81 Vulnerabilities Fixed Including 22 RCE
Microsoft has released its September 2025 Patch Tuesday updates, addressing a total of 81 security vulnerabilities across its product suite. The security patches cover a wide range of software, including Windows, Microsoft Office, Azure, and SQL Server.
Among the fixes are 22 Remote Code Execution (RCE) vulnerabilities, making this a significant update for system administrators. Of the 81 flaws, 8 are rated as Critical, with the remaining 73 classified as Important in severity.
| Impact | Count |
|---|---|
| Elevation of Privilege (EoP) | 38 |
| Remote Code Execution (RCE) | 22 |
| Information Disclosure | 14 |
| Denial of Service (DoS) | 4 |
| Security Feature Bypass | 2 |
| Spoofing | 1 |
| Total | 81 |
The vulnerabilities cover various categories, with Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure being the most frequently addressed types in this month’s release.
Critical Remote Code Execution Flaws
This month’s update resolves several critical RCE vulnerabilities that could allow attackers to execute arbitrary code on affected systems. Among the most severe are multiple race condition flaws in the Graphics Kernel (CVE-2025-55226, CVE-2025-55236) and the Windows Graphics Component (CVE-2025-55228), which an authorized attacker could exploit to execute code locally.
Microsoft Office also received a critical patch for a heap-based buffer overflow vulnerability (CVE-2025-54910) that enables local code execution.
Additionally, a critical RCE vulnerability in Windows Hyper-V (CVE-2025-55224) was fixed. This flaw, stemming from a race condition, could allow a local attacker to execute arbitrary code. These types of vulnerabilities are particularly dangerous as they can often be exploited to gain initial access or move laterally within a network.
Widespread Elevation of Privilege and Other Flaws
A significant portion of the September update is dedicated to fixing Elevation of Privilege vulnerabilities across the Windows ecosystem. A critical EoP flaw in Windows NTLM (CVE-2025-54918) could allow an authorized attacker to elevate their privileges over the network.
Other important EoP vulnerabilities were patched in PowerShell Direct (CVE-2025-49734), Windows Ancillary Function Driver for WinSock (CVE-2025-54099), and the Windows Kernel (CVE-2025-54110).
The update also addresses numerous information disclosure vulnerabilities, particularly in the Windows Routing and Remote Access Service (RRAS), with six distinct CVEs (CVE-2025-53797, CVE-2025-53798, CVE-2025-54095, CVE-2025-54096, CVE-2025-54097, CVE-2025-55225) related to buffer over-read and out-of-bounds read issues.
While not as severe as RCEs, these flaws can leak sensitive memory information that aids attackers in crafting more complex exploits.
Patches for SharePoint, Azure, and Excel
Beyond the core operating system, Microsoft has patched critical and important flaws in its enterprise and productivity software.
A significant RCE vulnerability in Microsoft SharePoint (CVE-2025-54897) was addressed, which could be exploited by an authorized attacker over the network through the deserialization of untrusted data.
Microsoft Excel received a barrage of fixes for seven different RCE vulnerabilities (CVE-2025-54896, CVE-2025-54898, CVE-2025-54899, CVE-2025-54900, CVE-2025-54902, CVE-2025-54903, CVE-2025-54904).
These flaws, mostly related to use-after-free and out-of-bounds read issues, allow an attacker to execute code locally if a user opens a specially crafted file.
Several Elevation of Privilege vulnerabilities were also patched in Azure services, including Azure Arc (CVE-2025-55316) and the Azure Connected Machine Agent (CVE-2025-49692).
Microsoft urges all customers to apply the September 2025 security updates promptly to protect their systems from potential exploitation. Administrators should prioritize patching the critical RCE and Elevation of Privilege vulnerabilities to mitigate the most severe risks.
Of the 81 vulnerabilities addressed in Microsoft’s September 2025 Patch Tuesday, none were reported as publicly disclosed or actively exploited. The release includes patches for 8 Critical and 73 Important severity flaws.
Below is a comprehensive table of all vulnerabilities fixed in this update:
| CVE | Vulnerability Details | Actively Exploited | Type | Severity |
|---|---|---|---|---|
| Critical Vulnerabilities | ||||
| CVE-2025-54918 | Improper authentication in Windows NTLM allows for network-based privilege elevation. | No | Elevation of Privilege | Critical |
| CVE-2025-55226 | A race condition in the Graphics Kernel can be exploited for local code execution. | No | Remote Code Execution | Critical |
| CVE-2025-55228 | A race condition in the Windows Graphics Component allows local code execution. | No | Remote Code Execution | Critical |
| CVE-2025-55236 | A race condition in the Graphics Kernel could lead to local code execution. | No | Remote Code Execution | Critical |
| CVE-2025-53799 | Use of an uninitialized resource in the Windows Imaging Component leads to information disclosure. | No | Information Disclosure | Critical |
| CVE-2025-53800 | A flaw in the Microsoft Graphics Component can be used for local privilege elevation. | No | Elevation of Privilege | Critical |
| CVE-2025-54910 | A heap-based buffer overflow in Microsoft Office allows for local remote code execution. | No | Remote Code Execution | Critical |
| CVE-2025-55224 | A race condition in Windows Hyper-V can be used for local code execution. | No | Remote Code Execution | Critical |
| Important Vulnerabilities | ||||
| CVE-2024-21907 | A flaw in Newtonsoft.Json used by SQL Server can lead to a denial-of-service condition. | No | Denial of Service | Important |
| CVE-2025-49734 | A flaw in PowerShell Direct allows for local privilege escalation. | No | Elevation of Privilege | Important |
| CVE-2025-53797 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-53798 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-54095 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54096 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54097 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54099 | A stack-based buffer overflow in the Ancillary Function Driver for WinSock allows privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54101 | A use-after-free flaw in the Windows SMBv3 Client allows for remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-54102 | A use-after-free flaw in the Connected Devices Platform Service can be used for privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54106 | An integer overflow in RRAS could allow an attacker to execute code over the network. | No | Remote Code Execution | Important |
| CVE-2025-54110 | An integer overflow in the Windows Kernel can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54111 | A use-after-free flaw in Windows UI XAML allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54894 | A vulnerability in the Local Security Authority Subsystem Service leads to privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54895 | An integer overflow in SPNEGO NEGOEX allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54896 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54897 | Deserialization of untrusted data in SharePoint can lead to remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-54898 | An out-of-bounds read in Microsoft Excel can be used for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54899 | Freeing memory not on the heap in Microsoft Excel can lead to local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54902 | An out-of-bounds read in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54903 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54904 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54905 | An untrusted pointer dereference in Microsoft Word can lead to information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54906 | Freeing memory not on the heap in Microsoft Office can lead to local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54907 | A heap-based buffer overflow in Microsoft Visio allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54908 | A use-after-free vulnerability in Microsoft PowerPoint allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54913 | A race condition in Windows UI XAML Maps can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54916 | A stack-based buffer overflow in Windows NTFS allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54919 | A race condition in the Windows Graphics Component leads to local code execution. | No | Remote Code Execution | Important |
| CVE-2025-55223 | A race condition in the DirectX Graphics Kernel allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55225 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-55232 | Deserialization of untrusted data in HPC Pack can lead to remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-55245 | Improper link resolution in Xbox Gaming Services can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55243 | Exposure of sensitive information in Microsoft OfficePlus can lead to spoofing. | No | Spoofing | Important |
| CVE-2025-55316 | External control of a file name or path in Azure Arc allows for privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55317 | Improper link resolution in Microsoft AutoUpdate can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-49692 | Improper access control in the Azure Connected Machine Agent allows local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-47997 | A race condition in SQL Server can lead to network-based information disclosure. | No | Information Disclosure | Important |
| CVE-2025-53796 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-53801 | An untrusted pointer dereference in the DWM Core Library can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53802 | A use-after-free flaw in the Windows Bluetooth Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53803 | An error message in the Windows Kernel could disclose sensitive information locally. | No | Information Disclosure | Important |
| CVE-2025-53804 | Exposure of sensitive information in a Windows Kernel-Mode Driver can lead to local information disclosure. | No | Information Disclosure | Important |
| CVE-2025-53805 | An out-of-bounds read in HTTP.sys can lead to a denial of service. | No | Denial of Service | Important |
| CVE-2025-53806 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
| CVE-2025-53807 | A race condition in the Microsoft Graphics Component allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53808 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-53809 | Improper input validation in LSASS can lead to a denial of service. | No | Denial of Service | Important |
| CVE-2025-53810 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54091 | An integer overflow in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54092 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54093 | A race condition in the Windows TCP/IP Driver allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54094 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54098 | Improper access control in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54103 | A use-after-free flaw in Windows Management Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54104 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54105 | A race condition in the Brokering File System can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54107 | Improper path resolution in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
| CVE-2025-54108 | A race condition in the Capability Access Management Service allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54109 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54112 | A use-after-free flaw in Microsoft Virtual Hard Disk can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54113 | A heap-based buffer overflow in RRAS allows for remote code execution. | No | Remote Code Execution | Important |
| CVE-2025-54114 | A race condition in the Connected Devices Platform Service can lead to a denial of service. | No | Denial of Service | Important |
| CVE-2025-54115 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54116 | Improper access control in Windows MultiPoint Services allows for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54900 | A heap-based buffer overflow in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
| CVE-2025-54901 | A buffer over-read in Microsoft Excel can lead to local information disclosure. | No | Information Disclosure | Important |
| CVE-2025-54911 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54912 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54915 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-54917 | A protection mechanism failure in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
| CVE-2025-55227 | A command injection vulnerability in SQL Server allows for network-based privilege elevation. | No | Elevation of Privilege | Important |
| CVE-2025-55234 | A flaw in Windows SMB could allow an attacker to perform relay attacks, leading to privilege elevation. | No | Elevation of Privilege | Important |
It is also essential to ensure the latest servicing stack updates, as detailed in advisory ADV990001, are installed to ensure successful patching.