Full Report
Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [...]
Analysis Summary
# Vulnerability: Microsoft September 2025 Patch Tuesday Summary (Two Zero-Days Highlighted)
## CVE Details
- CVE ID: CVE-2025-55234, CVE-2024-21907 (and 79 others not detailed)
- CVSS Score: Not specified for the zero-days in detail, but 9 vulnerabilities are rated "Critical."
- CWE: Not explicitly stated for the zero-days, but one is an Elevation of Privilege (EOP) flaw and the other is an Improper Handling of Exceptional Conditions flaw.
## Affected Systems
- Products: Windows SMB Server, Microsoft SQL Server (using Newtonsoft.Json). General fixes cover Windows 11, Azure, Dynamics 365 FastTrack Implementation Assets, Mariner, Microsoft Edge, and Xbox.
- Versions: Specific affected versions are not listed in this summary for the zero-days, but fixes are applied through the September 2025 security updates.
- Configurations: CVE-2025-55234 is exploitable via relay attacks depending on configuration; an SMB server is vulnerable if SMB Server Signing and EPA are not adequately configured or enforced.
## Vulnerability Description
This patch addresses 81 flaws, including two zero-days that were publicly disclosed:
1. **CVE-2025-55234 (Windows SMB Elevation of Privilege Vulnerability):** An Elevation of Privilege (EOP) flaw in the Windows SMB Server that is susceptible to relay attacks; successful exploitation allows an attacker to perform relay attacks and elevate privileges. Microsoft notes that enabling SMB Server Signing and Extended Protection for Authentication (EPA) can mitigate this, and this update adds support for auditing client compatibility with these features.
2. **CVE-2024-21907 (Newtonsoft.Json DoS):** A vulnerability in the Newtonsoft.Json library (version less than 13.0.1) included in Microsoft SQL Server. Passing crafted data to `JsonConvert.DeserializeObject` may trigger a `StackOverflowException`, leading to a Denial of Service (DoS).
## Exploitation
- Status: **CVE-2025-55234** is a **publicly disclosed zero-day** (publicly known or actively exploited while no fix was available). **CVE-2024-21907** was **publicly disclosed in 2024**.
- Complexity: Not explicitly stated, but SMB relay attacks generally require some level of access or presence on the network segment.
- Attack Vector: Likely Network or Adjacent for both vulnerabilities, given the nature of SMB and SQL Server interaction.
## Impact
Impact depends on the specific flaw, but the overall batch includes:
- 9 Critical vulnerabilities (5 RCE, 1 Info Disclosure, 2 EOP, 1 unknown/implied).
- **CVE-2025-55234**: Elevation of Privilege.
- **CVE-2024-21907**: Denial of Service.
Specific Confidentiality, Integrity, and Availability impacts for the zero-days are implied by their type (EOP, DoS) but not scored here.
## Remediation
### Patches
- Security updates released as part of the **Microsoft September 2025 Patch Tuesday** (September 9, 2025), including fixes for CVE-2025-55234 and CVE-2024-21907.
- Updates incorporating fixed versions of Newtonsoft.Json (addressing CVE-2024-21907) are included in the SQL Server updates.
- Support for **SMB Server Auditing** related to hardening features (Signing/EPA) is enabled starting with this update for CVE-2025-55234.
### Workarounds
- For **CVE-2025-55234**: Administrators should enable auditing on SMB servers to test compatibility before fully enforcing hardening features such as SMB Server Signing and SMB Server EPA, though immediate patching is critical given the public disclosure.
- For **CVE-2024-21907**: The fix is encapsulated in the SQL Server updates addressing the underlying library issue.
## Detection
- Detection methods should focus on monitoring network traffic for SMB connection attempts and on unusual exceptions or crashes in Microsoft SQL Server instances that deserialize JSON input.
- **CVE-2025-55234**: Monitor for abnormal relaying activity targeting SMB sessions. Admins should use the newly enabled auditing features to check for compatibility issues with SMB signing/EPA enforcement.
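As an added example (not part of the original report or of Microsoft's documentation), the PowerShell below reads the SMB server signing and EPA settings that determine exposure to CVE-2025-55234 relay attacks and summarises the SMB server audit log, so that client compatibility can be assessed before enforcement. The `SmbServerNameHardeningLevel` property (SMB server EPA, present only on newer Windows builds) and the `Microsoft-Windows-SMBServer/Audit` log name are assumptions; `EnableSecuritySignature` and `RequireSecuritySignature` are the standard `Get-SmbServerConfiguration` properties.

```powershell
# Added example: SMB signing/EPA posture check and audit-log summary.
# Run in an elevated session on the SMB server being assessed.

function Get-SmbHardeningPosture {
    $cfg = Get-SmbServerConfiguration

    # Assumption: EPA-style server name hardening is exposed as
    # SmbServerNameHardeningLevel on newer builds only, so read it
    # defensively and report "not available" instead of a finding.
    $epaProp  = $cfg.PSObject.Properties['SmbServerNameHardeningLevel']
    $epaLevel = if ($epaProp) { [int]$epaProp.Value } else { $null }

    [pscustomobject]@{
        SigningEnabled  = [bool]$cfg.EnableSecuritySignature
        SigningRequired = [bool]$cfg.RequireSecuritySignature   # enforced only when $true
        EpaLevel        = $epaLevel                              # $null = not supported on this build
        BothEnforced    = ([bool]$cfg.RequireSecuritySignature) -and ($epaLevel -ge 1)
    }
}

function Get-SmbAuditSummary {
    param([int]$Hours = 24)
    $logName = 'Microsoft-Windows-SMBServer/Audit'   # assumed audit log name
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $logName
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the log is empty or absent; treat as "nothing to report".
        Write-Warning "No events in $logName for the last $Hours h: $($_.Exception.Message)"
        return @()
    }
    # Group by event ID so an admin can see which audit events (and which
    # clients) fire before switching signing/EPA from audit to enforce.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{n='EventId'; e={ $_.Name }}, Count,
                      @{n='Sample';  e={ ($_.Group[0].Message -split "`n")[0] }}
}

Get-SmbHardeningPosture | Format-List
Get-SmbAuditSummary -Hours 24 | Format-Table -AutoSize
```

`BothEnforced` is true only when signing is required and an EPA level of 1 or higher is set; on builds without the EPA property it stays false even if signing alone is enforced.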
## References
- Vendor Advisory: Microsoft September 2025 Patch Tuesday documentation (implied via MSRC links).
- CVE-2025-55234 Advisory Link: hXXps://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-55234
- CVE-2024-21907 Advisory Link: hXXps://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21907
- Related Information on SMB Hardening: hXXps://support.microsoft.com/en-us/topic/support-for-audit-events-to-deploy-smb-server-hardening-smb-server-signing-smb-server-epa-056f7478-ee2c-43b9-b94b-c0ff06de1d8f