Yesterday was Patch Tuesday for September, and Microsoft provided security updates that address 80 new vulnerabilities.
Microsoft categorized eight of the vulnerabilities in Windows and Office as critical, but none of them have been exploited for attacks in the wild yet. Sadly, Microsoft provides sparse details on the security vulnerabilities for self-searching in the Security Update Guide.
The next Patch Tuesday is scheduled for October 14th, 2025. That’s also the long-awaited date of Windows 10’s end of support. Don’t wait until it’s too late! Learn what your options are going forward.
Critical Windows vulnerabilities
A large number of the vulnerabilities—58 this time—are spread across the various Windows versions for which Microsoft still offers security updates: Windows 10, Windows 11, and Windows Server.
Windows 7 and 8.1 are no longer getting security updates, so they remain as vulnerable as ever. If you’re still on these versions and your system requirements allow for it, you should switch to Windows 11 as soon as possible to continue receiving security updates.
Microsoft has categorized 7 security vulnerabilities in Windows as critical, including four remote code execution (RCE) vulnerabilities. Five of these critical vulnerabilities are in graphics components. It can be enough to open an infected image file (say, loaded from a website) to execute malicious code. The CVE-2025-53799 data leak vulnerability stands out because its exploitation can only expose a small part of working memory. It remains unclear why this one’s considered critical.
Microsoft has also fixed 5 security vulnerabilities in Hyper-V, one of which (CVE-2025-55224) is categorized as critical. The others are elevation of privilege (EOP) vulnerabilities. CVE-2025-54918 in the NT LAN Manager is also an EOP vulnerability classified as critical. An attacker with user rights can obtain system authorizations via the network, and it’s simple enough that it could be used as part of a targeted attack.
Other Windows vulnerabilities
The vulnerability with the highest vulnerability score is CVE-2025-55232 in the High Performance Compute (HPC) Pack. An attacker could remotely inject code without a user account and execute it on their own. This makes the vulnerability potentially wormable within an HPC network. As a rule, it only affects clusters of high-performance computers that are already secure. Microsoft recommends blocking TCP port 5999.
Microsoft has eliminated 10 vulnerabilities in the Routing and Remote Access Service (RRAS) this month, compared to 12 last month. This time there are only two RCE vulnerabilities, the rest are data leaks. All are categorized as high risk. In the Windows Firewall service, Microsoft has fixed 6 EOP vulnerabilities that are considered high risk. An attacker with user rights could use these to obtain the authorizations of a local system account in order to execute malicious code.
Critical Office vulnerabilities
Microsoft has fixed 16 vulnerabilities in its Office product family, including 12 remote code execution (RCE) vulnerabilities. One of these RCE vulnerabilities (CVE-2025-54910) is labeled as critical because the preview window is considered an attack vector. This means that an attack could occur simply by displaying an infected file in the preview, even if the user doesn’t click on it or open it.
Microsoft categorizes the other Office vulnerabilities as high risk. Here, a user must open an infected file for the exploit code to take effect (“open to own”). There are 8 fixed RCE vulnerabilities in Excel alone.
Browser security updates
The latest security update to Edge 140.0.3485.54 was released on September 5th and is based on Chromium 140.0.7339.81. It fixes several Chromium vulnerabilities as well as an Edge-specific vulnerability. Google has since released a new security update, which Microsoft will have to respond to later this week.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
