Overview
- Microsoft released its September updates covering roughly 80–86 vulnerabilities across Windows, Office, Azure and more; none was observed under active exploitation, and eight were rated "Exploitation More Likely".
- Two publicly disclosed zero-days were addressed: CVE-2025-55234 in Windows SMB, which enables relay-based privilege escalation, and CVE-2024-21907 in Newtonsoft.Json, which causes denial of service. The SMB fix ships with new auditing to help administrators enable SMB signing and Extended Protection for Authentication (EPA) without breaking compatibility.
- The most severe issue, CVE-2025-55232 in Microsoft HPC Pack (CVSS 9.8), allows unauthenticated remote code execution and is potentially wormable; Microsoft urges rapid patching, cluster isolation and blocking TCP port 5999.
- CVE-2025-54918 in NTLM can let an authenticated attacker escalate to SYSTEM privileges over the network, prompting warnings about lateral movement and ransomware deployment risks.
- Researchers note a dispute over whether CVE-2025-54916 in NTFS is exploitable over the network, and emphasize that many of this month's fixes are elevation-of-privilege issues in the Kernel, Hyper-V and TCP/IP that warrant prioritization alongside the RCEs.