
Microsoft has rolled out its latest Patch Tuesday security update for September 2025, addressing 80 vulnerabilities across Windows, Azure, and other products. Among these flaws, some carry the highest severity ratings, with one already publicly disclosed at the time of release. Security experts warn that these issues, if left unpatched, could open the door to privilege escalation, remote code execution, and data theft.
Out of the 80 vulnerabilities:
- 8 are rated Critical
- 72 are rated Important
- 38 involve privilege escalation
- 22 involve remote code execution (RCE)
- 14 allow information disclosure
- 3 can cause denial-of-service (DoS)
Interestingly, privilege escalation flaws make up nearly half of the vulnerabilities (47.5%), continuing a trend seen in recent months. None of the flaws are being actively exploited in the wild as zero-days, but their potential impact remains serious.
In addition, Microsoft also fixed 12 security flaws in the Edge browser since the August 2025 updates, including a security bypass issue (CVE-2025-53791, CVSS 4.7).
1. Windows SMB Privilege Escalation (CVE-2025-55234, CVSS 8.8)
This flaw in the Windows SMB protocol is already publicly known. It could be exploited in relay attacks, where attackers intercept authentication attempts and escalate privileges.
Microsoft has introduced new auditing features for SMB client compatibility, allowing admins to check if their environment supports stronger protections like SMB signing and Extended Protection for Authentication (EPA).
Experts note that patching alone is not enough—administrators must review their configurations and enable hardening measures to block potential relay attacks.
2. Azure Networking Vulnerability (CVE-2025-54914, CVSS 10.0)
This is the most severe flaw this month, with a perfect CVSS score of 10.0. It affects Azure Networking and could lead to privilege escalation. Fortunately, Microsoft states no customer action is required since it’s a cloud-side vulnerability already addressed in Azure.
3. Microsoft HPC Pack RCE (CVE-2025-55232, CVSS 9.8)
This remote code execution flaw in Microsoft’s High Performance Compute (HPC) Pack allows attackers to send malicious packets over the network to gain SYSTEM-level privileges.
4. Windows NTLM Privilege Escalation (CVE-2025-54918, CVSS 8.8)
This bug affects Windows NTLM authentication. If exploited, an attacker could gain SYSTEM privileges, although they may need valid credentials or hashes to succeed.
5. BitLocker Vulnerabilities
Two privilege escalation issues in Windows BitLocker (CVE-2025-54911 and CVE-2025-54912) have been patched. These flaws add to a set of four previously patched BitLocker bypass vulnerabilities from July 2025, collectively known as BitUnlocker.
Attackers with physical access to a device could potentially bypass BitLocker encryption to steal sensitive data. Microsoft recommends enabling TPM+PIN pre-boot authentication and applying the new REVISE mitigation to prevent downgrade attacks against BitLocker and Secure Boot.
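The TPM+PIN recommendation above can be checked and applied with the built-in BitLocker PowerShell module. This is an added example, not code from the article or from Microsoft; it assumes an elevated session and that Group Policy permits a startup PIN (otherwise Add-BitLockerKeyProtector refuses the TPM+PIN protector).

```powershell
# Added example (not from the article): audit BitLocker volumes for a pre-boot
# PIN and, where only a TPM-only protector exists, swap it for TPM+PIN.
# Assumes an elevated session and that policy allows "additional authentication
# at startup" with a PIN.
Import-Module BitLocker

function Get-BitLockerPinStatus {
    # One row per BitLocker volume, flagging volumes with no pre-boot PIN.
    foreach ($vol in Get-BitLockerVolume) {
        $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            # TpmPin and TpmPinStartupKey both require a PIN before the OS boots
            HasPreBootPin    = [bool]($types -match '^TpmPin')
        }
    }
}

function Add-PreBootPin {
    # Replace a TPM-only protector on the OS volume with a TPM+PIN protector.
    # $Pin is a SecureString, e.g. from Read-Host -AsSecureString.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if ($tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
}

# Audit first; remediate only the OS volume after confirming a recovery
# password protector is already escrowed.
Get-BitLockerPinStatus | Format-Table -AutoSize
```

Keep a RecoveryPassword protector in place before changing protectors, since a failed PIN setup otherwise risks locking the volume.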
6. Third-Party Component Flaw in SQL Server (CVE-2024-21907, CVSS 7.5)
A flaw in Newtonsoft.Json, a component used in SQL Server, could cause denial-of-service (DoS) attacks.

Security researchers also revealed a new technique called BitLockMove, which manipulates BitLocker’s registry keys through Windows Management Instrumentation (WMI). By hijacking COM objects, attackers could execute malicious code. If the compromised user has elevated privileges, this could lead to domain-wide compromise.
Microsoft is not the only company releasing critical patches this month. Security updates were also rolled out by Adobe, Cisco, VMware, Google, Dell, HP, IBM, Juniper, Linux distributions, NVIDIA, SAP, Samsung, Sophos, Zoom, and more. This highlights how organizations must remain alert and update not only Microsoft products but also third-party tools in their environment.
- Prioritize Critical Flaws – Pay special attention to the SMB vulnerability (CVE-2025-55234) and the Azure CVSS 10.0 flaw.
- Enable SMB Hardening – Turn on SMB signing and EPA to block relay attacks.
- Secure BitLocker – Use TPM+PIN for pre-boot authentication and enable REVISE mitigation.
- Apply Updates Promptly – Don’t delay Patch Tuesday updates; attackers often move quickly once details are public.
- Audit Environments – Use Microsoft’s new auditing features to check compatibility before hardening SMB servers.
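The SMB signing and auditing steps described for CVE-2025-55234 (and repeated in the list above) can be driven from the built-in SmbShare module. This is an added example, not code from the article or from Microsoft; the audit log channel name is an assumption, and the article gives no event IDs, so findings are filtered on message text.

```powershell
# Added example (not from the article): report SMB signing state, surface the
# new SMB server audit events, and enforce signing once clients are confirmed
# compatible. Run in an elevated PowerShell on the SMB server.
Import-Module SmbShare

function Get-SmbSigningState {
    # Current server- and client-side signing settings plus SPN validation level
    # (0 = off, 1 = accept if provided, 2 = required), which also limits relay.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature
        ServerEnablesSigning  = $srv.EnableSecuritySignature
        ClientRequiresSigning = $cli.RequireSecuritySignature
        ServerSpnValidation   = $srv.SmbServerNameHardeningLevel
    }
}

function Get-SmbAuditFindings {
    # Pull recent SMB server audit events mentioning signing or Extended
    # Protection. Log channel name is assumed; adjust if your build differs.
    param([int]$MaxEvents = 200)
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'sign|Extended Protection' } |
        Select-Object TimeCreated, Id, Message
}

function Enable-SmbSigning {
    # Require signing on both sides. Clients that cannot sign will be refused,
    # so act on the audit findings first.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

Get-SmbSigningState
Get-SmbAuditFindings | Format-Table -Wrap
# Enable-SmbSigning   # uncomment after reviewing the audit output
```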
Microsoft’s September 2025 Patch Tuesday is another reminder of the constant cybersecurity battle. With 80 flaws fixed, including critical vulnerabilities in Windows SMB, Azure Networking, NTLM, and BitLocker, organizations must act swiftly to secure their systems.
Even though no zero-day exploits are reported yet, the public disclosure of CVE-2025-55234 makes it an attractive target for attackers. Businesses should patch immediately, enable stronger authentication protections, and follow best practices to stay resilient against evolving threats.