Microsoft Patch Tuesday September 2025

    Published: 2025-09-09. Last Updated: 2025-09-09 17:42:34 UTC
    by Johannes Ullrich (Version: 1)

    As part of its September Patch Tuesday, Microsoft addressed 177 different vulnerabilities, 86 of which affect Microsoft products. None of the vulnerabilities has been exploited before today. Two of the vulnerabilities were already made public. Microsoft rates 13 of the vulnerabilities as critical.

    You will see a number of vulnerabilities without assigned severity. These vulnerabilities affect Linux distributions like Mariner, Microsoft's Linux distribution used in its cloud environments, and Azure Linux.

    Vulnerabilities of Interest:

    CVE-2025-54107, CVE-2025-54917: Microsoft assigns URLs to different security zones, like "Intranet" and "Internet". URLs may be misclassified. An attacker could use this vulnerability to bypass security features that restrict more risky URLs.

    CVE-2025-55226, CVE-2025-55236: The description for these vulnerabilities is a bit odd. Microsoft labels them as "remote code execution" vulnerabilities, but states that they allow an "authorized attacker to execute code locally." I suspect that the remote part refers to a user unknowingly executing the code by viewing an image. The CVSS score is still low for a "critical" vulnerability.

    Overall, there is no "patch now" vulnerability included. Apply patches in line with your local vulnerability management policy (hopefully before next month's patch Tuesday).

     

    Description (title line, followed by one row per CVE)
    CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
    ACPI: pfr_update: Fix the driver update version check
    CVE-2025-39701 No No - - -    
    ALSA: usb-audio: Validate UAC3 power domain descriptors, too
    CVE-2025-38729 No No - - - 7.0 7.0
    ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
    CVE-2025-38706 No No - - - 4.7 4.7
    Azure Arc Elevation of Privilege Vulnerability
    CVE-2025-55316 No No - - Important 7.8 6.8
    Azure Bot Service Elevation of Privilege Vulnerability
    CVE-2025-55244 No No - - Critical 9.0 7.8
    Azure Connected Machine Agent Elevation of Privilege Vulnerability
    CVE-2025-49692 No No - - Important 7.8 6.8
    Azure Entra Elevation of Privilege Vulnerability
    CVE-2025-55241 No No - - Critical 9.0 7.8
    Azure Networking Elevation of Privilege Vulnerability
    CVE-2025-54914 No No - - Critical 10.0 8.7
    Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability
    CVE-2025-54108 No No - - Important 7.0 6.1
    DirectX Graphics Kernel Elevation of Privilege Vulnerability
    CVE-2025-55223 No No - - Important 7.0 6.1
    Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability
    CVE-2025-55238 No No - - Critical 7.5 6.5
    Glib: buffer under-read on glib through glib/gfileutils.c via get_tmp_file()
    CVE-2025-7039 No No - - - 3.7 3.7
    Graphics Kernel Remote Code Execution Vulnerability
    CVE-2025-55226 No No - - Critical 6.7 5.8
    CVE-2025-55236 No No - - Critical 7.3 6.4
    HTTP.sys Denial of Service Vulnerability
    CVE-2025-53805 No No - - Important 7.5 6.5
    Libsoup: improper handling of http vary header in libsoup caching
    CVE-2025-9901 No No - - - 5.9 5.6
    Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
    CVE-2025-53809 No No - - Important 6.5 5.7
    Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
    CVE-2025-54894 No No - - Important 7.8 6.8
    LoongArch: BPF: Fix jump offset calculation in tailcall
    CVE-2025-38723 No No - - - 5.5 5.5
    MIPS: Don't crash in stack_top() for tasks without ABI or vDSO
    CVE-2025-38696 No No - - - 5.5 5.5
    MapUrlToZone Security Feature Bypass Vulnerability
    CVE-2025-54107 No No - - Important 4.3 3.8
    CVE-2025-54917 No No - - Important 4.3 3.8
    Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
    CVE-2025-55317 No No - - Important 7.8 6.8
    Microsoft Brokering File System Elevation of Privilege Vulnerability
    CVE-2025-54105 No No - - Important 7.0 6.1
    Microsoft DWM Core Library Elevation of Privilege Vulnerability
    CVE-2025-53801 No No - - Important 7.8 6.8
    Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
    CVE-2025-53791 No No - - Moderate 4.7 4.1
    Microsoft Excel Information Disclosure Vulnerability
    CVE-2025-54901 No No - - Important 5.5 4.8
    Microsoft Excel Remote Code Execution Vulnerability
    CVE-2025-54896 No No - - Important 7.8 6.8
    CVE-2025-54898 No No - - Important 7.8 6.8
    CVE-2025-54899 No No - - Important 7.8 6.8
    CVE-2025-54902 No No - - Important 7.8 6.8
    CVE-2025-54903 No No - - Important 7.8 6.8
    CVE-2025-54904 No No - - Important 7.8 6.8
    CVE-2025-54900 No No - - Important 7.8 6.8
    Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
    CVE-2025-55232 No No - - Important 9.8 8.5
    Microsoft Office Remote Code Execution Vulnerability
    CVE-2025-54906 No No - - Important 7.8 6.8
    CVE-2025-54910 No No - - Critical 8.4 7.3
    Microsoft Office Visio Remote Code Execution Vulnerability
    CVE-2025-54907 No No - - Important 7.8 6.8
    Microsoft OfficePlus Spoofing Vulnerability
    CVE-2025-55243 No No - - Important 7.5 6.5
    Microsoft PowerPoint Remote Code Execution Vulnerability
    CVE-2025-54908 No No - - Important 7.8 6.8
    Microsoft SQL Server Elevation of Privilege Vulnerability
    CVE-2025-55227 No No - - Important 8.8 7.7
    Microsoft SQL Server Information Disclosure Vulnerability
    CVE-2025-47997 No No - - Important 6.5 5.7
    Microsoft SharePoint Remote Code Execution Vulnerability
    CVE-2025-54897 No No - - Important 8.8 7.7
    Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability
    CVE-2025-54112 No No - - Important 7.0 6.1
    Microsoft Word Information Disclosure Vulnerability
    CVE-2025-54905 No No - - Important 7.1 6.2
    NFS: Fix a race when updating an existing write
    CVE-2025-39697 No No - - - 5.5 5.5
    NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
    CVE-2025-39730 No No - - - 7.5 7.5
    Podman: podman kube play command may overwrite host files
    CVE-2025-9566 No No - - - 8.1 8.1
    PowerShell Direct Elevation of Privilege Vulnerability
    CVE-2025-49734 No No - - Important 7.0 6.1
    SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Elevation of Privilege Vulnerability
    CVE-2025-54895 No No - - Important 7.8 6.8
    VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json
    CVE-2024-21907 Yes No - - -    
    Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
    CVE-2025-54099 No No - - Important 7.0 6.1
    Windows BitLocker Elevation of Privilege Vulnerability
    CVE-2025-54911 No No - - Important 7.3 6.4
    CVE-2025-54912 No No - - Important 7.8 6.8
    Windows Bluetooth Service Elevation of Privilege Vulnerability
    CVE-2025-53802 No No - - Important 7.0 6.1
    Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability
    CVE-2025-54114 No No - - Important 7.0 6.1
    Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
    CVE-2025-54102 No No - - Important 7.8 6.8
    Windows Defender Firewall Service Elevation of Privilege Vulnerability
    CVE-2025-53808 No No - - Important 6.7 5.8
    CVE-2025-53810 No No - - Important 6.7 5.8
    CVE-2025-54094 No No - - Important 6.7 5.8
    CVE-2025-54104 No No - - Important 6.7 5.8
    CVE-2025-54109 No No - - Important 6.7 5.8
    CVE-2025-54915 No No - - Important 6.7 5.8
    Windows Graphics Component Elevation of Privilege Vulnerability
    CVE-2025-53800 No No - - Critical 7.8 6.8
    CVE-2025-53807 No No - - Important 7.0 6.1
    Windows Graphics Component Remote Code Execution Vulnerability
    CVE-2025-54919 No No - - Important 7.5 6.5
    CVE-2025-55228 No No - - Critical 7.8 6.8
    Windows Hyper-V Elevation of Privilege Vulnerability
    CVE-2025-54091 No No - - Important 7.8 6.8
    CVE-2025-54092 No No - - Important 7.8 6.8
    CVE-2025-54098 No No - - Important 7.8 6.8
    CVE-2025-54115 No No - - Important 7.0 6.1
    Windows Hyper-V Remote Code Execution Vulnerability
    CVE-2025-55224 No No - - Critical 7.8 6.8
    Windows Imaging Component Information Disclosure Vulnerability
    CVE-2025-53799 No No - - Critical 5.5 4.8
    Windows Kernel Elevation of Privilege Vulnerability
    CVE-2025-54110 No No - - Important 8.8 7.7
    Windows Kernel Memory Information Disclosure Vulnerability
    CVE-2025-53803 No No - - Important 5.5 4.8
    Windows Kernel-Mode Driver Information Disclosure Vulnerability
    CVE-2025-53804 No No - - Important 5.5 4.8
    Windows Management Service Elevation of Privilege Vulnerability
    CVE-2025-54103 No No - - Important 7.4 6.4
    Windows MultiPoint Services Elevation of Privilege Vulnerability
    CVE-2025-54116 No No - - Important 7.3 6.4
    Windows NTFS Remote Code Execution Vulnerability
    CVE-2025-54916 No No - - Important 7.8 6.8
    Windows NTLM Elevation of Privilege Vulnerability
    CVE-2025-54918 No No - - Critical 8.8 7.7
    Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
    CVE-2025-53797 No No - - Important 6.5 5.7
    CVE-2025-53798 No No - - Important 6.5 5.7
    CVE-2025-54095 No No - - Important 6.5 5.7
    CVE-2025-54096 No No - - Important 6.5 5.7
    CVE-2025-54097 No No - - Important 6.5 5.7
    CVE-2025-55225 No No - - Important 6.5 5.7
    CVE-2025-53796 No No - - Important 6.5 5.7
    CVE-2025-53806 No No - - Important 6.5 5.7
    Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
    CVE-2025-54106 No No - - Important 8.8 7.7
    CVE-2025-54113 No No - - Important 8.8 7.7
    Windows SMB Client Remote Code Execution Vulnerability
    CVE-2025-54101 No No - - Important 4.8 4.2
    Windows SMB Elevation of Privilege Vulnerability
    CVE-2025-55234 Yes No - - Important 8.8 7.7
    Windows TCP/IP Driver Elevation of Privilege Vulnerability
    CVE-2025-54093 No No - - Important 7.0 6.1
    Windows UI XAML Maps MapControlSettings Elevation of Privilege Vulnerability
    CVE-2025-54913 No No - - Important 7.8 6.8
    Windows UI XAML Phone DatePickerFlyout Elevation of Privilege Vulnerability
    CVE-2025-54111 No No - - Important 7.8 6.8
    Xbox Certification Bug Copilot Djando Information Disclosure Vulnerability
    CVE-2025-55242 No No - - Critical 6.5 5.7
    Xbox Gaming Services Elevation of Privilege Vulnerability
    CVE-2025-55245 No No - - Important 7.8 6.8
    cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
    CVE-2025-57052 No No - - - 9.8 9.8
    comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
    CVE-2025-39684 No No - - - 5.5 5.5
    comedi: Make insn_rw_emulate_bits() do insn->n samples
    CVE-2025-39686 No No - - - 5.5 5.5
    comedi: fix race between polling and detaching
    CVE-2025-38687 No No - - - 5.5 5.5
    comedi: pcl726: Prevent invalid irq number
    CVE-2025-39685 No No - - - 5.5 5.5
    crypto: qat - flush misc workqueue during device shutdown
    CVE-2025-39721 No No - - - 7.0 7.0
    drbd: add missing kref_get in handle_write_conflicts
    CVE-2025-38708 No No - - - 6.3 6.3
    drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
    CVE-2025-39675 No No - - - 5.5 5.5
    drm/amd/display: Avoid a NULL pointer dereference
    CVE-2025-39693 No No - - - 5.5 5.5
    drm/amd/display: fix a Null pointer dereference vulnerability
    CVE-2025-39705 No No - - - 5.5 5.5
    drm/amd/pm: fix null pointer access
    CVE-2025-38705 No No - - - 5.5 5.5
    drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities
    CVE-2025-39707 No No - - - 5.5 5.5
    drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
    CVE-2025-39706 No No - - - 5.5 5.5
    drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor().
    CVE-2025-39679 No No - - - 5.5 5.5
    drm/xe: Make dma-fences compliant with the safe access rules
    CVE-2025-38703 No No - - - 7.8 7.8
    exfat: add cluster chain loop check for dir
    CVE-2025-38692 No No - - - 7.0 7.0
    ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
    CVE-2025-38701 No No - - - 7.0 6.4
    f2fs: vm_unmap_ram() may be called from an invalid context
    CVE-2025-39731 No No - - - 5.5 5.5
    fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
    CVE-2025-38685 No No - - - 7.8 7.8
    fbdev: fix potential buffer overflow in do_register_framebuffer()
    CVE-2025-38702 No No - - - 7.8 7.1
    fs/buffer: fix use-after-free when call bh_read() helper
    CVE-2025-39691 No No - - - 7.1 7.1
    fs/ntfs3: Add sanity check for file name
    CVE-2025-38707 No No - - - 5.5 5.5
    ftrace: Also allocate and copy hash for reading of filter files
    CVE-2025-39689 No No - - - 7.1 6.5
    gfs2: Validate i_depth for exhash directories
    CVE-2025-38710 No No - - - 7.0 6.4
    gve: prevent ethtool ops after shutdown
    CVE-2025-38735 No No - - - 7.0 7.0
    habanalabs: fix UAF in export_dmabuf()
    CVE-2025-38722 No No - - - 5.5 5.5
    hfs: fix general protection fault in hfs_find_init()
    CVE-2025-38716 No No - - - 5.5 5.5
    hfs: fix slab-out-of-bounds in hfs_bnode_read()
    CVE-2025-38715 No No - - - 5.5 5.5
    hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
    CVE-2025-38712 No No - - - 5.5 5.5
    hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
    CVE-2025-38714 No No - - - 9.0 8.2
    hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
    CVE-2025-38713 No No - - - 6.1 6.1
    iio: imu: bno055: fix OOB access of hw_xlate array
    CVE-2025-39719 No No - - - 5.5 5.5
    iio: light: as73211: Ensure buffer holes are zeroed
    CVE-2025-39687 No No - - - 5.5 5.5
    io_uring/net: commit partial buffers on retry
    CVE-2025-38730 No No - - - 5.5 5.5
    iommufd: Prevent ALIGN() overflow
    CVE-2025-38688 No No - - - 7.1 7.1
    ipv6: sr: Fix MAC comparison to be constant-time
    CVE-2025-39702 No No - - - 7.1 7.1
    jfs: Regular file corruption check
    CVE-2025-38698 No No - - - 7.1 6.5
    jfs: upper bound check of tree index in dbAllocAG
    CVE-2025-38697 No No - - - 7.1 7.1
    ksmbd: fix refcount leak causing resource not released
    CVE-2025-39720 No No - - - 5.5 5.5
    loop: Avoid updating block size under exclusive owner
    CVE-2025-38709 No No - - - 7.0 6.4
    media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
    CVE-2025-39711 No No - - - 7.0 7.0
    media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
    CVE-2025-39713 No No - - - 7.0 7.0
    media: usbtv: Lock resolution while streaming
    CVE-2025-39714 No No - - - 5.5 5.5
    media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
    CVE-2025-38680 No No - - - 3.3 3.3
    media: venus: Add a check for packet size after reading from shared memory
    CVE-2025-39710 No No - - -    
    media: venus: Fix OOB read due to missing payload bound check
    CVE-2025-38679 No No - - - 5.5 5.5
    media: venus: protect against spurious interrupts during probe
    CVE-2025-39709 No No - - - 5.5 5.5
    mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
    CVE-2025-38681 No No - - - 5.5 5.5
    net, hsr: reject HSR frame if skb can't hold tag
    CVE-2025-39703 No No - - - 7.0 6.4
    net/sched: Fix backlog accounting in qdisc_dequeue_internal
    CVE-2025-39677 No No - - - 7.0 6.4
    net/sched: ets: use old 'nbands' while purging unused classes
    CVE-2025-38684 No No - - - 7.0 7.0
    net/smc: fix UAF on smcsk after smc_listen_out()
    CVE-2025-38734 No No - - - 5.5 5.5
    net: kcm: Fix race condition in kcm_unattach()
    CVE-2025-38717 No No - - - 5.5 5.5
    net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
    CVE-2025-38736 No No - - - 5.5 5.5
    net: usb: asix_devices: add phy_mask for ax88772 mdio bus
    CVE-2025-38725 No No - - - 5.5 5.5
    netfilter: ctnetlink: fix refcount leak on table dump
    CVE-2025-38721 No No - - - 5.5 5.5
    netfilter: nf_reject: don't leak dst refcount for loopback packets
    CVE-2025-38732 No No - - - 7.0 7.0
    netfilter: nf_tables: reject duplicate device on updates
    CVE-2025-38678 No No - - - 6.0 6.0
    nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
    CVE-2025-38724 No No - - - 6.8 6.8
    pNFS: Fix uninited ptr deref in block/scsi layout
    CVE-2025-38691 No No - - - 5.5 5.5
    parisc: Revise __get_user() to probe user read access
    CVE-2025-39716 No No - - - 5.5 5.5
    parisc: Revise gateway LWS calls to probe user read access
    CVE-2025-39715 No No - - - 5.5 5.5
    ppp: fix race conditions in ppp_fill_forward_path
    CVE-2025-39673 No No - - - 7.0 7.0
    rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
    CVE-2025-38704 No No - - - 5.5 5.5
    s390/ism: fix concurrency management in ism_cmd()
    CVE-2025-39726 No No - - - 5.5 5.5
    s390/sclp: Fix SCCB present check
    CVE-2025-39694 No No - - - 7.0 7.0
    scsi: bfa: Double-free fix
    CVE-2025-38699 No No - - - 7.8 7.8
    scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
    CVE-2025-38700 No No - - - 4.7 4.7
    scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
    CVE-2025-38695 No No - - - 7.0 6.4
    scsi: qla4xxx: Prevent a potential error pointer dereference
    CVE-2025-39676 No No - - - 5.5 5.5
    sctp: linearize cloned gso packets in sctp_rcv
    CVE-2025-38718 No No - - - 7.0 6.4
    serial: 8250: fix panic due to PSLVERR
    CVE-2025-39724 No No - - - 5.5 5.5
    smb/server: avoid deadlock when linking with ReplaceIfExists
    CVE-2025-38711 No No - - - 5.5 5.5
    smb3: fix for slab out of bounds on mount to ksmbd
    CVE-2025-38728 No No - - - 5.5 5.5
    smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()
    CVE-2025-39692 No No - - - 5.5 5.5
    tls: fix handling of zero-length records on the rx_list
    CVE-2025-39682 No No - - - 6.5 6.5
    tracing: Limit access to parser->buffer when trace_get_user failed
    CVE-2025-39683 No No - - - 7.1 7.1
    vsock/virtio: Validate length in packet header before skb_put()
    CVE-2025-39718 No No - - - 5.5 5.5
    wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()
    CVE-2025-39732 No No - - - 7.0 7.0
    x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
    CVE-2025-39681 No No - - - 5.5 5.5
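
    Added example (not part of the original diary or of any ISC or Microsoft tooling): a Python parser for the row layout of the table above that sorts CVEs into review buckets, including the entries without a severity that the diary mentions. The sample is a handful of rows taken from the table; the bucket names and the 7.0 cut-off for unrated entries are assumptions made for illustration.

```python
import re

# Constructed sample: a few rows in the layout of the table above
# (a title line followed by one or more CVE rows).
SAMPLE = """\
Azure Networking Elevation of Privilege Vulnerability
CVE-2025-54914 No No - - Critical 10.0 8.7
Graphics Kernel Remote Code Execution Vulnerability
CVE-2025-55226 No No - - Critical 6.7 5.8
CVE-2025-55236 No No - - Critical 7.3 6.4
Windows SMB Elevation of Privilege Vulnerability
CVE-2025-55234 Yes No - - Important 8.8 7.7
VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json
CVE-2024-21907 Yes No - - -
hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
CVE-2025-38714 No No - - - 9.0 8.2
"""

# CVE, Disclosed, Exploited, two exploitability columns, Severity, and
# optionally the two CVSS averages (some rows carry no score at all).
ROW = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(Yes|No)\s+(Yes|No)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"(?:\s+([\d.]+)\s+([\d.]+))?\s*$"
)

def parse(text):
    """Return one dict per CVE row, tagged with the title line above it."""
    rows, title = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            # Title lines may mention a CVE id, but never start with one.
            title = line
            continue
        cve, disclosed, exploited, _old, _cur, sev, base, temporal = m.groups()
        rows.append({
            "cve": cve, "title": title,
            "disclosed": disclosed == "Yes", "exploited": exploited == "Yes",
            "severity": None if sev == "-" else sev,
            "base": float(base) if base else None,
            "temporal": float(temporal) if temporal else None,
        })
    return rows

def triage(rows, high=7.0):
    """Group CVE ids into review buckets; 'high' is an assumed cut-off."""
    b = {k: [] for k in ("exploited", "disclosed", "critical",
                         "unrated_high", "unscored")}
    for r in rows:
        if r["exploited"]: b["exploited"].append(r["cve"])
        if r["disclosed"]: b["disclosed"].append(r["cve"])
        if r["severity"] == "Critical": b["critical"].append(r["cve"])
        if r["base"] is None: b["unscored"].append(r["cve"])
        elif r["severity"] is None and r["base"] >= high:
            b["unrated_high"].append(r["cve"])  # no vendor severity, high CVSS
    return b
```

    Calling triage(parse(SAMPLE)) returns the buckets as a dict of CVE id lists; the same two functions work on the full table text when it is pasted in place of SAMPLE.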

    --
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu