Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

On September 9, Microsoft released its September 2025 Patch Tuesday release which patched 80 CVEs with eight rated as critical and 72 rated as important.

While no vulnerabilities were exploited in the wild, there was one zero-day patch this month. CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account.

CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.

This month’s update includes patches for:

Azure Arc
Azure Windows Virtual Machine Agent
Capability Access Management Service (camsvc)
Graphics Kernel
Microsoft AutoUpdate (MAU)
Microsoft Brokering File System
Microsoft Graphics Component
Microsoft High Performance Compute Pack (HPC)
Microsoft Office
Microsoft Office Excel
Microsoft Office PowerPoint
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft Office Word
Microsoft Virtual Hard Drive
Role: Windows Hyper-V
SQL Server
Windows Ancillary Function Driver for WinSock
Windows BitLocker
Windows Bluetooth Service
Windows Connected Devices Platform Service
Windows DWM
Windows Defender Firewall Service
Windows Imaging Component
Windows Internet Information Services
Windows Kernel
Windows Local Security Authority Subsystem Service (LSASS)
Windows Management Services
Windows MapUrlToZone
Windows MultiPoint Services
Windows NTFS
Windows NTLM
Windows PowerShell
Windows Routing and Remote Access Service (RRAS)
Windows SMB
Windows SMBv3 Client
Windows SPNEGO Extended Negotiation
Windows TCP/IP
Windows UI XAML Maps MapControlSettings
Windows UI XAML Phone DatePickerFlyout
Windows Win32K GRFX
Xbox

For more information, please visit our blog.

Cyber Exposure Alerts

Vulnerability Watch

Forum Discussion

Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

Recent Discussions

Oracle January 2026 Critical Patch Update Addresses 158 CVEs

CVE-2025-64155: Exploit Code Released for Critical Fortinet FortiSIEM Vulnerability

Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)

CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild

CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited

Americas

Europe

Asia / Australia