Microsoft Patch Tuesday – September 2025

⚡ TL;DR | Go Straight to the September 2025 Patch Tuesday Audit Report

Patch Tuesday is once again upon us. As always, our team has put together the monthly Patch Tuesday Report to help you manage your update progress. The audit report gives you a quick and clear overview of your Windows machines and their patching status. The September 2025 edition of Patch Tuesday brings us 82 new fixes, with 8 rated as critical. We’ve listed the most important changes below.

Windows NTLM Elevation of Privilege Vulnerability

CVE-2025-54918 is a vulnerability with a CVSS base score of 8.8 and is the only vulnerability this month that is rated as critical and also more likely to be exploited.

Someone who exploits the vulnerability can gain SYSTEM privileges. As usual Microsoft doesn’t provide much additional information to prevent active exploitation.

NTLM is a legacy Windows authentication protocol still present across many domains and services (SMB, HTTP/IIS, RPC, WinRM, etc.). An NTLM EoP vulnerability means a flaw in how NTLM requests or tokens are validated can be abused so a low-privileged user or an attacker positioned on the network can escalate privileges on the target system, often to SYSTEM or a high-privileged account.

Windows NTFS Remote Code Execution Vulnerability

CVE-2025-54916 is a Remote Code Execution vulnerability with a CVSS score of 7.8. Microsoft has it listed as one of the vulnerabilities that is more likely to be exploited.

This vulnerability doesn’t require elevated permissions for exploitation, making it more severe. Microsoft hasn’t released any additional information yet for this vulnerability.

NTFS is the Windows file system; the kernel-mode driver (ntfs.sys) parses on-disk structures like the MFT, attributes, reparse points, compression, and EFS metadata. An NTFS RCE means a crafted file, directory, or volume layout can trigger a parsing bug in ntfs.sys, letting an attacker run code with SYSTEM privileges.

Windows Kernel Elevation of Privilege Vulnerability

The last highlight of this month is CVE-2025-54110, a vulnerability where an integer overflow/wraparound in the Windows kernel lets a local, authenticated attacker supply values that miscompute sizes/offsets, leading to undersized buffers or out-of-bounds access. Exploitation can corrupt kernel memory and run code as SYSTEM, turning a low-privilege foothold into full device control.

Similar to the previous highlights, this vulnerability is more likely to be exploited. It has a CVSS base score of 8.8 and successful exploitation can provide SYSTEM privileges.

Run the Patch Tuesday September 2025 Audit

To help manage your update progress, we’ve created the Patch Tuesday Audit that checks if the assets in your network are on the latest patch updates. The report has been color-coded to see which machines are up-to-date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.

The Lansweeper Patch Tuesday report is automatically added to your Lansweeper Site. Lansweeper Sites is included in all our licenses without any additional cost and allows you to federate all your installations into one single view so all you need to do is look at one report, automatically added every patch Tuesday!

Patch Tuesday September 2025 CVE Codes & Titles

CVE Number	CVE Title
CVE-2025-55317	Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
CVE-2025-55316	Azure Arc Elevation of Privilege Vulnerability
CVE-2025-55245	Xbox Gaming Services Elevation of Privilege Vulnerability
CVE-2025-55243	Microsoft OfficePlus Spoofing Vulnerability
CVE-2025-55236	Graphics Kernel Remote Code Execution Vulnerability
CVE-2025-55234	Windows SMB Elevation of Privilege Vulnerability
CVE-2025-55232	Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
CVE-2025-55228	Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-55227	Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2025-55226	Graphics Kernel Remote Code Execution Vulnerability
CVE-2025-55225	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-55224	Windows Hyper-V Remote Code Execution Vulnerability
CVE-2025-55223	DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2025-54919	Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-54918	Windows NTLM Elevation of Privilege Vulnerability
CVE-2025-54917	MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-54916	Windows NTFS Remote Code Execution Vulnerability
CVE-2025-54915	Windows Defender Firewall Service Elevation of Privilege Vulnerability
CVE-2025-54913	Windows UI XAML Maps MapControlSettings Elevation of Privilege Vulnerability
CVE-2025-54912	Windows BitLocker Elevation of Privilege Vulnerability
CVE-2025-54911	Windows BitLocker Elevation of Privilege Vulnerability
CVE-2025-54910	Microsoft Office Remote Code Execution Vulnerability
CVE-2025-54908	Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2025-54907	Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2025-54906	Microsoft Office Remote Code Execution Vulnerability
CVE-2025-54905	Microsoft Word Information Disclosure Vulnerability
CVE-2025-54904	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54903	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54902	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54901	Microsoft Excel Information Disclosure Vulnerability
CVE-2025-54900	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54899	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54898	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54897	Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2025-54896	Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-54895	SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Elevation of Privilege Vulnerability
CVE-2025-54894	Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2025-54116	Windows MultiPoint Services Elevation of Privilege Vulnerability
CVE-2025-54115	Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-54114	Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability
CVE-2025-54113	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2025-54112	Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability
CVE-2025-54111	Windows UI XAML Phone DatePickerFlyout Elevation of Privilege Vulnerability
CVE-2025-54110	Windows Kernel Elevation of Privilege Vulnerability
CVE-2025-54109	Windows Defender Firewall Service Elevation of Privilege Vulnerability
CVE-2025-54108	Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability
CVE-2025-54107	MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-54106	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2025-54105	Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2025-54104	Windows Defender Firewall Service Elevation of Privilege Vulnerability
CVE-2025-54103	Windows Management Service Elevation of Privilege Vulnerability
CVE-2025-54102	Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
CVE-2025-54101	Windows SMB Client Remote Code Execution Vulnerability
CVE-2025-54099	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2025-54098	Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-54097	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-54096	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-54095	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-54094	Windows Defender Firewall Service Elevation of Privilege Vulnerability
CVE-2025-54093	Windows TCP/IP Driver Elevation of Privilege Vulnerability
CVE-2025-54092	Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-54091	Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-53810	Windows Defender Firewall Service Elevation of Privilege Vulnerability
CVE-2025-53809	Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
CVE-2025-53808	Windows Defender Firewall Service Elevation of Privilege Vulnerability
CVE-2025-53807	Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2025-53806	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-53805	HTTP.sys Denial of Service Vulnerability
CVE-2025-53804	Windows Kernel-Mode Driver Information Disclosure Vulnerability
CVE-2025-53803	Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-53802	Windows Bluetooth Service Elevation of Privilege Vulnerability
CVE-2025-53801	Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2025-53800	Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2025-53799	Windows Imaging Component Information Disclosure Vulnerability
CVE-2025-53798	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-53797	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-53796	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-53773	GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
CVE-2025-49734	PowerShell Direct Elevation of Privilege Vulnerability
CVE-2025-49692	Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2025-47997	Microsoft SQL Server Information Disclosure Vulnerability
CVE-2024-21907	VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json