.Microsoft on Tuesday introduced 81 patches affecting 15 product households. 9 of the addressed points are thought-about by Microsoft to be of Important severity, and 9 have a CVSS base rating of 8.0 or larger\u00a0\u2014 although, to be clear, they\u2019re not the identical 9 points. None are identified to be underneath energetic exploit within the wild, although one Home windows subject (CVE-2025-55234, affecting SMB) has been publicly disclosed.\u00a0<\/span>\u00a0<\/span><\/p>\n At patch time, eight CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate\u2019s estimation. Numerous of this month\u2019s points are amenable to direct detection by Sophos protections, and we embrace data on these in a desk beneath. As well as, a number of CVEs not included on this month\u2019s depend, all however one affecting Edge, are already patched. Now we have included titles and CVEs for all of those in Appendix D, together with data on two patches this month for Adobe Reader, one Important in severity.<\/span>\u00a0<\/span><\/p>\n We’re as all the time together with on the finish of this put up further appendices itemizing all Microsoft\u2019s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household. One other appendix covers advisory-style updates and the listing of points mentioned on this month\u2019s launch supplies however mitigated previous to the discharge, and one other gives breakout of the patches affecting the assorted Home windows Server platforms nonetheless in help.\u00a0<\/span>\u00a0<\/span><\/p>\n By the numbers<\/span><\/b>\u00a0<\/span><\/p>\n Determine 1: Elevation of Privilege vulnerabilities outpace Distant Code Execution flaws for the third month in a row, however RCE points as soon as once more account for extra Important-severity patches<\/span><\/i>\u00a0<\/span><\/p>\n Merchandise<\/span><\/b>\u00a0<\/span><\/p>\n As is our customized for this listing, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. We notice, by the way in which, that CVE names don\u2019t all the time mirror affected product households carefully. Specifically, some CVEs names within the Workplace household could point out merchandise that don\u2019t seem within the listing of merchandise affected by the CVE, and vice versa.\u00a0(CVE-2025-54907, \u201c<\/span>Microsoft Workplace Visio Distant Code Execution Vulnerability<\/span>,\u201d is a superb instance of this for September; Visio doesn’t seem within the listing of merchandise affected by this subject.)<\/span>\u00a0<\/span><\/p>\n OfficePLUS is an add-on to the standard Workplace suite. As such, Microsoft identifies it as being in its personal product household. We\u2019ve additionally chosen to listing the only Workplace for Android patch as present in its family as effectively; see beneath for dialogue of this CVE.<\/span> Determine 2: Home windows accounts for practically three-quarters of the September patch set, which is probably much less shocking than the looks of Xbox on this roundup<\/span><\/i>\u00a0<\/span><\/p>\n Notable September updates<\/span><\/b>\u00a0<\/span><\/p>\n Along with the problems mentioned above, a wide range of particular gadgets benefit consideration.\u00a0<\/span>\u00a0<\/span><\/p>\n CVE-2025-55234 \u2014 Home windows SMB Elevation of Privilege Vulnerability<\/span><\/b>\u00a0<\/span><\/p>\n This authentication Elevation of Privilege subject in Home windows\u2019 Server Message Block protocol is the one vulnerability this month already identified to be public, and Microsoft expects it to be extra doubtless than most to be exploited throughout the subsequent 30 days. That stated, the SMB Server has a number of mechanisms for hardening towards relay assaults corresponding to this would possibly permit, and the corporate directs involved directors\u2019 consideration to <\/span>extra data<\/span><\/a> on these strategies.\u00a0<\/span>\u00a0<\/span><\/p>\n CVE-2025-55232 \u2014 Microsoft Excessive Efficiency Compute (HPC) Pack Distant Code Execution Vulnerability<\/span><\/b>\u00a0<\/span><\/p>\n This subject, which Microsoft assigns an Essential severity however a CVSS Base rating of 9.8, might probably permit an attacker to perform distant code execution with out person interplay. The issue includes port 5999, and the corporate recommends that customers run their HPC Pack clusters in a trusted community secured by firewall guidelines particularly for <\/span>that TCP port<\/span><\/a>, which is often enabled for distant administration.<\/span>\u00a0<\/span><\/p>\n CVE-2025-53799 \u2014 Home windows Imaging Part Info Disclosure Vulnerability<\/span><\/b>\u00a0<\/span><\/p>\n This Important-severity Info Disclosure subject is, unusually, shared between Home windows and Workplace for Android (however no different model of Workplace). The attacker must persuade the goal to open a maliciously constructed file, and would in return be capable to learn small parts of heap reminiscence, making this prone to function a small a part of a better assault chain.<\/span>\u00a0<\/span><\/p>\n CVE-2025-54897 \u2014 Microsoft SharePoint Distant Code Execution Vulnerability<\/span><\/b>\u00a0<\/span><\/p>\n It\u2019s <\/span>kitten on the keys<\/span><\/a> time once more with the return to the MAPP finder roll of zcgonvh\u2019s cat Vanilla, that fearsome hunter of SharePoint bugs. This month\u2019s catch is an Essential-severity RCE weighing in at a sturdy 8.8 CVSS Base rating. <\/span>Good kitty.<\/span>\u00a0<\/span><\/p>\n CVE-2025-54107, CVE-2025-54917\u00a0 \u2014 MapUrlToZone Safety Function Bypass Vulnerability (two CVEs)<\/span><\/b>\u00a0<\/span><\/p>\n As Home windows 10 enters its <\/span>final month of mainstream help<\/span><\/a>, these two identically named CVEs \u2013 delivered to you by the letters I and E \u2013 remind us that <\/span>the previous isn’t useless; it\u2019s not even previous<\/span><\/a>, a minimum of in case your working system\u2019s DNA contains bits from that long-retired browser. Each are Safety Function Bypass problems with Essential severity. Forty-four of this month\u2019s patches apply to Home windows 10, together with these two.<\/span>\u00a0<\/span><\/p>\n\n
\n
\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/09\/2509pt-fig01.png\")
<\/a><\/p>\n\n
<\/a><\/span><\/p>\n