September Patch Tuesday 2025

Microsoft has released 86 patches this September, with updates to Microsoft Office, Windows, and SQL Server. No zero-days so the Readiness team does not have a Patch Now recommendation for this September update cycle. This is an incredible sign of success for the Microsoft update group. To further reinforce this fact, we have patches for Microsoft’s browser platform that have (I believe for the first time) been rated at a much lower security rating of “moderate” (as opposed to critical or important). More detail has been added to September’s testing recommendations given the reduced urgency (and therefore extra time) to deploy this months’ patches. To help navigate these changes to their platforms, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.

Known Issues 

Microsoft has reported an edge case affecting hot patched devices that have installed the September 2025 Hotpatch update (KB5065306) or the September 2025 security update (KB5065432). These devices may experience failures with PowerShell Direct (PSDirect) connections when the host and guest virtual machines (VMs) are both not fully updated. This issue is currently being investigated by Microsoft. A major issue with August’s update caused some of our clients unwarranted UAC prompts on MSI Installer package repair. This issue has been resolved and our testing has confirmed that MSI Installer repairs are working as intended. Thank you (Microsoft) for the rapid fix.

Major Revisions and Mitigations

The following three revisions to previous Microsoft updates require administrator attention and potentially additional actions on top of this month’s September release:

• CVE-2025-48807: Windows Hyper-V Remote Code Execution Vulnerability. To comprehensively address this vulnerability, Microsoft has released September 2025 security updates for the following versions of Windows: Windows Server 2016, Windows 11 and newer, x64-based editions of Windows 10 Version.
  
• CVE-2025-21293: Active Directory Domain Services Elevation of Privilege Vulnerability: To comprehensively address CVE-2025-21293, Microsoft has released September 2025 security update KB5065426 for Windows Server 2025 and Windows 11 systems. Customers who install Microsoft (in-memory) HotPatch updates should install KB5065474 to be protected from this vulnerability.

• CVE-2025-49734: PowerShell Direct Elevation of Privilege Vulnerability. Microsoft has updated their “affected products” table as PowerShell 7.4 and now 7.5 are affected by this vulnerability. Additional information can be found in this GitHub posting.

Also, this month Microsoft made two “information only” changes to how two vulnerabilities (CVE-2025-29833 and CVE-2025-29954) were addressed in last month’s update cycle.

Windows Lifecycle and Enforcement Updates 

Microsoft has not published any enforcement updates this month. However, Secure Boot certificates used by most Windows devices will be set to expire by Microsoft, starting in June 2026. To avoid disruption, we recommend reviewing Microsoft’s guidance and taking action to update these certificates in advance. 

Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.

This month’s Microsoft Patch Tuesday updates require focused testing across network infrastructure, graphics subsystems, and authentication components. September 2025 brings significant updates to core networking protocols, DirectX graphics functionality, and Bluetooth connectivity that demand immediate validation. These updates affect both client and server environments, with particular attention needed for organizations using Routing and Remote Access Services (RRAS) and those with complex Bluetooth device management requirements.

Network Infrastructure & Connectivity

Microsoft has updated core network communication components including socket handling and IPv6 functionality. These low level network changes can significantly impact enterprise connectivity and require comprehensive validation across different network scenarios:

• Send and receive packets over the network using both IPv4 and IPv6 protocols
• Test large file transfers over IPv6 networks to validate performance and stability
• Validate various network traffic conditions including file transmission, remote desktop connections, and web browsing
• Test messaging applications like Microsoft Teams or Skype with connect/disconnect/reconnect cycles

Graphics, DirectX & Application Guard

This month includes substantial updates to graphics subsystems and security isolation components which will require a test cycle to ensure that graphics applications render correctly without screen corruption or performance degradation:

• DirectX functionality and Windows Defender Application Guard receive critical updates that require validation:
• Execute applications and UWP apps that use DirectComposition functionality, ensuring no flickering or display anomalies occur
• Test DirectX API usage on Hyper-V guests with GPU-PV enabled across multi-threaded scenarios
• Validate Windows Defender Application Guard functionality with Office applications and Microsoft Edge

Authentication & Directory Services

Critical updates to authentication components require thorough testing of domain and workstation authentication scenarios:

• Use NTLM and Kerberos protocols to authenticate users on both workstation-joined and domain-joined machines
• Exercise the LogonUserEx API from client applications to ensure programmatic authentication works correctly
• Test secondary logon (RunAs) scenarios across different user contexts
• Validate CredSSP (Credential Security Support Provider) functionality
• Test Active Directory components including Active Directory Certificate Services and LDAP operations

Bluetooth Device Management

This month’s updates to Bluetooth require device pairing and management testing that includes:

• Simultaneous Device Management: Pair and unpair multiple Bluetooth devices (earbuds, keyboards, speakers) simultaneously via SwiftPair or Settings to stress-test concurrent operations
• Multiple Adapter Support: Connect both internal and external Bluetooth adapters and test device pairing using each adapter independently
• PIN and Consent Flow: Use Bluetooth keyboards requiring PIN entry, test pairing with correct and incorrect PINs, and verify graceful error handling and retry mechanisms
• Monitor for UI hangs, pairing failures, or stale device entries during intensive Bluetooth operations

Routing and Remote Access Services (RRAS)

Significant updates to RRAS components require comprehensive testing for organizations using routing and remote access functionality:

• Perform configuration and viewing operations using the Routing and Remote Access management console for both local and remote installations
• Test different property pages (DHCP, NAT, RIP, IGMP, BOOTP) to ensure they display correct information for valid configurations
• Validate that invalid configurations are handled correctly by showing appropriate error dialogs or preventing access to misconfigured sections
• Exercise remote RRAS server management tasks to ensure remote administration capabilities remain functional

HTTP Services & Web Infrastructure

Updates to core HTTP handling components require validation of modern web protocols and caching mechanisms:

• Enable Branch Cache and configure HTTP server applications to cache responses
• Send HTTP/2 and HTTP/3 requests to validate next-generation protocol support
• Ensure request-response cycles complete without system crashes or bug-checks

Filesystem & Storage Operations

Core filesystem components received patches and updates affecting file operations and virtual disk management will require the following tests:

• Use PowerShell’s Mount-DiskImage cmdlet to attach VHD files to NTFS volumes
• Test App Silos functionality with applications that perform filesystem access

Additional Application Testing

Privacy and capability management components require testing to ensure user privacy controls function correctly:

• Validate that privacy permission changes take effect immediately and persist across system reboot.
• Validate VPN connection scenarios across different VPN providers and protocols
• Test applications using XAML UI frameworks including Microsoft Photos and modern UWP applications
• Verify Remote PowerShell functionality using Invoke-Command and New-PSSession cmdlets

This month’s updates emphasize network reliability, graphics performance and security isolation. Organizations should prioritize testing in network-intensive environments and those with complex authentication requirements. Pay particular attention to Bluetooth device management if your environment relies heavily on wireless peripherals, and ensure RRAS functionality is thoroughly validated before deploying to production routing infrastructure.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

• Browsers (Microsoft IE and Edge) 
• Microsoft Windows (both desktop and server) 
• Microsoft Office
• Microsoft Exchange and SQL Server 
• Microsoft Developer Tools (Visual Studio and .NET)
• Adobe (if you get this far) 

Browsers

Microsoft has published five internal (rated as moderate) updates to its browser platform and four updates to the Chromium engine CVE-2025-9864, CVE-2025-9865, CVE-2025-9866 and CVE-2025-9867) this month. These low-profile changes can be added to your standard release calendar.

Microsoft Windows

The following product areas have been updated with seven critical rated patches and a further 29 remaining patches rated important for this September 2025 patch cycle. This month’s critical rated patches updated vulnerabilities found in the following features within the Windows platform:

• Graphics, Win32 (GRFX) and GDI and Kernel drivers
• Windows NTLM authentication
• Windows Imaging (Windows sub-system)

Unusually, and given the absence of reports of public disclosure or exploits, the Readiness team recommends a standard release schedule for Windows. There is plenty to test, so let’s use this extra time to our advantage.

Microsoft Office

Microsoft has released two critical-rated updates to the Microsoft platform this month (CVE-2025-54910 and CVE-2025-53799) that address vulnerabilities in the general Office platform (not specific to Word or Excel). There are a further 15 patches rated as important by Microsoft. None of these security issues include preview pane attacks and so can be added to your standard update release cycle.

Microsoft Exchange and SQL Server

Microsoft has published two updates rated as important (CVE-2025-47997 and CVE-2024-21907) this month. Neither SQL patch has reported as publicly disclosed or as exploited in the wild. As there are no Microsoft Exchange updates this month, please add these SQL Server patches to your standard server update schedule. It goes without saying that the SQL Server patches will require a reboot.

Developer Tools

No updates to Microsoft developer tools and platforms (Visual Studio and Microsoft .NET) for this patch cycle.

Adobe (and 3rd party updates)

This September, Microsoft has published a single update for 3rd party products. The Newtonsoft vulnerability (CVE-2024-21907) addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Since there are no Adobe updates published by Microsoft this month, I will continue to promise to retire this section – maybe.