This week, Microsoft released the September updates, which addressed 81 vulnerabilities across the company’s products. Among them were two zero-day vulnerabilities whose details were disclosed before the patches were released.
This month, nine critical vulnerabilities were patched, five of which are related to remote code execution, one to information disclosure, and another two to elevation of privilege.
As a reminder, Microsoft classifies as 0-day those vulnerabilities whose details were publicly disclosed before patches were released, as well as issues that are actively exploited in attacks. The two zero-day vulnerabilities this month were not used by attackers in the wild, but were disclosed before fixes were released.
CVE-2025-55234 (8.8 on the CVSS scale) is a privilege escalation issue in Windows SMB Server that can be exploited via relay attacks.
“The SMB Server may be vulnerable to relay attacks depending on its configuration. An attacker who successfully exploits these vulnerabilities could carry out relay attacks and make users the target of privilege escalation attacks,” Microsoft representatives write.
Microsoft reports that Windows includes settings to protect the SMB Server against relay attacks, including enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA).
However, the company warned that enabling these features could cause compatibility issues with older devices and implementations. Microsoft recommends that administrators audit their SMB servers to determine the likelihood of any issues.
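The audit-then-enforce approach Microsoft recommends can be scripted. The following is an added example, not code from the article or from Microsoft: it reports the relay-relevant SMB server settings, lists which clients are connected over which dialect (the older ones are the likely compatibility casualties), and only changes anything when run with `-EnableAudit` or `-Enforce`. The cmdlets and the `RequireSecuritySignature`, `EnableSecuritySignature`, `EncryptData` and `RejectUnencryptedAccess` properties come from the built-in SmbShare module; `SmbServerNameHardeningLevel` and `AuditClientDoesNotSupportSigning` exist only on recent Windows builds, so the script probes for them first. Treating the article's "Extended Protection for Authentication" setting as SMB server name hardening (SPN validation) is this example's assumption.

```powershell
# Added example (not from the article or Microsoft): inventory an SMB server's
# relay-relevant settings, optionally enable audit-only logging, and only then
# enforce. Run in an elevated PowerShell session on the file server itself.
# Properties that exist only on newer builds are probed before use; mapping the
# article's "EPA" to SmbServerNameHardeningLevel is an assumption of this script.
[CmdletBinding()]
param(
    [switch]$EnableAudit,   # log clients that cannot sign; change nothing else
    [switch]$Enforce        # require signing and SPN validation (audit first!)
)

$cfg   = Get-SmbServerConfiguration
$props = $cfg.PSObject.Properties.Name

$report = [ordered]@{
    'Signing required (RequireSecuritySignature)'   = $cfg.RequireSecuritySignature
    'Signing enabled (EnableSecuritySignature)'     = $cfg.EnableSecuritySignature
    'Encryption required (EncryptData)'             = $cfg.EncryptData
    'Reject unencrypted (RejectUnencryptedAccess)'  = $cfg.RejectUnencryptedAccess
}
if ($props -contains 'SmbServerNameHardeningLevel') {
    # 0 = off, 2 = required; only present on recent Windows builds
    $report['SPN validation (SmbServerNameHardeningLevel)'] = $cfg.SmbServerNameHardeningLevel
}
if ($props -contains 'AuditClientDoesNotSupportSigning') {
    $report['Audit clients lacking signing support'] = $cfg.AuditClientDoesNotSupportSigning
}
[pscustomobject]$report | Format-List

# Who is connected right now, and over which dialect? Clients still on SMB 1.x
# or 2.0.2 are the ones to test before signing becomes mandatory.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect, ClientComputerName |
    Format-Table -AutoSize

if ($EnableAudit) {
    if ($props -contains 'AuditClientDoesNotSupportSigning') {
        Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true -Force
        Write-Host 'Audit enabled; review the Microsoft-Windows-SMBServer/Audit log before enforcing.'
    } else {
        Write-Warning 'This build has no signing audit switch; rely on the session list above.'
    }
}

if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    if ($props -contains 'SmbServerNameHardeningLevel') {
        Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force
    }
    Write-Host 'SMB signing (and SPN validation where supported) is now required.'
}
```

Run it with no switches first to see where a server stands, then with `-EnableAudit` for a week or two of normal use, and only then with `-Enforce`. The same enforcement can be pushed fleet-wide through the "Microsoft network server: Digitally sign communications (always)" Group Policy setting, which maps to `RequireSecuritySignature`.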
Microsoft does not disclose who exactly discovered this bug, or where and when information about it was disclosed.
CVE-2024-21907 (7.5 on the CVSS scale) is related to improper exception handling in Newtonsoft.Json, which is included with Microsoft SQL Server. This vulnerability was publicly disclosed back in 2024.
“Specially crafted data passed to the JsonConvert.DeserializeObject method can trigger a StackOverflow exception, leading to a denial of service. Depending on how the library is used, an unauthenticated remote attacker can cause a denial of service,” the developers write.
It is also worth noting that the September release included a vulnerability with the highest possible CVSS score (10 out of 10), CVE-2025-54914. This critical bug affected Azure networking services and could be used for privilege escalation. The vulnerability requires no action from users, as it is related to the company's cloud services.
Two more vulnerabilities worth calling out are a remote code execution flaw in the Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score of 9.8) and a privilege escalation issue affecting Windows NTLM (CVE-2025-54918, CVSS score of 8.8) that allowed attackers to gain SYSTEM-level privileges.
“Customers should ensure that HPC Pack clusters are running on a trusted network protected by firewall rules, especially for TCP port 5999,” Microsoft warns.
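One way to apply that advice on an HPC Pack node, as an added example that is not from the article or from Microsoft: find any inbound Windows Firewall rule that opens TCP 5999 to all remote addresses and rescope it to the cluster's trusted ranges, creating a scoped rule only if none exists. The `10.10.0.0/16` range and the rule name are placeholders; the cmdlets are the standard NetSecurity module ones.

```powershell
# Added example (not from the article or Microsoft): confine inbound TCP 5999 on
# an HPC Pack node to trusted ranges. Run elevated on the node; the range and
# rule name below are placeholders for your own cluster and admin subnets.
$Port          = '5999'
$TrustedRanges = @('10.10.0.0/16')   # placeholder: cluster and admin subnets only

# The domain profile should already block unsolicited inbound traffic by default.
Get-NetFirewallProfile -Name Domain | Select-Object Name, Enabled, DefaultInboundAction

# Tighten existing allow rules rather than adding a block rule: in Windows
# Firewall a block rule wins over an allow rule, so a blanket block would also
# cut off the trusted range.
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($r in $rules) {
    $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ("{0}: remote scope was {1}" -f $r.DisplayName, ($scope -join ','))
    $r | Set-NetFirewallRule -RemoteAddress $TrustedRanges
}

if (-not $rules) {
    # Nothing opens the port yet: create a rule scoped to the trusted range only.
    New-NetFirewallRule -DisplayName 'HPC Pack TCP 5999 (trusted range only)' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $TrustedRanges -Action Allow -Profile Domain | Out-Null
}
```

Re-running the script is safe: it only rewrites the remote-address scope of rules that already match the port and adds a new rule when none does.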