Microsoft shipped 86 security patches on September 9, 2025, addressing a sprawling set of vulnerabilities in Windows, Office, SQL Server, and other platforms. Yet only hours after the release, a sharp disagreement emerged over whether any of those flaws were already being exploited in the wild. Computerworld's initial read said no zero-days; several independent trackers countered that at least one or two had been publicly disclosed, setting off a round of confusion that IT administrators are still navigating.

Here's what's really happening, which bugs demand immediate triage, and how to cut through the conflicting signals.

Inside the September 2025 Patch Load

This month's payload touches nearly every corner of Microsoft's ecosystem. Cumulative updates rolled out for all supported Windows client and server versions, accompanied by servicing stack updates (SSUs) that are now bundled directly into the cumulative packages. Product-specific advisories covered .NET, Office, SQL Server, the High Performance Compute (HPC) pack, and Hyper-V. Microsoft also issued hardening controls—notably for SMB and NTLM—that shift the operational calculus for enterprises.

The headline CVE count varies depending on who's counting. Computerworld reported 86 fixes. BleepingComputer, SecPod, and several security vendors tallied 81. The gap stems from inclusion rules: some trackers count cloud-only, Edge, Xbox, or Mariner fixes, while others stick to on-premises Windows CVEs. The number isn't trivia; it's a reminder that raw counts mask the real question: which bugs matter for your environment?

The Vulnerabilities That Should Top Your List

SMB and NTLM Hardening (CVE-2025-55234)

This advisory is as much about configuration as code. Microsoft patched an SMB server weakness that could allow privilege escalation through relay attacks, but shipped it with an audit-first approach. The update adds new event IDs to help admins discover endpoints lacking SMB signing or Extended Protection for Authentication (EPA) before flipping the switch to enforce those protections. For any organization with legacy storage appliances, network backups, or exposed file shares, that telemetry is gold—but the underlying fix itself is critical.

HPC Pack Remote Code Execution (CVE-2025-55232)

A critical rating and a high CVSS score make this one the cycle's most urgent for research labs, universities, and financial modeling shops that rely on Microsoft's HPC Pack. The management interface often listens on TCP/5999, and if it's reachable from the network, an unauthenticated attacker could gain remote code execution. Microsoft's guidance is blunt: isolate clusters behind firewalls, block or filter that port, and patch aggressively.

Office Document Parsing (CVE-2025-54910)

A heap overflow in the way Office handles crafted documents got patched, and like so many Office bugs before it, this one can be triggered through the preview pane or thumbnail rendering in Explorer and Outlook. That lowers the exploitation bar significantly in environments with shared mailboxes, VDI pools, or heavy document collaboration. Administrators should consider disabling preview panes temporarily until Office updates propagate.

SQL Server and Newtonsoft.Json

Server-side apps that deserialize untrusted JSON got a fix for a denial-of-service vulnerability in older versions of the Newtonsoft.Json library. This isn't just a SQL Server problem; the library is bundled into many Microsoft server components. Upgrading to Newtonsoft.Json 13.0.1 or later, and applying the vendor KBs that address the embedded dependency, closes the stack-overflow vector that could crash services.
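
Because the library ships embedded inside other products, the first practical step is finding every copy of it. The following PowerShell function is an added example, not Microsoft's tooling or anything from the article: it walks the root paths you give it, reads the file version of each Newtonsoft.Json.dll it finds, and flags copies below the 13.0.1 level the article names. The root paths in the usage line are placeholders; substitute your own application and web roots.

```powershell
# Inventory Newtonsoft.Json.dll copies under one or more roots and flag those
# older than the 13.0.1 fix level. Added example; the threshold comes from the
# article, the paths you pass in are your own.
function Find-NewtonsoftJson {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Root,          # directories to scan
        [version] $Fixed = [version]'13.0.1'               # first fixed release
    )
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Filter 'Newtonsoft.Json.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersion (e.g. 13.0.1.25517) carries the patch level;
            # AssemblyVersion stays at 13.0.0.0 across releases, so don't use it.
            $fv = $_.VersionInfo.FileVersion
            $parsed = $null
            $ok = [version]::TryParse(($fv -replace '[^0-9.].*$', ''), [ref]$parsed)
            # An unparseable or missing version is reported as needing review
            # rather than silently treated as safe.
            $needsReview = (-not $ok) -or ($parsed -lt $Fixed)
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $fv
                Vulnerable  = $needsReview
                Owner       = (Split-Path (Split-Path $_.FullName -Parent) -Leaf)  # parent folder hint
            }
        }
    }
}

# Usage (placeholder roots): list only the copies that still need attention.
# Find-NewtonsoftJson -Root 'C:\Program Files', 'C:\inetpub' |
#     Where-Object Vulnerable | Sort-Object Path | Format-Table -AutoSize
```

The output is a plain object list, so it can be exported with `Export-Csv` and reconciled against the KBs that replace the embedded copy; a copy that the vendor KB does not cover is the one to escalate.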

Other High-Value Targets

  • NTFS-related RCEs and kernel/driver privilege-escalation bugs: patch quickly if your systems mount untrusted file systems or network shares.
  • Hyper-V fixes: hypervisors are lateral movement multipliers; prioritize them when hosting multi-tenant or business-critical workloads.

The Zero-Day Controversy

Computerworld's summary was unequivocal: "There were no zero-days, so there's no 'patch now' recommendation from the Readiness team this month." The article even applauded the update group for delivering browser-platform fixes rated only "moderate," suggesting a calm patch cycle.

That narrative clashed with multiple independent analyses. SecurityWeek, Intrucept, and several readout blogs pointed to one or two publicly disclosed zero-days, citing the SMB advisory (CVE-2025-55234) and the Newtonsoft.Json/SQL Server issue as candidates. These outlets urged faster triage for those items, characterizing them as actively exploited or publicly known before the patch landed.

Why the discrepancy? It may come down to definitions. Microsoft's own severity and exploitation index sometimes classifies a bug as "Exploitation Less Likely" even when public proof-of-concept code exists, while third-party trackers might label that same bug a "zero-day" simply because it was known before patch day. Without a definitive statement from the Microsoft Security Response Center (MSRC) on each CVE's exploit status—something that often arrives after the initial release—teams are left reading tea leaves.

Operationally, the safe path is to treat the highest-rated RCE and elevation-of-privilege bugs as if they are under active exploitation until you can confirm otherwise from MSRC. Assume there are publicly disclosed, high-priority issues and validate each against the official Security Update Guide.

Testing and Deployment: A Prioritized Checklist

Blanket "patch now" or "patch later" edicts are too blunt. The forum's community guidance, echoed by several enterprise readiness groups, offers a measured sequence:

  1. Inventory and Risk Triage – Identify internet-facing services, domain controllers, hypervisors, HPC clusters, SQL instances, and heavy Office endpoints.
  2. Backups and Snapshots – SSU+LCU bundles complicate rollback. Snapshot VMs and export critical app states. Test restoration on at least one pilot server.
  3. Pilot Ring – Deploy to a representative group (including a domain controller in an isolated test domain if possible). Monitor for 24–72 hours, watching authentication flows (Kerberos, NTLM, service accounts) and app compatibility.
  4. Application Compatibility – Pay special attention to OLE DB drivers, third-party backup agents, and any software that calls Newtonsoft.Json.
  5. SMB Auditing – Before enabling strict SMB signing or EPA, turn on the new audit events to discover legacy clients. Use that data to remediate incompatible devices.
  6. Staged Rollout – Expand to server classes (domain controllers, internet-facing systems) before pushing to all endpoints.
  7. Mitigations When Patching Immediately Isn't Possible – Disable Office/Explorer preview panes, block TCP/5999 at the perimeter for HPC, enable SMB signing where feasible, and tighten firewall rules for SQL endpoints.
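
Steps 5 and 7 of that sequence are the ones an administrator actually types into a console, so here they are as PowerShell functions. This is an added example, not Microsoft's tooling and not part of the article. What it assumes: the Explorer registry values are the standard "Turn off Preview Pane" policy and the "always show icons, never thumbnails" setting; TCP/5999 is the HPC Pack port the article names; the SMB signing and EPA audit event IDs introduced by the update are not reproduced in the article, so `Get-SmbAuditClients` takes them as a mandatory parameter you fill in from Microsoft's KB, and the regex it uses to pull a client address out of the event text is an assumption. Run the mutating functions with `-WhatIf` first.

```powershell
# Checklist steps 5 and 7 as PowerShell (run elevated). Added example, not
# Microsoft's tooling; see the lead-in for what is assumed.

# Step 5: where does this server stand on SMB signing today?
# Get-SmbServerConfiguration is a standard SmbShare module cmdlet.
function Get-SmbSigningPosture {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SigningRequired = $cfg.RequireSecuritySignature   # enforcement on
        SigningEnabled  = $cfg.EnableSecuritySignature    # negotiated if client supports it
        EncryptData     = $cfg.EncryptData
        Smb1Enabled     = $cfg.EnableSMB1Protocol         # should be $false everywhere
    }
}

# Step 5 (discovery): summarise the new audit events by client address so
# legacy clients can be fixed before signing/EPA are enforced. Event IDs come
# from Microsoft's KB (not given in the article); the address regex is an
# assumption about the event text and handles IPv4 and full-form IPv6 only.
function Get-SmbAuditClients {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int[]] $EventId,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = $EventId; StartTime = $Since }
    $addr = '\b(?:\d{1,3}\.){3}\d{1,3}\b|(?:[0-9a-fA-F]{1,4}:){2,7}[0-9a-fA-F]{1,4}'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match $addr) { $Matches[0] } else { 'unparsed' } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

# Step 7: host-firewall block for the HPC Pack management port until the
# cluster is patched. Perimeter filtering remains the primary control; this
# is defence in depth on the node itself.
function Block-HpcManagementPort {
    [CmdletBinding(SupportsShouldProcess)]
    param([int] $Port = 5999)
    $name = "Block inbound TCP/$Port (HPC Pack management) pending CVE-2025-55232 patch"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }  # idempotent
    if ($PSCmdlet.ShouldProcess("TCP/$Port", 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Block -Profile Any | Out-Null
    }
}

# Step 7: turn off the Explorer preview pane and thumbnail rendering for the
# current user. NoPreviewPane backs the GPO "Turn off Preview Pane";
# ShowPreviewHandlers=0 and IconsOnly=1 stop preview handlers and thumbnails.
function Disable-ExplorerPreview {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    foreach ($p in $policy, $adv) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess('Explorer', 'Disable preview pane and thumbnails')) {
        Set-ItemProperty -Path $policy -Name NoPreviewPane       -Value 1 -Type DWord
        Set-ItemProperty -Path $adv    -Name ShowPreviewHandlers -Value 0 -Type DWord
        Set-ItemProperty -Path $adv    -Name IconsOnly           -Value 1 -Type DWord
    }
}

# Usage:
# Get-SmbSigningPosture
# Get-SmbAuditClients -EventId <IDs from the Microsoft KB> | Format-Table
# Block-HpcManagementPort -WhatIf
# Disable-ExplorerPreview -WhatIf
```

`Get-SmbAuditClients` is the piece that turns the audit-first design into a remediation list: the grouped output tells you which clients would break if `RequireSecuritySignature` were set today, which is exactly the question step 5 asks before step 6 widens the rollout.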

Strengths and Risks in Microsoft's Approach

September's release brings several welcome moves:
- The SMB audit-first tooling is a pragmatic nod to enterprises that can't break legacy overnight. It mirrors the kind of progressive hardening that makes real-world adoption possible.
- Bundling SSU inside the LCU eliminates the classic "missing servicing stack" errors, simplifying patch orchestration in large environments.
- Per-CVE documentation on MSRC provides explicit mitigation steps, which is essential for compliance-driven organizations.

But there are real downsides:
- Combined SSU packages make rollback difficult. Once a servicing stack updates, reverting often requires a full image restore. This raises the stakes for snapshot discipline.
- SMB hardening and legacy cipher deprecation can silently break old NAS devices, scanners, and third-party backup tools. Enterprises must treat DES migration and SMB signing as programs, not simple patch applications.
- Conflicting external reports on zero-days undermine confidence and can lead to either over-prioritization (wasting resources) or under-prioritization (leaving exposure). The only cure is to verify directly against Microsoft's Security Update Guide.

Who Needs to Act First

If you manage any of these, move within the next 24–72 hours:
- Internet-facing SharePoint, SQL Server, RDP gateways, or SMB shares.
- Domain controllers and identity infrastructure (Kerberos/NTLM).
- Hyper-V hosts, cloud hypervisors, and HPC clusters with management ports exposed.
- Systems that routinely handle documents from external parties (mail servers, VDI pools, shared desktops).

Cutting Through the Noise

The September 2025 Patch Tuesday is operationally significant, even if one outlet paints it as routine. It mixes critical RCE fixes, a heavy cluster of elevation-of-privilege bugs, and hardening controls that demand careful planning. The 86-patch figure from Computerworld is a useful headline, but the real work is mapping CVEs to your inventory and prioritizing based on exposure. The zero-day debate won't be settled by blog posts; it requires each security team to consult Microsoft's official bulletins and make a risk-informed call. In a cycle where even the security community can't agree on the urgency, disciplined verification is the only thing that reliably protects your network.