
Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

5 unique sources, 12 articles

Summary

Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including one actively exploited zero-day (CVE-2025-62215), a critical remote code execution flaw (CVE-2025-60724), and several other notable issues. The updates also fixed multiple elevation of privilege, remote code execution, information disclosure, denial-of-service, and spoofing vulnerabilities.

Microsoft has released the first extended security update (ESU) for Windows 10, advising users to upgrade to Windows 11 or enroll in the ESU program. The KB5068781 update, the first Windows 10 extended security update since the operating system reached end of support on October 14, 2025, includes fixes for 63 flaws, among them one actively exploited elevation-of-privilege vulnerability.

The September 2025 Patch Tuesday addressed 80 vulnerabilities, including 13 critical ones. The updates fixed a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also covered a critical flaw in Azure Networking and addressed a new lateral movement technique dubbed BitLockMove. Security updates were also released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update included 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities were CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability was exploited through relay attacks, while the SQL Server flaw involved improper handling of exceptional conditions in Newtonsoft.Json. The updates also included hardening features for SMB Server to mitigate relay attacks, with the recommendation that administrators enable auditing first to assess compatibility issues.

The KB5065429 cumulative update for Windows 10 22H2 and 21H2 included fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering with NDI streaming software. The update enabled auditing of SMB client compatibility for SMB Server signing and SMB Server EPA, and included an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices.

Timeline

  1. 11.11.2025 20:45 6 articles · 6d ago

    Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws

    The November 2025 Patch Tuesday includes fixes for 29 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 16 remote code execution vulnerabilities, 11 information disclosure vulnerabilities, 3 denial of service vulnerabilities, and 2 spoofing vulnerabilities.

    The actively exploited zero-day is CVE-2025-62215, a Windows Kernel elevation of privilege vulnerability with a CVSS score of 7.0. It is a race-condition and double-free flaw that lets a locally accessible, low-privileged attacker corrupt kernel memory and escalate to SYSTEM privileges. Exploitation requires local code execution or local access and winning a race whose timing is complex and fragile, typically needing pool grooming and concurrent threads; beyond low privileges, no further user interaction is required. Chained with other vulnerabilities, the flaw becomes a critical threat, potentially enabling server compromise, mass credential exposure, lateral movement, and ransomware deployment.

    The update also addresses CVE-2025-60724, a critical remote code execution (RCE) flaw in the GDI+ Windows graphics component with a CVSS score of 9.8. It can be triggered by uploading a file to a public-facing web application, putting any system that processes user-supplied documents at risk.

    Other notable fixes include CVE-2025-60704, a high-severity privilege escalation flaw in Windows Kerberos codenamed CheckSum by researchers; CVE-2025-62220, a remote code execution vulnerability in the Windows Subsystem for Linux GUI with a CVSS score of 8.8; and CVE-2025-60719, CVE-2025-62213, and CVE-2025-62217, privilege escalation vulnerabilities in the Windows Ancillary Function Driver for WinSock, each with a CVSS score of 7.0.

  2. 10.09.2025 14:14 3 articles · 2mo ago

    Microsoft highlights upcoming end-of-life for Windows 10 and MFA for Azure

    The update highlights the upcoming end-of-life date for Windows 10 and the next phase of mandatory multifactor authentication (MFA) for Azure, both scheduled for October. The update includes fixes for 12 vulnerabilities in Microsoft's Chromium-based Edge browser, including a security bypass bug (CVE-2025-53791). The update addresses two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911 and CVE-2025-54912) and a security flaw in Newtonsoft.Json (CVE-2024-21907) affecting SQL Server. The update also addresses four previously patched BitLocker vulnerabilities collectively called BitUnlocker.

  3. 09.09.2025 23:48 7 articles · 2mo ago

    Microsoft highlights upcoming end-of-life for Windows 10 and MFA for Azure

    Microsoft released an out-of-band update (KB5071959) to address an issue in the Windows 10 Consumer Extended Security Update (ESU) enrollment process. KB5071959 resolves a problem where the enrollment wizard could fail partway through; with the fix installed, consumer devices can enroll in ESU successfully using the ESU wizard.

  4. 09.09.2025 20:43 9 articles · 2mo ago

    Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

    The September 2025 Patch Tuesday addresses 80 vulnerabilities, including 13 critical ones. The updates fix a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also cover a critical flaw in Azure Networking and address a new lateral movement technique dubbed BitLockMove.

    The update includes fixes for 12 vulnerabilities in Microsoft's Chromium-based Edge browser, including a security bypass bug (CVE-2025-53791). It addresses two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911 and CVE-2025-54912) and a security flaw in Newtonsoft.Json (CVE-2024-21907) affecting SQL Server, as well as four previously patched BitLocker vulnerabilities collectively called BitUnlocker.

    Microsoft has also released the final non-security preview update for Windows 10, version 22H2, which includes fixes for the out-of-box experience and SMBv1 protocol connectivity. The update improves the servicing stack and brings Windows 10 22H2 systems to build 19045.6396. It also addresses an issue causing non-admin users to receive unexpected User Account Control (UAC) prompts and fixes delays or uneven audio and video performance with Network Device Interface (NDI) streaming. The update carries the fixes and quality improvements from the KB5065429 cumulative update, including support for IT administrators to deploy SMB hardening measures.

Similar Happenings

Microsoft Releases Emergency Update for Windows 10 ESU Enrollment Bug

Microsoft has issued an emergency out-of-band update (KB5071959) to fix a bug preventing Windows 10 users from enrolling in the Extended Security Updates (ESU) program. This update resolves an issue in the ESU enrollment wizard that caused failures during the enrollment process. Once installed, users can successfully enroll their devices and receive ongoing security updates. Windows 10 reached end-of-support on October 14, 2025, making ESU enrollment crucial for continued security updates. The ESU program costs $30 for home users and $61 per device per year for enterprises, with escalating costs for multi-year commitments.

Windows 10 update bug triggers incorrect end-of-support alerts

A bug in the October 2025 Windows 10 updates triggers incorrect end-of-support alerts on systems running Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and Windows 10 22H2 enrolled in the Extended Security Updates program. The bug causes affected devices to display 'Your version of Windows has reached the end of support' messages, despite the systems still being under active support or security coverage. Microsoft has deployed a cloud configuration update to correct the erroneous message, but some devices may not receive it due to connectivity or configuration issues. IT administrators can use Known Issue Rollback (KIR) to remove the incorrect messages on enterprise-managed devices. Microsoft released the first Windows 10 extended security update (KB5068781) on November 11, 2025, to address the bug for all customers enrolled in the Extended Security Updates (ESU) program. However, the KB5068781 update is failing to install with 0x800f0922 errors on devices with corporate licensing, and Microsoft is currently investigating the issue.

Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks

A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root level. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation in ransomware campaigns and added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in May 2024. Federal agencies were ordered to secure their systems by June 20, 2024. Mitigations include blocking 'nf_tables', restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module.

Active Exploitation of Critical Microsoft WSUS Flaw

A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on compromised hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation.

The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making the flaw particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps.

The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching, and administrators are advised to install it to maintain hotpatching functionality.

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. It was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH.

CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.

Sophos reported threat actors exploiting the WSUS vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.