Microsoft’s September 2025 Patch Tuesday delivers fixes for 81 vulnerabilities across Windows, Office, SQL Server, and other products. The update addresses two publicly disclosed zero-day flaws: one in Windows SMB (CVE-2025-55234) that could enable relay attacks, and another in Newtonsoft.Json (CVE-2024-21907) used by SQL Server that can cause denial-of-service.
Nine issues are rated critical, including five remote code execution bugs. Organizations should prioritize deployment of Windows 10/11 cumulative updates, apply the SQL Server fix, and review SMB hardening settings to reduce exposure.
Microsoft Patch Breakdown
This month’s Patch Tuesday release fixes 81 vulnerabilities across Microsoft products. The distribution by category is as follows:
41 Elevation of Privilege
2 Security Feature Bypass
22 Remote Code Execution
16 Information Disclosure
3 Denial of Service
1 Spoofing
Zero-Day Vulnerabilities
CVE-2025-55234: Windows SMB Elevation of Privilege. This flaw could be exploited in relay attacks. Microsoft recommends enabling SMB Signing and Extended Protection for Authentication (EPA), with new auditing features available to detect compatibility issues before enforcement.
CVE-2024-21907: Newtonsoft.Json Denial of Service, bundled with SQL Server. This vulnerability could allow an attacker to trigger a DoS condition.
Critical Vulnerabilities (9 total)
5 Remote Code Execution issues in Windows Graphics, Hyper-V, and Microsoft Office.
3 Elevation of Privilege flaws, including NTLM authentication bypass (CVE-2025-54918).
1 Information Disclosure issue in the Windows Imaging Component (CVE-2025-53799).
Affected Products
Windows 10 and Windows 11 (cumulative updates KB5065426, KB5065431, KB5065429)
Microsoft Office and Office apps (Excel, Word, Visio, PowerPoint)
Microsoft Graphics Components and Hyper-V
SQL Server (via Newtonsoft.Json update)
Azure services, HPC Pack, and Microsoft AutoUpdate
These patches cover a broad range of components that are widely deployed in enterprise environments, making timely rollout critical.
Notable Third-Party Updates
This month also includes updates affecting third-party components:
Newtonsoft.Json (bundled with SQL Server): A denial-of-service flaw (CVE-2024-21907) has been patched. SQL Server deployments that include Newtonsoft.Json should be updated promptly to prevent exploitation.
Microsoft AutoUpdate (MAU): Fixes for privilege escalation (CVE-2025-55317) reduce the risk of local attacks on Mac endpoints.
Azure Arc and Connected Machine Agent: Updates address privilege escalation vulnerabilities (CVE-2025-55316 and CVE-2025-49692) that could affect hybrid cloud environments.
These fixes highlight the importance of monitoring not only core Windows and Office updates but also ecosystem components like developer libraries and cloud agents that may be integrated into enterprise environments.
Prioritization Guidance
Given the range of vulnerabilities patched this month, IT teams should focus on the following actions:
1. Address Zero-Days Immediately
CVE-2025-55234 (Windows SMB Elevation of Privilege): Enable SMB Signing and EPA, and use the new auditing capabilities to validate before enforcement.
CVE-2024-21907 (Newtonsoft.Json DoS): Update SQL Server instances that include Newtonsoft.Json to mitigate denial-of-service risks.
2. Deploy Windows Cumulative Updates
Roll out KB5065426 and KB5065431 for Windows 11 (24H2 and 23H2)
Roll out KB5065429 for Windows 10
These include fixes for critical Graphics and Hyper-V vulnerabilities that allow remote code execution (e.g., CVE-2025-55226, CVE-2025-55228, CVE-2025-55236, CVE-2025-55224).
3. Mitigate Critical Office Exploits
CVE-2025-54910 (Office RCE) and related Excel/Visio flaws should be prioritized in organizations with heavy Office usage.
4. Monitor High-Risk Elevation of Privilege Issues
CVE-2025-54918 (NTLM improper authentication) and CVE-2025-53800 (Graphics privilege escalation) could provide attackers with domain-level access if chained with other exploits.
5. Review CISA KEV Catalog
As CISA updates its Known Exploited Vulnerabilities (KEV) catalog, IT admins should cross-check to ensure any actively exploited CVEs from this release are prioritized for immediate patching.
How Splashtop AEM Can Help
Keeping pace with Patch Tuesday can be overwhelming, especially with zero-days in widely used services like SMB and SQL Server. Splashtop AEM gives IT teams the visibility, speed, and automation they need to stay ahead.
Stay Ahead of Exploits with CVE Insights
Splashtop AEM maps vulnerabilities directly to CVEs, helping teams quickly identify which systems are affected by high-priority flaws such as CVE-2025-55234 (Windows SMB relay attack) or CVE-2025-54910 (Office RCE).
Automate Patching Across Platforms
Instead of manually tracking KB updates or juggling multiple tools, IT teams can deploy patches across Windows, macOS, and third-party apps in real time. This means cumulative updates like KB5065426 and KB506543 for Windows 11 or the Newtonsoft.Json fix for SQL Server can be rolled out automatically.
Go Beyond Intune’s Limitations
Organizations relying on Intune often face delayed patch cycles and limited third-party coverage. Splashtop AEM closes those gaps with faster check-ins, third-party patching support, and deeper control through policy-based automation.
A Modern Alternative to Heavy RMMs
Traditional RMM platforms are complex and resource-heavy. Splashtop AEM provides the essential dashboards, scripting, and ring-based deployments IT admins need, without the overhead. This makes it easier to remediate vulnerabilities like NTLM privilege elevation (CVE-2025-54918) across environments quickly.
Real-Time Visibility and Control
From compliance reporting to endpoint inventory, Splashtop AEM ensures IT has full visibility. Security teams can see which devices are patched, automate follow-up actions, and act on alerts without delays.
With Splashtop AEM, IT teams can reduce manual effort, patch faster, and keep systems resilient against the types of vulnerabilities seen in this month’s release.
Try Splashtop AEM for Free
September’s Patch Tuesday highlights just how quickly vulnerabilities can stack up, from zero-day SMB exploits to critical Office and SQL Server flaws. Splashtop AEM helps you cut through the noise with automated patching, real-time visibility, and CVE-driven insights that keep your endpoints secure without adding extra workload.
Start your free trial today and see how easy proactive patch management can be with Splashtop AEM.
