
Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

5 unique sources, 13 articles

Summary


Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including one actively exploited zero-day vulnerability (CVE-2025-62215), a critical Remote Code Execution flaw (CVE-2025-60724), and several other notable vulnerabilities. The updates also included fixes for multiple elevation of privilege, remote code execution, information disclosure, denial-of-service, and spoofing vulnerabilities. Microsoft has released the first extended security update (ESU) for Windows 10, advising users to upgrade to Windows 11 or enroll in the ESU program. The KB5068781 update, the first Windows 10 extended security update since the operating system reached end of support on October 14, 2025, includes fixes for 63 flaws and one actively exploited elevation-of-privilege vulnerability.

The September 2025 Patch Tuesday addressed 80 vulnerabilities, including 13 critical vulnerabilities. The updates fixed a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also covered a critical flaw in Azure Networking and addressed a new lateral movement technique dubbed BitLockMove. Additionally, security updates were released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update included 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities were CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability was exploited through relay attacks, while the SQL Server flaw involved improper handling of exceptional conditions in Newtonsoft.Json. The updates also included hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues.

The KB5065429 cumulative update for Windows 10 22H2 and 21H2 included fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enabled auditing SMB client compatibility for SMB Server signing and SMB Server EPA, and included an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices.

In February 2026, Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. These include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. None of the actively exploited vulnerabilities are rated critical. In total, 25 CVEs disclosed by Microsoft were EoP, followed by remote code execution (12), spoofing (7), information disclosure (6), and security feature bypass (5). SAP also released 26 new security notes and one update to a previously released note, including critical vulnerabilities CVE-2026-0509 and CVE-2026-0488.

Timeline

  1. 11.02.2026 11:50 1 article · 23h ago

    Microsoft February 2026 Patch Tuesday fixes six zero-days

    Microsoft's February 2026 Patch Tuesday addressed six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. These include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. None of the actively exploited vulnerabilities are rated critical. In total, 25 CVEs disclosed by Microsoft were EoP, followed by remote code execution (12), spoofing (7), information disclosure (6), and security feature bypass (5). SAP also released 26 new security notes and one update to a previously released note, including critical vulnerabilities CVE-2026-0509 and CVE-2026-0488.

  2. 11.11.2025 20:45 6 articles · 3mo ago

    Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws

    The November 2025 Patch Tuesday includes fixes for 29 Elevation of Privilege Vulnerabilities, 2 Security Feature Bypass Vulnerabilities, 16 Remote Code Execution Vulnerabilities, 11 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities. The actively exploited zero-day vulnerability is CVE-2025-62215, a Windows Kernel Elevation of Privilege Vulnerability with a CVSS score of 7.0. CVE-2025-62215 is a race-condition and double-free flaw that enables a locally accessible, low-privileged attacker to corrupt kernel memory and escalate to system privileges. The attack requires local code execution or local access and successful timing of a race, which is complex and fragile and typically needs pool grooming and concurrent threads. The attacker only needs low privileges and no other user interaction. When chained with other vulnerabilities, the CVE becomes a critical threat, potentially enabling server compromise, mass credential exposure, lateral movement, and ransomware deployment. The update also addresses CVE-2025-60724, a critical Remote Code Execution (RCE) flaw in the GDI+ Windows graphics component with a CVSS score of 9.8. CVE-2025-60724 can be triggered by uploading a file to a public-facing web application, making any system that processes user-supplied documents at risk. The update also includes fixes for CVE-2025-60704, a high-severity privilege escalation flaw in Windows Kerberos, codenamed CheckSum by researchers. The update also addresses CVE-2025-62220, a vulnerability affecting Windows Subsystem for Linux GUI, enabling Remote Code Execution with a CVSS score of 8.8. The update also includes fixes for CVE-2025-60719, CVE-2025-62213, and CVE-2025-62217, vulnerabilities affecting the Windows Ancillary Function Driver of WinSock, enabling privilege escalation with a CVSS score of 7.0 each.

  3. 10.09.2025 14:14 3 articles · 5mo ago

    Microsoft highlights upcoming end-of-life for Windows 10 and MFA for Azure

    The update highlights the upcoming end-of-life date for Windows 10 and the next phase of mandatory multifactor authentication (MFA) for Azure, both scheduled for October. The update includes fixes for 12 vulnerabilities in Microsoft's Chromium-based Edge browser, including a security bypass bug (CVE-2025-53791). The update addresses two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911 and CVE-2025-54912) and a security flaw in Newtonsoft.Json (CVE-2024-21907) affecting SQL Server. The update also addresses four previously patched BitLocker vulnerabilities collectively called BitUnlocker.

  4. 09.09.2025 23:48 7 articles · 5mo ago

    Microsoft highlights upcoming end-of-life for Windows 10 and MFA for Azure

    Microsoft released an out-of-band update (KB5071959) to address an issue in the Windows 10 Consumer Extended Security Update (ESU) enrollment process. The KB5071959 update resolves an issue where the enrollment wizard may fail during enrollment, allowing consumer devices to successfully enroll in ESU using the ESU wizard.

  5. 09.09.2025 20:43 9 articles · 5mo ago

    Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

    The September 2025 Patch Tuesday addresses 80 vulnerabilities, including 13 critical vulnerabilities. The updates fix a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also cover a critical flaw in Azure Networking and address a new lateral movement technique dubbed BitLockMove. The update includes fixes for 12 vulnerabilities in Microsoft's Chromium-based Edge browser, including a security bypass bug (CVE-2025-53791). The update addresses two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911 and CVE-2025-54912) and a security flaw in Newtonsoft.Json (CVE-2024-21907) affecting SQL Server. The update also addresses four previously patched BitLocker vulnerabilities collectively called BitUnlocker. Microsoft has released the final non-security preview update for Windows 10, version 22H2, which includes fixes for the out-of-box experience and SMBv1 protocol connectivity. The update improves the servicing stack, updating Windows 10 22H2 systems to build 19045.6396. It also addresses an issue causing non-admin users to receive unexpected User Account Control (UAC) prompts and fixes delays or uneven audio and video performance issues with Network Device Interface (NDI) streaming. The update includes fixes and quality improvements from the KB5065429 cumulative update, enabling support for IT administrators to deploy hardening measures for SMB.


Similar Happenings

Microsoft February 2026 Patch Tuesday Addresses 6 Zero-Days and 59 Flaws

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates include fixes for 5 critical vulnerabilities, with three being security feature bypass flaws in various Microsoft products. The zero-days span components such as Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. Microsoft issued an out-of-band patch for one of the zero-days, CVE-2026-21514, highlighting its urgency. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.

Microsoft January 2026 Patch Tuesday Addresses 3 Zero-Days, 114 Flaws

Microsoft's January 2026 Patch Tuesday addressed 114 vulnerabilities, including three zero-days: one actively exploited (CVE-2026-20805) and two publicly disclosed (CVE-2026-21265 and CVE-2023-31096). The updates covered a range of flaw types, with eight classified as 'Critical,' including remote code execution and elevation-of-privilege vulnerabilities. Additionally, Microsoft released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability (CVE-2026-21509) exploited in attacks, affecting multiple Office versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 and CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026, and February 16, 2026, respectively. The flaw was discovered by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team, and affects several versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.

Critical ASUS Live Update Flaw Added to CISA KEV Catalog

CISA has added a critical flaw in ASUS Live Update (CVE-2025-59374, CVSS 9.3) to its KEV catalog due to active exploitation. The vulnerability stems from a supply chain compromise that allowed unauthorized modifications in certain versions, enabling attackers to perform unintended actions. The flaw is linked to the 2019 Operation ShadowHammer campaign by the APT41 group, which targeted around 600 specific devices. The attack was uncovered in January 2019, and Asus released a patch by March the same year. ASUS Live Update reached end-of-support on December 4, 2025, and CISA urges FCEB agencies to discontinue its use by January 7, 2026. The CVE assignment reflects a retrospective classification effort, formally documenting a well-known attack that predated CVE issuance. The updated ASUS FAQ page from December 2025 contradicts the CVE entry, implying that support definitively ended on December 4, 2025, with version 3.6.15 being the last version. The FAQ page continues to display older remediation guidance with screenshots bearing 2019 dates, recommending upgrading to version 3.6.8 or higher to resolve security concerns.

Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws

Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning for script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, mandating FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.

Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks

Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect.

This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year.

Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.

Microsoft plans to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones. The "Windows Baseline Security Mode" and "User Transparency and Consent" changes will prompt for permission when apps try to install unwanted software or access sensitive resources, allowing users to change their choices at any time. Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but allowing users and IT administrators to override these safeguards for specific apps when needed.