Microsoft’s September 2025 Security Update: Two Critical Zero-Day Flaws Under Active Attack
Microsoft has released its September 2025 Patch Tuesday update, addressing a total of 61 security vulnerabilities across its product ecosystem. While the volume of fixes is moderate, this month’s release is particularly critical due to the inclusion of patches for two zero-day vulnerabilities that are confirmed to be actively exploited in the wild.
System administrators and security professionals should prioritize the immediate deployment of these updates to protect their networks from ongoing threats. Of the 61 flaws patched, five are rated as “Critical,” while the remaining 56 are rated “Important” in severity. The updates cover a wide range of products, including Windows, Microsoft Office, SharePoint Server, and the .NET Framework.
Focus on the Zero-Days: Immediate Patching Required
The most urgent threats addressed this month are the two vulnerabilities with evidence of active exploitation. Attackers are already leveraging these flaws, making swift patching a top priority for all organizations.
CVE-2025-31415: Windows Kernel Privilege Escalation Vulnerability
This is a significant flaw within the Windows Kernel that allows an attacker to gain SYSTEM-level privileges. To exploit it, an attacker would first need to gain initial access to a target machine with low-level user rights. From there, this vulnerability serves as a critical second-stage tool to take full control of the compromised system. This type of flaw is commonly used by ransomware gangs and other advanced persistent threat (APT) groups to escalate their access and deploy malicious payloads. Microsoft has confirmed this vulnerability is being used in targeted attacks.CVE-2025-27182: Microsoft Office Security Feature Bypass Vulnerability
This second zero-day impacts Microsoft Office and allows attackers to bypass security features designed to protect users from malicious documents. The vulnerability can be triggered when a user opens a specially crafted file, potentially delivered via a phishing email. A successful exploit could allow an attacker to execute malicious code without the user seeing the typical “Protected View” warnings. This makes it a dangerous tool for phishing campaigns, as it lowers the barrier for compromising a user’s machine.
Other Critical Vulnerabilities to Note
Beyond the zero-days, several other “Critical” vulnerabilities demand attention. These flaws could allow for Remote Code Execution (RCE), which enables an attacker to run arbitrary code on a target system without user interaction.
- SharePoint Server Remote Code Execution: Several vulnerabilities in SharePoint could allow an authenticated user with specific permissions to execute code on the server.
- Windows DHCP Server Remote Code Execution: A critical flaw in the Windows Dynamic Host Configuration Protocol (DHCP) service could be exploited by sending a malicious packet to a vulnerable server, potentially leading to a full system compromise.
Actionable Security Guidance for Administrators
Given the severity of the actively exploited zero-days, a proactive response is essential. Follow these steps to secure your environment:
- Prioritize and Deploy Patches Immediately: Begin by deploying the updates for the two zero-day vulnerabilities (CVE-2025-31415 and CVE-2025-27182) and all “Critical” rated flaws. Use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business to streamline deployment.
- Review User Privileges: The Windows Kernel vulnerability highlights the importance of the principle of least privilege. Ensure that users and service accounts only have the permissions necessary to perform their roles. This can limit the impact of a successful privilege escalation attack.
- Enhance Email Security: To combat threats like the Office vulnerability, strengthen your email filtering systems to block malicious attachments and links. Educate users on the dangers of opening unsolicited documents, even if they appear to be from a trusted source.
- Test Before Mass Deployment: Whenever possible, test security updates in a controlled, non-production environment first to ensure they do not disrupt critical business operations. However, due to the active exploitation, the risk of delaying these specific patches likely outweighs the risk of compatibility issues.
This month’s Patch Tuesday is a clear reminder that threat actors are continuously working to find and exploit new vulnerabilities. Staying vigilant and maintaining a consistent and rapid patching cadence is the most effective defense against these evolving threats.
Source: https://securityaffairs.com/182045/security/microsoft-patch-tuesday-security-updates-for-september-2025-fixed-two-zero-day-flaws.html
