Virtual Administrator’s September 2025 Patch Recommendations

All new patches will be approved in our patch policy.
This month Microsoft released patches for 81 vulnerabilities with 13 rated “Critical” in severity.
This month’s Patch Tuesday includes 13 critical updates but no true actively exploited zero-day vulnerabilities.
- CVE-2025-54918 is a flaw with Windows NTLM allowing an authorized attacker to elevate privileges over a network.
- Windows SMB Elevation of Privilege vulnerability (CVE-2025-55234) could allow SMB relay attacks to escalate privileges on the target system.
- CVE-2024-21907 could allow a denial-of-service condition through the .NET library Newtonsoft.Json.
- CVE-2025-54916 is a Remote Code Execution vulnerability: a stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.
- A few new SSUs for Windows Server 2012/2016 and Windows 10 versions 1507/1607.
Disclosed: CVE-2024-21907, CVE-2025-55234
Exploited: None
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 9/09/2025)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10/11 Servicing Stack Updates are included in the monthly Cumulative Updates.
FYI: Lenovo laptops crashing on Teams/Zoom meetings
Issue occurred with Intel Graphics driver v32.0.101.6913. Roll back the Intel Graphics driver to a previous version such as v32.0.101.6326 or v32.0.101.6733.
https://pcsupport.lenovo.com/us/en/solutions/HT518017
Known Issues
Microsoft confirmed an issue affecting hotpatched Windows 11 v24H2 and Windows Server 2022/2025 devices.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely to occur now.
“PSDirect connections failing in hot-patched devices”
Affected platforms: Windows 11 v24H2, Windows Server 2022/2025
Symptoms: We are aware of an edge case affecting hotpatched devices that have installed the September 2025 Hotpatch update or the September 2025 security update. These devices might experience failures with PowerShell Direct (PSDirect) connections when the host and guest virtual machines (VMs) are both not fully updated.
When a patched guest VM attempts to connect to an unpatched host (or vice versa), the system is expected to fall back to a legacy handshake and clean up the socket gracefully. However, this fallback mechanism fails intermittently, resulting in socket cleanup issues. The connection failure might appear random, and users might observe Event ID 4625 logged in the Security Event log within Windows Event Viewer.
Workaround: This issue is addressed in KB5066359, KB5066360. If your hot-patched device is experiencing issues with PSDirect connection, we recommend updating both the host and guest VM with these updates.
KB5066359—Security Update for Windows PowerShell (Hotpatch)
https://support.microsoft.com/en-us/topic/kb5066359-security-update-for-windows-powershell-hotpatch-e7476f72-c231-4014-bb45-bbbc97629be6
KB5066360—Security Update for Windows PowerShell on Windows 11 Enterprise LTSC 2024 (Hotpatch)
https://support.microsoft.com/en-us/topic/kb5066360-security-update-for-windows-powershell-on-windows-11-enterprise-ltsc-2024-hotpatch-1168dc4c-fa82-439d-9fc8-7d4231de0d5c
Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5065507 – Windows Server 2012 R2 (ESU)
- KB5065509 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5065430 – Original release version 1507 (OS Build 10240)
- KB5065427 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5065428 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5065429 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5065429 – Version 22H2 “November 2022 Update” (OS Build 19045)
(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5065431 – 22H2 (OS Build 22621)
- KB5065431 – 23H2 (OS Build 22631)
- KB5065426 – 24H2 (OS Build 26100)
(Version 21H2 is no longer under support)
Windows Server
- KB5065427 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5065428 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5065432 – Server 2022 (OS Build 20348)
- KB5065425 – Server 23H2 (OS Build 25398)
- KB5065426 – Server 2025 (OS Build 26100)
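A quick way to confirm a machine picked up the update listed above for its OS build. This is an added example, not part of the original bulletin; the function name `Test-SeptemberPatch` is hypothetical, and the build numbers for Server 2012 and 2012 R2 are supplied here because the page does not state them.

```powershell
# Added example. Build-to-KB pairs are copied from the lists above; the builds
# for Server 2012 (9200) and 2012 R2 (9600) are not stated on the page.
$SeptemberKb = @{
    '9200'  = 'KB5065509'   # Server 2012 (ESU), Monthly Rollup
    '9600'  = 'KB5065507'   # Server 2012 R2 (ESU), Monthly Rollup
    '10240' = 'KB5065430'   # Windows 10 1507
    '14393' = 'KB5065427'   # Windows 10 1607 / Server 2016
    '17763' = 'KB5065428'   # Windows 10 1809 / Server 2019
    '19044' = 'KB5065429'   # Windows 10 21H2
    '19045' = 'KB5065429'   # Windows 10 22H2
    '20348' = 'KB5065432'   # Server 2022
    '22621' = 'KB5065431'   # Windows 11 22H2
    '22631' = 'KB5065431'   # Windows 11 23H2
    '25398' = 'KB5065425'   # Server 23H2
    '26100' = 'KB5065426'   # Windows 11 24H2 / Server 2025
}

function Test-SeptemberPatch {
    param(
        # Defaults read the local machine; pass values to check an inventory row.
        [string]$Build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber,
        [string[]]$InstalledKb = (Get-HotFix).HotFixID
    )
    $kb = $SeptemberKb[$Build]
    if (-not $kb) {
        # Build is not in the list above (for example an unsupported version).
        return [pscustomobject]@{ Build = $Build; ExpectedKb = $null; Status = 'NotListed' }
    }
    # NotFound is not proof of exposure: once a later cumulative update is
    # installed, Get-HotFix may no longer list this KB, and hotpatch KBs are
    # not part of this map.
    $status = if ($InstalledKb -contains $kb) { 'Installed' } else { 'NotFound' }
    [pscustomobject]@{ Build = $Build; ExpectedKb = $kb; Status = $status }
}

Test-SeptemberPatch                                          # this machine
Test-SeptemberPatch -Build '17763' -InstalledKb 'KB0000000'  # constructed inventory row
```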
September 2025 updates for Microsoft Office
Notable CVEs
CVE-2024-21907 | Improper Handling of Exceptional Conditions in Newtonsoft.Json (KB5065222, KB5065223, KB5065224, KB5065225, KB5065226, KB5065227)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907
Addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability (Click to Run, KB5002781)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54910
The Preview Pane is an attack vector. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.
CVE-2025-54916 | Windows NTFS Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54916
Stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.
CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54918
Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2025-55232 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55232
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.
CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234
SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. An attacker who successfully exploited this vulnerability could gain the privileges of the compromised user.
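To see which configuration a given SMB server is actually running, the added example below (not part of the original bulletin) reports the two relay-hardening settings Microsoft's advisory points to: SMB server signing and Extended Protection for Authentication (SPN target name validation). The function name `Get-SmbRelayHardening` is hypothetical; neither setting is named on this page.

```powershell
# Added example: report SMB server signing and EPA (SPN target name validation)
# state on the local machine. Parameters can be supplied to evaluate values
# collected elsewhere instead of reading the live configuration.
function Get-SmbRelayHardening {
    param(
        [bool]$RequireSigning = (Get-SmbServerConfiguration).RequireSecuritySignature,
        [int]$EpaLevel = -1   # -1 means "read it from the registry"
    )
    if ($EpaLevel -lt 0) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $p = Get-ItemProperty -Path $key -Name SmbServerNameHardeningLevel -ErrorAction SilentlyContinue
        # An absent value is treated as 0 (validation off).
        $EpaLevel = if ($p) { [int]$p.SmbServerNameHardeningLevel } else { 0 }
    }

    $findings = @()
    if (-not $RequireSigning) {
        $findings += 'SMB server signing is not required'
    }
    if ($EpaLevel -lt 2) {
        # 0 = off, 1 = accepted if the client provides it, 2 = required
        $findings += "SPN target name validation level is $EpaLevel (2 = required)"
    }

    [pscustomobject]@{
        SigningRequired = $RequireSigning
        EpaLevel        = $EpaLevel
        Findings        = $findings
    }
}

Get-SmbRelayHardening | Format-List
```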