This month’s Patch Tuesday covers a wide range of issues affecting Windows and Microsoft Office software. Microsoft fixed 84 vulnerabilities, with some being more critical than others. Among the notable ones are security issues with Windows NTLM, which helps manage network authentication, and Windows SMB, used for sharing files over networks. Although there are no actively exploited threats this time, some flaws still pose significant risks if left unaddressed. Overall, the updates focus on preventing unauthorized access and protecting sensitive information.
Understanding these updates is crucial in protecting enterprise environments. Below, we categorize the vulnerabilities based on their exposure to the internet.
Updates are listed according to their CVSS Score
Exposed to internet
September 2025 Patch Tuesday
Internal Network
Exposed to the Internet
Windows SMB Server – Elevation of Privilege
Windows SMB Server, used for file sharing over a network, has a vulnerability that enables unauthenticated remote attackers to perform relay attacks. This is due to the exploitation of improper authentication mechanisms, potentially elevating privileges.
Windows SMB v3 Client/Server – Remote Code Execution
The SMB v3 protocol, used for network communication, is vulnerable to remote code execution due to a use-after-free condition. Successful exploitation requires the attacker to win a race condition, potentially compromising systems.
Internal Network
Windows NTLM – Elevation of Privilege
Windows NTLM, a protocol used for authentication in Windows network environments, is vulnerable to an elevation of privilege attack. This vulnerability allows unauthorized attackers to gain SYSTEM privileges through improper authentication over a network connection.
Microsoft Office – Remote Code Execution
Microsoft Office, a suite of productivity applications, contains a remote code execution vulnerability caused by a heap-based buffer overflow. This can be exploited locally, posing a significant risk to user environments.
Windows Graphics Component – Elevation of Privilege
Windows Graphics Component, responsible for rendering operations and UI display, has a vulnerability due to incorrect initialization of resources. This flaw could allow an attacker to elevate their privileges on the system.
Graphics Kernel – Remote Code Execution
The Graphics Kernel, managing low-level operations for rendering graphics on Windows, is susceptible to a remote code execution vulnerability. This is caused by a TOCTOU race condition, which could be exploited maliciously.
Windows Hyper-V – Elevation of Privilege
Windows Hyper-V, a virtualization product allowing multiple OSs to run on one host, has a vulnerability exploiting a race condition. This flaw can be used to execute code, elevating privileges undesirably.
Windows NTFS – Remote Code Execution
Windows NTFS, the default filesystem for modern Windows versions, has a remote code execution vulnerability. This is due to a stack buffer overflow, allowing attackers to execute code over the network.
Windows TCP/IP Driver – Elevation of Privilege
The Windows TCP/IP Driver, handling network communications via the TCP/IP protocol, contains an elevation of privilege vulnerability. Attackers could exploit this to escalate their privileges unauthorizedly.
Graphics Kernel – Remote Code Execution
Windows’ Graphics Kernel has a remote code execution vulnerability caused by concurrent execution issues using shared resources and improper synchronization. This affects graphics rendering efficiency and security.
Conclusion
In conclusion, staying up-to-date with software patches is a simple yet effective way to protect your devices from security threats. Ensure that your systems are set to automatically receive updates, and check for any available updates regularly. By keeping your software current, you’re not just fixing bugs, but also preventing potential cyberattacks. Stay informed, stay updated, and keep your devices secure!
Have questions about implementing these patches or securing your IT environment? Schedule a call with At-Bay’s Advisory Services team to get started.
About CVSS
The Common Vulnerability Scoring System (CVSS) is an industry-standard framework for evaluating and communicating the severity of software vulnerabilities. It provides a numerical score that helps organizations prioritize and address security issues effectively. CVSS scores quantify the severity of a vulnerability on a scale from 0 (no severity) to 10 (critical severity). CVSS considers multiple factors, including; Exploitability, Impact, Exploit code maturity, Remediation level, Report confidence. The system enables organizations to compare and prioritize vulnerabilities based on their potential impact on IT infrastructure.
References
- https://msrc.microsoft.com/update-guide/releasenote/2025-sep
- https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/
- https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2025/
- https://www.crowdstrike.com/content/crowdstrike-www/locale-sites/us/en-us/blog/patch-tuesday-analysis-september-2025.html