Microsoft has rolled out its September 2025 Patch Tuesday updates, addressing a total of 86 security vulnerabilities across Windows and other Microsoft products. While none of these flaws have been reported as actively exploited in the wild, several are considered particularly concerning.
Among the patched issues, eight vulnerabilities received an “exploitation more likely” rating. These include:
- Information disclosure and privilege escalation flaws in the Windows kernel
- A remote code execution vulnerability in Windows NTFS
- Privilege escalation issues in the Windows TCP/IP driver, Windows Hyper-V, Windows NTLM, and Windows SMB
Most of the vulnerabilities have been rated as high severity, with the NTLM and SMB issues scoring the highest on the CVSS scale at 8.8/10.
The most critical vulnerability addressed this month is CVE-2025-55232, a remote code execution flaw in the High Performance Compute (HPC) Pack, which carries a CVSS score of 9.8. Microsoft advises that HPC Pack clusters should operate within a trusted network protected by firewall rules, particularly for TCP port 5999.
Other notable high-severity vulnerabilities with CVSS scores above 8.0 include:
- CVE-2025-54106 and CVE-2025-54113 – remote code execution in Routing and Remote Access Service
- CVE-2025-54897 – remote code execution in SharePoint
- CVE-2025-54910 – remote code execution in Office
- CVE-2025-55227 – privilege escalation in SQL Server
Despite the severity of these vulnerabilities, Microsoft’s exploitability assessment rates most of them as less likely or unlikely to be exploited at this time.
In addition, Adobe’s Patch Tuesday for September 2025 addressed nearly two dozen vulnerabilities across nine products, including critical flaws in ColdFusion and Commerce.
Organizations are strongly encouraged to apply these patches promptly to maintain system security and reduce exposure to potential attacks.
Source: https://www.securityweek.com/microsoft-patches-86-vulnerabilities