Microsoft Patch Tuesday – September 2025

Microsoft is addressing 176 vulnerabilities today, which seems like a lot, and it is. Curiously, Microsoft’s own Security Update Guide (SUG) for September 2025 Patch Tuesday only lists 86 vulns, and that’s because the SUG doesn’t include a large number of open source software (OSS) fixes published today as part of updates for Azure Linux/CBL-Mariner. Microsoft is aware of public disclosure for just two of the vulnerabilities published today, and claims no evidence of in-the-wild exploitation. Yet again, there are zero-day vulnerabilities patched, but none of them evaluate as critical severity. Today’s release includes the publication of five critical remote code execution (RCE) vulnerabilities, although Microsoft expects that none of these are particularly likely to see exploitation. Five browser vulnerabilities have already been published separately this month, and are not included in the total.

SQL Server: zero-day DoS

What happens if you ask SQL Server to deserialize a JSON object with thousands of levels of nested objects? If you guessed denial of service, then you are good at guessing, because that’s what CVE-2024-21907 describes. As zero-day vulnerabilities go, it doesn’t seem particularly terrifying, since presumably the worst an attacker can do is knock down a service, which can then be picked up again. Of course, that’s all relative, since some SQL Server instances are doing very important work: think hospitals, airports, and other critical infrastructure. Taking a step back: if an unauthenticated attacker can send arbitrary queries directly into your SQL Server instances, then that’s already a broader security architecture issue.

Perhaps the most interesting thing about CVE-2024-21907 is its long and convoluted history. The underlying defect is not in SQL Server, but in Newtonsoft.Json, which is the de facto standard for handling JSON in .NET applications, including SQL Server and many other products. Versions of Newtonsoft.Json prior to 13.0.1 are vulnerable, and this isn’t new information; CVE-2024-21907 was originally made public on 2024-01-03 with some help from VulnCheck, so Microsoft is playing catch-up here. The underlying defect has been public knowledge for way longer than that, however, since Aleph Security first flagged it up way back in 2018 without attaching a CVE number. It remains unclear why Microsoft chose to address this now, but better late than never.

SMB server: zero-day(?) EoP

How’s your SMB server configuration? Is it fully hardened, with SMB server signing and Extended Protection for Authentication enabled? If not, then CVE-2025-55234 set out clearly why you should be worrying about SMB Server relay attacks, where an attacker pretends to be a legitimate server using ARP spoofing, DNS poisoning, or some other suitable trickery. Any pen testers or threat actors reading this will no doubt be thinking of the popular OSS tool Responder, which streamlines exactly this sort of attack. Options for attackers include credential relaying (which is mitigated by SMB signing), as well as offline cracking of the hash to reveal the password.

The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options. Other Microsoft server products (e.g. Exchange) offer a similar tough choice: lock out less capable clients, or leave your server in a state which permits relay attacks. None of the attack techniques covered are new, so this isn’t really a zero-day vulnerability, except inasmuch as it was published today, and describes an attack which is already publicly disclosed.

Azure Networking: critical EoP

It’s not every day that we see a perfect(?) 10.0 CVSS v3 base score, but CVE-2025-54914 is one such rare beast, thanks to the seldom-seen scope change described by the CVSS v3 vector. However, that’s all we get; the aggressively minimalist advisory fails to explain the nature of the vulnerability in any way at all. Mercifully, the advisory does pour a little oil on its own troubled waters by clarifying that this is a cloud service vulnerability, Microsoft has already fixed it, and there is no action to be taken by users of the service. Other reasons to consider not panicking: the Acknowledgements section lists only Microsoft researchers, so we can hope that no one else knows enough to do any damage. For anyone wondering which cloud service was impacted, the answer is Azure Networking, which is probably only important if your cloud assets ever need to communicate with anything at all.

Azure HPC: critical RCE

Azure High Performance Computer (HPC) admins should pay close attention to CVE-2025-55232, a critical unauthenticated RCE exploitable over the network. The advisory sets out the pre-requisites for the actual patch, and also hints that appropriate firewall rules should be in place, especially for TCP port 5999. The advisory doesn’t describe exactly what those firewall rules should look like or what they’re protecting, but port 5999 is the default port for the HpcScheduler, which orchestrates HPC jobs, resource management, and cluster communication.

Microsoft lifecycle update

There are no significant changes to Microsoft product lifecycles this month. A few Azure services move into retirement towards the end of September: Azure Basic Load Balancer, Azure Database for MariaDB, Azure HPC Cache, Azure Remote Rendering, Azure Service Map, Azure SQL Edge, Azure Unmanaged Disks, and Azure vFXT. As Rapid7 noted previously, there will be a number of significant changes in October, including the categorical end of support for non-LTSC versions of Windows 10.