09/09/2025 | News release | Distributed by Public on 09/09/2025 16:16
Publicly Disclosed Zero-Day Vulnerability in Windows SMB
CVE-2025-55234 is an Important elevation of privilege vulnerability affecting Windows SMB Server and has a CVSS score of 8.8. This vulnerability allows unauthenticated remote attackers to perform relay attacks by exploiting improper authentication mechanisms in SMB Server configurations over a network connection. While the vulnerability has been publicly disclosed, there is no evidence of active exploitation in the wild, though exploitation is considered more likely.
The vulnerability affects Windows systems running SMB Server without proper hardening measures such as SMB Server signing or Extended Protection for Authentication (EPA). When successfully exploited, attackers can perform relay attacks that enable elevation of privilege, potentially allowing them to gain the privileges of compromised users and compromise the confidentiality, integrity, and availability of affected systems.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 8.8 | CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability |
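One way to audit the SMB signing posture the release refers to, as an added PowerShell example that is not part of the CrowdStrike release or of Microsoft's guidance; it assumes the standard SmbShare module cmdlets on a supported Windows host and does not cover EPA, which is configured separately:

```powershell
# Added example (not from the CrowdStrike release): audit SMB signing on the local host.
# Server-side signing is the hardening the advisory names against relay attacks; the
# client-side setting is checked too, because an unsigned client session is what gets
# relayed to another host. EPA is configured separately and is not covered here.
function Test-SmbSigningPosture {
    [CmdletBinding()]
    param(
        # When set, require signing on both server and client (applies to new sessions).
        [switch]$Remediate
    )

    $server   = Get-SmbServerConfiguration
    $client   = Get-SmbClientConfiguration
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $server.RequireSecuritySignature) {
        $findings.Add('SMB Server does not require signing: unsigned sessions can be relayed')
    }
    if (-not $client.RequireSecuritySignature) {
        $findings.Add('SMB Client does not require signing: this host can be coerced into unsigned sessions')
    }
    if (-not $server.EncryptData) {
        $findings.Add('SMB Server does not encrypt data by default (informational; signing is the relay control)')
    }

    if ($Remediate -and $findings.Count -gt 0) {
        # -Force suppresses the confirmation prompt; existing sessions keep their current state.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerRequiresSigning = [bool]$server.RequireSecuritySignature
        ClientRequiresSigning = [bool]$client.RequireSecuritySignature
        ServerEncryptsData    = [bool]$server.EncryptData
        Findings              = $findings.ToArray()
        Remediated            = [bool]($Remediate -and $findings.Count -gt 0)
    }
}

# Report only; rerun with -Remediate to enforce signing once legacy clients have been validated.
Test-SmbSigningPosture | Format-List
```

Run from an elevated session; requiring signing on a file server disconnects clients that cannot sign, so inventory those before enforcing.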
Publicly Disclosed Zero-Day Vulnerability in Improper Handling of Exceptional Conditions in Newtonsoft.Json
CVE-2024-21907 is an Important denial of service vulnerability affecting Newtonsoft.Json library versions before 13.0.1, which is incorporated into Microsoft SQL Server. It has a CVSS score of 7.5. This vulnerability allows attackers to cause a StackOverflow exception by passing crafted data to the JsonConvert.DeserializeObject method, resulting in denial of service conditions. Depending on the library's usage, an unauthenticated remote attacker may be able to trigger this denial of service condition.
While the vulnerability has been publicly disclosed, there is no evidence of active exploitation in the wild, and exploitation is considered less likely. The vulnerability affects multiple SQL Server versions that utilize the vulnerable Newtonsoft.Json library, including SQL Server 2022, 2019, 2017, and 2016. When successfully exploited, attackers can cause application crashes and service disruptions, compromising the availability of affected SQL Server systems.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.5 | CVE-2024-21907 | Improper Handling of Exceptional Conditions in Newtonsoft.Json |
Critical Vulnerability in Windows NTLM
CVE-2025-54918 is a Critical elevation of privilege vulnerability affecting Windows NTLM and has a CVSS score of 8.8. This vulnerability allows authenticated remote attackers with low privileges to elevate their privileges to SYSTEM level by exploiting improper authentication mechanisms in Windows NTLM over a network connection.
The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered more likely. The vulnerability affects Windows systems utilizing NTLM authentication and can be exploited remotely from the internet with low attack complexity, requiring no user interaction. When successfully exploited, attackers can gain SYSTEM privileges, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.8 | CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability |
Critical Vulnerabilities in Microsoft Office
CVE-2025-54910 is a Critical remote code execution vulnerability affecting Microsoft Office with a CVSS score of 8.4. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a heap-based buffer overflow in Microsoft Office without requiring user interaction. The vulnerability has not been publicly disclosed, there is no evidence of active exploitation in the wild, and exploitation is considered less likely. The vulnerability affects Microsoft Office applications and can be exploited through the Preview Pane as an attack vector, with low attack complexity and no privileges required.
We have seen the Preview Pane many times in other vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025, June 2025).
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.4 | CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability |
Critical Vulnerabilities in Windows Graphics Component
CVE-2025-55228 is a Critical remote code execution vulnerability affecting Windows Graphics Component and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to execute arbitrary code by exploiting a race condition and use-after-free condition in Windows Win32K - GRFX. This component is partially responsible for the graphical user interface shown to the user. The vulnerability has not been publicly disclosed and there is no evidence of active exploitation, though exploitation is considered less likely due to high attack complexity. Successful exploitation from a low-privilege Hyper-V guest could allow attackers to escape the virtualization boundary and execute code on the Hyper-V host system.
CVE-2025-53800 is a Critical elevation of privilege vulnerability affecting Windows Graphics Component and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to gain SYSTEM privileges by exploiting incorrect initialization of resources in Microsoft Graphics Component. The vulnerability has not been publicly disclosed and there is no evidence of active exploitation, though exploitation is considered less likely. The attack has low complexity and requires no user interaction, making it relatively straightforward to exploit once local access is obtained.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 7.8 | CVE-2025-55228 | Windows Graphics Component Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-53800 | Windows Graphics Component Elevation of Privilege Vulnerability |
Critical Vulnerability in Windows Hyper-V
CVE-2025-55224 is a Critical remote code execution vulnerability affecting Windows Hyper-V and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to execute arbitrary code by exploiting a race condition and use-after-free condition in Windows Win32K - GRFX. The vulnerability has not been publicly disclosed and there is no evidence of active exploitation, though exploitation is considered less likely due to high attack complexity. Successful exploitation from a low-privilege Hyper-V guest could allow attackers to escape the virtualization boundary and execute code on the Hyper-V host system.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 7.8 | CVE-2025-55224 | Windows Hyper-V Remote Code Execution Vulnerability |
Critical Vulnerabilities in Graphics Kernel
CVE-2025-55236 is a Critical remote code execution vulnerability affecting Graphics Kernel and has a CVSS score of 7.3. This vulnerability allows authenticated local attackers with low privileges to execute arbitrary code by exploiting a time-of-check time-of-use (TOCTOU) race condition and type confusion in Graphics Kernel. The vulnerability has not been publicly disclosed and there is no evidence of active exploitation, though exploitation is considered less likely. The attack requires user interaction and could be triggered through social engineering tactics, such as convincing a victim to download and open a specially crafted file.
CVE-2025-55226 is a Critical remote code execution vulnerability affecting Graphics Kernel and has a CVSS score of 6.7. This vulnerability allows authenticated local attackers with low privileges to execute arbitrary code by exploiting a race condition in Graphics Kernel. The vulnerability has not been publicly disclosed and there is no evidence of active exploitation, though exploitation is considered less likely due to high attack complexity requiring the attacker to win a race condition. The attack requires user interaction and could be triggered through social engineering tactics, such as convincing a victim to download and open a specially crafted file.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 7.3 | CVE-2025-55236 | Graphics Kernel Remote Code Execution Vulnerability |
| Critical | 6.7 | CVE-2025-55226 | Graphics Kernel Remote Code Execution Vulnerability |
Critical Vulnerability in Windows Imaging Component
CVE-2025-53799 is a Critical information disclosure vulnerability affecting Windows Imaging Component and has a CVSS score of 5.5. This vulnerability allows unauthorized attackers to disclose information locally by exploiting a use of uninitialized resource condition in the Windows Imaging Component. The vulnerability has not been publicly disclosed and there is no evidence of active exploitation, though exploitation is considered unlikely due to the requirement for user interaction. Successful exploitation requires an attacker to send a malicious file to a user and convince them to open it, potentially allowing the attacker to read small portions of heap memory.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 5.5 | CVE-2025-53799 | Windows Imaging Component Information Disclosure Vulnerability |
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month's vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it's critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.
In October 2025, Microsoft plans to discontinue support for Microsoft Windows 10. As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities' severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources