Microsoft Patch Tuesday September 2025: Critical Fixes & Updates

Microsoft’s September Patch Tuesday: 81 Fixes, Featuring many High-Risk Threats

The release consists of:

• 10 Critical, 71 Important, 0 High, 0 Medium, 0 Low
• Coverage across Windows, Microsoft Office, Microsoft Exchange, Graphics, NTLM, and more
• A combined CVSS score of 585.5, with an average severity of 7.2
• 0 vulnerabilities were marked as Weaponized and 1 were Publicly Known this month

Robert Brown, Senior Director of Technical Services at Absolute, emphasizes the importance of prioritization in vulnerability management.

Patch Tuesday Review: Top 5 Vulnerabilities You Need to Know

CVE-2025-55234: Windows SMB Elevation of Privilege Vulnerability

Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally.

Not Weaponized, Publicly Known

• Severity: Important | CVSS Score: 8.8
• Attack Vector: Local | Privileges Required: Low
• User Interaction: None | Complexity: High

This flaw could enable attackers to elevate privileges on affected systems through improperly restricted PowerShell communications.

CVE-2025-54918: Windows NTLM Elevation of Privilege Vulnerability

Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network.

Not Weaponized, Not Publicly Known

• Severity: Critical | CVSS Score: 8.8
• Attack Vector: Network | Privileges Required: Low
• User Interaction: None | Complexity: High

This flaw could enable lateral movement and domain compromise in NTLM-reliant environments, granting elevated privileges to attackers.

CVE-2025-54910: Microsoft Office Remote Code Execution Vulnerability

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Not Weaponized, Not Publicly Known

• Severity: Critical | CVSS Score: 9.8
• Attack Vector: Local | Privileges Required: Low
• User Interaction: None | Complexity: High

This flaw could enable attackers to run arbitrary code via crafted Office content, resulting in full compromise in the user’s context.

CVE-2025-55236: Windows Kernel Remote Code Execution Vulnerability

Time-of-check time-of-use (TOCTOU) race condition in Windows Kernel allows an authorized attacker to execute code locally.

Not Weaponized, Not Publicly Known

• Severity: Important | CVSS Score: 7.3
• Attack Vector: Local | Privileges Required: Low
• User Interaction: None | Complexity: High

This flaw could enable attackers to achieve local code execution by exploiting a TOCTOU condition in the kernel.

CVE-2025-55228: Microsoft Word Remote Code Execution Vulnerability

Improper conversion in Microsoft Word allows an unauthorized attacker to execute code locally.

Not Weaponized, Not Publicly Known

• Severity: Important | CVSS Score: 7.8
• Attack Vector: Local | Privileges Required: Low
• User Interaction: None | Complexity: High

This flaw could enable attackers to trigger code execution when targets open a malicious Word document.

Jump Point Vulnerabilities: Risks for Lateral Movement

These vulnerabilities have Scope = Changed, meaning they can cross trust or privilege boundaries, enabling lateral movement, escalation, or wider impact:

• CVE-2025-54110 (Windows Kernel Elevation of Privilege Vulnerability). Important; CVSS 8.8; Exploitation More Likely.
• CVE-2025-54111 (Windows Kernel Elevation of Privilege Vulnerability). Important; CVSS 8.4; Exploitation Less Likely.
• CVE-2025-54895 (SPNEGO Extended Negotiation NEGOEX Elevation of Privilege Vulnerability). Important; CVSS 7.8; Exploitation Less Likely.
• CVE-2025-54913 (Windows NTLM Elevation of Privilege Vulnerability). Critical; CVSS 8.8; Exploitation More Likely.
• CVE-2025-54919 (Windows Graphics Component Remote Code Execution Vulnerability). Critical; CVSS 9.0; Exploitation More Likely.
• CVE-2025-55228 (Microsoft Word Remote Code Execution Vulnerability). Critical; CVSS 7.8; Exploitation Less Likely.
• CVE-2025-55224 (Windows Kernel Elevation of Privilege Vulnerability). Important; CVSS 8.1; Exploitation Less Likely.
• CVE-2025-53791 (Microsoft Exchange Server Elevation of Privilege Vulnerability). Important; CVSS 7.8; Exploitation Less Likely.

Final Thoughts

This month’s updates reinforce the need for a resilient, prioritized patch strategy. Absolute’s Risk Scoring methodology highlights the top threats with high CVSS scores, critical impacts, and high exploitation potential.

Key recommendations:

1. Prioritize all remote code execution flaws with network vectors.
2. Address NTLM-related vulnerabilities to prevent privilege escalation.
3. Patch Office and graphics rendering components before exploit chains emerge.

While timely patching reduces exposure, CISOs must also prepare for the rare but high-impact scenario where a patch causes company-wide instability. Having the capability to rehydrate devices back to a known, golden image at scale can transform recovery from days or weeks into hours, restoring operational capability rapidly and consistently. This not only limits productivity loss and financial impact but also reduces strain on IT teams during crisis response.

Stay vigilant, patch smart, and patch resilient keeping endpoints protected without overwhelming your teams.

See the September, 2025 Patch Tuesday Chart (PDF).