For September, Patch Tuesday means fixes for Windows, Office and SQL Server
Microsoft released 86 patches this week with updates for Office, Windows, and SQL Server. But there were no zero-days, so there’s no “patch now” recommendation from the Readiness team this month. This is an incredible sign of success for the Microsoft update group.
To reinforce this fact, the patches for Microsoft’s browser platform have (perhaps for the first time) been rated “moderate” rather than critical or important. More detail has been added to September’s testing recommendations, given the reduced urgency (and therefore extra time) to deploy this month’s patches.
To help navigate these changes, Readiness has crafted a helpful infographic detailing the risks of deploying updates to each platform. (More information about recent Patch Tuesday releases is available here.)
Known issues
Microsoft reported an edge case affecting hotpatched devices that have installed the September 2025 Hotpatch update (KB5065306) or the September 2025 security update (KB5065432). These devices might experience failures with PowerShell Direct (PSDirect) connections when the host and guest virtual machines (VMs) are not both fully updated. (Microsoft is investigating the problem.) Separately, a major issue with last month’s update caused some of our clients unwarranted UAC prompts on MSI Installer package repair. That has now been resolved, and our testing confirmed that MSI Installer repairs work as intended. Thank you (Microsoft) for the quick fix.
Major revisions and mitigations
The following revisions to previous Microsoft updates require administrator attention and possibly additional actions on top of this month’s release:
- CVE-2025-48807: Windows Hyper-V Remote Code Execution Vulnerability. To comprehensively address this vulnerability, Microsoft released September 2025 security updates for Windows Server 2016, Windows 11, and newer x64-based editions of Windows 10.
- CVE-2025-21293: Active Directory Domain Services Elevation of Privilege Vulnerability. To comprehensively address CVE-2025-21293, Microsoft has released security update KB5065426 for Windows Server 2025 and Windows 11 systems. Customers who install Microsoft (in-memory) Hotpatch updates should install KB5065474 to be protected.
- CVE-2025-49734: PowerShell Direct Elevation of Privilege Vulnerability. Microsoft updated its “affected products” table, as PowerShell 7.4 and now 7.5 are affected. Additional information can be found in this GitHub posting.
Also, this month Microsoft made two “information only” changes to how two vulnerabilities (CVE-2025-29833 and CVE-2025-29954) were addressed in August.
Windows lifecycle and enforcement updates
Microsoft did not publish any enforcement updates. However, the Secure Boot certificates used by most Windows devices begin to expire in June 2026. To avoid boot disruption, review Microsoft’s guidance and roll the updated 2023 certificates out in advance; the earlier you know which of your devices still only carry the 2011 certificates, the more time you have to deal with firmware that needs an OEM update first.
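As an added example (not code from the column or from Microsoft), the following PowerShell reports whether a device’s Secure Boot DB and KEK already contain the 2023 certificates. It reads the UEFI variables with the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets and matches the certificate subject names Microsoft documents for the 2011 and 2023 CAs; the substring match on the raw variable bytes is an assumption that works because the subject names are stored as ASCII inside the DER-encoded certificates.

```powershell
# Added example: inventory the 2011 vs 2023 Secure Boot certificates on this device.
# Requires an elevated session on a UEFI system with Secure Boot enabled.
#Requires -RunAsAdministrator

function Get-SecureBootCertStatus {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems.
        throw "Secure Boot state could not be read: $($_.Exception.Message)"
    }
    if (-not $enabled) {
        throw 'Secure Boot is disabled on this device; the certificate rollover does not apply until it is enabled.'
    }

    # The DB (allowed signers) and KEK (key exchange keys) are opaque byte arrays.
    # Certificate subject names are embedded as ASCII, so a plain substring match
    # is enough to tell which generation of Microsoft certificates is present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $status = [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Db_WindowsPCA2011     = $db  -match 'Microsoft Windows Production PCA 2011'
        Db_WindowsUefiCA2023  = $db  -match 'Windows UEFI CA 2023'
        Db_ThirdPartyCA2011   = $db  -match 'Microsoft Corporation UEFI CA 2011'
        Db_ThirdPartyCA2023   = $db  -match 'Microsoft UEFI CA 2023'
        Kek_2011              = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek_2023              = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # A device is only fully migrated when both the boot manager signer (DB) and
    # the key used to service the DB (KEK) have their 2023 counterparts.
    $status | Add-Member -NotePropertyName 'Ready2023' -NotePropertyValue (
        $status.Db_WindowsUefiCA2023 -and $status.Kek_2023
    )
    return $status
}

Get-SecureBootCertStatus | Format-List
```

Run it through your usual remoting or endpoint-management tooling and keep the `Ready2023` column per device; devices that stay `False` after Microsoft’s update has been applied usually need a firmware update from the OEM before the KEK can be updated.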
Each month, Readiness analyzes the newest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large app portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.
This month’s updates require focused testing across network infrastructure, graphics subsystems, and authentication components. There are significant updates to core networking protocols, DirectX graphics functionality, and Bluetooth connectivity that demand immediate validation. These updates affect both client and server environments, with particular attention needed for organizations using Routing and Remote Access Services (RRAS) and those with complex Bluetooth device management requirements.
Network infrastructure and connectivity
Microsoft updated core network communication components, including socket handling and IPv6 functionality. These low-level network changes can significantly affect enterprise connectivity and require comprehensive validation across different network scenarios:
- Send and receive packets over the network using both IPv4 and IPv6 protocols.
- Test large file transfers over IPv6 networks to validate performance and stability.
- Validate various network traffic conditions, including file transmission, remote desktop connections, and web browsing.
- Test messaging applications like Microsoft Teams or Skype with connect/disconnect/reconnect cycles.
Graphics, DirectX and Application Guard
This month sees substantial updates to graphics subsystems and security isolation components that require testing to ensure graphics applications render correctly without screen corruption or performance degradation:
- Validate the critical updates for DirectX functionality and Windows Defender Application Guard.
- Execute applications and UWP apps that use DirectComposition functionality to ensure there’s no flickering or display anomalies.
- Test DirectX API usage on Hyper-V guests with GPU-PV enabled across multi-threaded scenarios.
- Validate Windows Defender Application Guard functionality with Office apps and Microsoft Edge.
Authentication and Directory Services
Critical updates to authentication components require thorough testing of domain and workstation authentication scenarios:
- Use NTLM and Kerberos protocols to authenticate users on both workstation-joined and domain-joined machines.
- Exercise the LogonUserEx API from client applications to ensure programmatic authentication works correctly.
- Test secondary logon (RunAs) scenarios across different user contexts.
- Validate CredSSP (Credential Security Support Provider) functionality.
- Test Active Directory components including Active Directory Certificate Services and LDAP operations.
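To turn the NTLM/Kerberos and RunAs items above into a repeatable post-patch check, here is an added PowerShell example (not the Readiness team’s tooling). It verifies the machine’s secure channel to the domain and then summarizes recent Security event 4624 logons by authentication package, so a patch that silently pushes sessions from Kerberos down to NTLM (or to NTLMv1) shows up as a number rather than a hunch. The event field names are the standard 4624 fields; the time window is an arbitrary parameter.

```powershell
# Added example: summarize how recent logons authenticated after patching.
# Run elevated on a domain-joined machine (the Security log needs admin rights).
#Requires -RunAsAdministrator

function Get-LogonAuthSummary {
    param([int]$Hours = 1)

    # Secure channel to the domain: a broken trust surfaces here before anything else.
    $secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # Event 4624 carries AuthenticationPackageName (Kerberos / NTLM / Negotiate),
    # LmPackageName (NTLM V1 / NTLM V2 when NTLM was used) and the LogonType.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType = [int]$data.LogonType
            Package   = $data.AuthenticationPackageName
            NtlmLevel = $data.LmPackageName
        }
    }

    [pscustomobject]@{
        SecureChannelOK = [bool]$secureChannel
        KerberosLogons  = @($rows | Where-Object Package -eq 'Kerberos').Count
        NtlmLogons      = @($rows | Where-Object Package -eq 'NTLM').Count
        NtlmV1Logons    = @($rows | Where-Object NtlmLevel -eq 'NTLM V1').Count
        RecentLogons    = $rows
    }
}

$summary = Get-LogonAuthSummary -Hours 2
$summary | Select-Object SecureChannelOK, KerberosLogons, NtlmLogons, NtlmV1Logons

# Secondary logon (RunAs) check: a plain "runas" with explicit credentials lands as
# LogonType 2 (interactive); "runas /netonly" lands as LogonType 9 (NewCredentials).
# Run one of each before calling this, then confirm both appear for the expected account.
$summary.RecentLogons | Where-Object LogonType -in 2, 9 | Format-Table -AutoSize
```

Compare the Kerberos/NTLM ratio against a baseline captured before the update on the same machine; the absolute numbers depend on what is logging in, but a shift of domain logons toward NTLM after patching is the regression this section is asking you to look for.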
Bluetooth device management
This month’s updates to Bluetooth require device pairing and management testing that includes:
- Simultaneous Device Management: Pair and unpair multiple Bluetooth devices (earbuds, keyboards, speakers) simultaneously via Swift Pair or Settings to stress-test concurrent operations.
- Multiple Adapter Support: Connect both internal and external Bluetooth adapters and test device pairing using each adapter independently.
- PIN and Consent Flow: Use Bluetooth keyboards requiring PIN entry, test pairing with correct and incorrect PINs, and verify graceful error handling and retry mechanisms.
- Monitor for UI hangs, pairing failures, or stale device entries during intensive Bluetooth operations.
Routing and Remote Access Services (RRAS)
Significant updates to RRAS components require comprehensive testing for organizations using routing and remote access functionality:
- Perform configuration and viewing operations using the Routing and Remote Access management console for both local and remote installations.
- Test different property pages (DHCP, NAT, RIP, IGMP, and BOOTP) to ensure they display correct information for valid configurations.
- Ensure that invalid configurations are handled correctly by showing appropriate error dialogs or preventing access to misconfigured sections.
- Exercise remote RRAS server management tasks to ensure remote administration capabilities remain functional.
HTTP services and web infrastructure
Updates to core HTTP handling components require validation of modern web protocols and caching mechanisms:
- Enable BranchCache and configure HTTP server applications to cache responses.
- Send HTTP/2 and HTTP/3 requests to validate next-generation protocol support.
- Ensure request-response cycles complete without system crashes or bug-checks.
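An added PowerShell example (not from the column) for the HTTP/2 and HTTP/3 item: it issues the same request at each protocol version from a patched client and records what the server actually negotiated, which is the data point you need when a client-side HTTP.sys or WinHTTP change breaks only the newer protocols. It relies on the `-HttpVersion` parameter of `Invoke-WebRequest`, which exists in PowerShell 7.3 and later but not in Windows PowerShell 5.1; the target URL is a placeholder for a server under test, and the BranchCache status line assumes the BranchCache module is present.

```powershell
# Added example: probe an endpoint over HTTP/1.1, HTTP/2 and HTTP/3 and report the
# negotiated version. Requires PowerShell 7.3+ (for -HttpVersion).
#Requires -Version 7.3

function Test-HttpVersions {
    param(
        [Parameter(Mandatory)][uri]$Uri,
        [string[]]$Versions = @('1.1', '2.0', '3.0')
    )
    foreach ($v in $Versions) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $r = Invoke-WebRequest -Uri $Uri -HttpVersion $v -Method Head -TimeoutSec 10 -ErrorAction Stop
            $sw.Stop()
            [pscustomobject]@{
                Requested  = $v
                # BaseResponse is the underlying HttpResponseMessage; Version is what was
                # actually negotiated (the client may fall back to a lower version).
                Negotiated = $r.BaseResponse.Version.ToString()
                Status     = [int]$r.StatusCode
                Ms         = $sw.ElapsedMilliseconds
                Error      = $null
            }
        } catch {
            $sw.Stop()
            [pscustomobject]@{
                Requested  = $v
                Negotiated = $null
                Status     = $null
                Ms         = $sw.ElapsedMilliseconds
                Error      = $_.Exception.Message
            }
        }
    }
}

# Placeholder target: replace with an internal server that advertises HTTP/2 and HTTP/3.
Test-HttpVersions -Uri 'https://intranet.example.internal/' | Format-Table -AutoSize

# BranchCache state on this client, if the module is installed (assumed, not required).
if (Get-Command Get-BCStatus -ErrorAction SilentlyContinue) {
    (Get-BCStatus).BranchCacheIsEnabled
}
```

A request for `3.0` that comes back negotiated as `2.0` is not a failure by itself (the server may not offer QUIC); the regression to look for is a version that worked before the update and now errors or drops a level.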
Filesystem and storage operations
Core filesystem components were patched this month, affecting file operations and virtual disk management, and will require the following tests:
- Use PowerShell’s Mount-DiskImage cmdlet to attach VHD files to NTFS volumes.
- Test App Silos functionality with applications that perform filesystem access.
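For the Mount-DiskImage item above, here is an added PowerShell routine (not from the column) that attaches a VHD, performs a write/read round-trip on each NTFS volume it exposes, and dismounts it in a `finally` block so a failing test does not leave the image attached. The VHD path is a placeholder; the Storage module cmdlets used (`Mount-DiskImage`, `Get-Disk`, `Get-Partition`, `Get-Volume`, `Dismount-DiskImage`) ship with Windows.

```powershell
# Added example: mount a VHD, exercise file I/O on its NTFS volumes, dismount it.
#Requires -RunAsAdministrator

function Test-VhdMount {
    param([Parameter(Mandatory)][string]$ImagePath)

    # -PassThru returns the DiskImage object so we can walk down to its volumes.
    $image = Mount-DiskImage -ImagePath $ImagePath -PassThru -ErrorAction Stop
    try {
        $volumes = $image | Get-Disk | Get-Partition | Get-Volume |
            Where-Object FileSystem -eq 'NTFS'
        if (-not $volumes) { throw "No NTFS volume found in $ImagePath" }

        foreach ($vol in $volumes) {
            # Volumes without a drive letter are still reachable via their \\?\Volume{...}\ path.
            $root  = if ($vol.DriveLetter) { '{0}:\' -f $vol.DriveLetter } else { $vol.Path }
            $probe = Join-Path $root ('patchtest-{0}.tmp' -f [guid]::NewGuid())
            $ok = $false
            try {
                Set-Content -Path $probe -Value 'ok' -ErrorAction Stop
                $ok = (Get-Content -Path $probe -ErrorAction Stop) -eq 'ok'
            } finally {
                Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{ Image = $ImagePath; Volume = $root; SizeGB = [math]::Round($vol.Size / 1GB, 1); WriteReadOK = $ok }
        }
    } finally {
        # Always detach, even if the probe write threw.
        Dismount-DiskImage -ImagePath $ImagePath | Out-Null
    }
}

# Placeholder path to a test VHD that already contains an NTFS volume.
Test-VhdMount -ImagePath 'C:\Test\patchtest.vhdx' | Format-Table -AutoSize
```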
Additional app testing
Privacy and capability management components require testing to ensure user privacy controls work correctly:
- Validate that privacy permission changes take effect immediately and persist across system reboot.
- Validate VPN connection scenarios across different VPN providers and protocols.
- Test applications using XAML UI frameworks including Microsoft Photos and modern UWP applications.
- Verify Remote PowerShell functionality using Invoke-Command and New-PSSession cmdlets.
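The remote PowerShell item above and the PowerShell Direct known issue from the top of the column both come down to the same check, so here is one added example (not Microsoft’s or the Readiness team’s code) that exercises both paths: WinRM remoting with `New-PSSession`/`Invoke-Command -ComputerName`, and PowerShell Direct with `Invoke-Command -VMName`. It returns the full OS build (build number plus UBR) on each side, because the PSDirect issue only shows when host and guest are not both fully updated and a build mismatch is the first thing to rule out. It must run on a Hyper-V host; the remote host name, VM name and credential are placeholders.

```powershell
# Added example: verify WinRM remoting and PowerShell Direct, reporting builds on both sides.

# Script block run on each side; it references no outer variables so it serializes cleanly.
$buildProbe = {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Host  = $env:COMPUTERNAME
        Build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR   # e.g. 26100.6584 (constructed)
    }
}

function Test-RemotingPaths {
    param(
        [string]$RemoteHost,
        [string]$VMName,
        [pscredential]$VMCredential
    )
    $local   = & $buildProbe
    $results = [System.Collections.Generic.List[object]]::new()

    if ($RemoteHost) {
        $session = $null
        try {
            $session = New-PSSession -ComputerName $RemoteHost -ErrorAction Stop
            $remote  = Invoke-Command -Session $session -ScriptBlock $buildProbe -ErrorAction Stop
            $results.Add([pscustomobject]@{ Path = 'WinRM'; Target = $RemoteHost; Ok = $true
                LocalBuild = $local.Build; RemoteBuild = $remote.Build; Error = $null })
        } catch {
            $results.Add([pscustomobject]@{ Path = 'WinRM'; Target = $RemoteHost; Ok = $false
                LocalBuild = $local.Build; RemoteBuild = $null; Error = $_.Exception.Message })
        } finally {
            if ($session) { Remove-PSSession $session }
        }
    }

    if ($VMName) {
        try {
            # PowerShell Direct: no network path, goes over the VMBus; requires guest credentials.
            $guest = Invoke-Command -VMName $VMName -Credential $VMCredential -ScriptBlock $buildProbe -ErrorAction Stop
            $results.Add([pscustomobject]@{ Path = 'PSDirect'; Target = $VMName; Ok = $true
                LocalBuild = $local.Build; RemoteBuild = $guest.Build; Error = $null })
        } catch {
            $results.Add([pscustomobject]@{ Path = 'PSDirect'; Target = $VMName; Ok = $false
                LocalBuild = $local.Build; RemoteBuild = $null; Error = $_.Exception.Message })
        }
    }
    return $results
}

# Placeholders: an existing WinRM-enabled host and a running VM on this Hyper-V host.
$cred = Get-Credential -Message 'Guest VM local administrator'
Test-RemotingPaths -RemoteHost 'srv-app01' -VMName 'vm-test01' -VMCredential $cred | Format-Table -AutoSize
```

A `PSDirect` row with `Ok = False` and a `LocalBuild` that differs from what the guest reports through another channel (console, or WinRM if it is reachable) is the pattern Microsoft describes in the known issue; bring both sides to the same September build before treating it as a new bug.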
This month’s updates emphasize network reliability, graphics performance and security isolation. Organizations should prioritize testing in network-intensive environments and those with complex authentication requirements. Pay particular attention to Bluetooth device management if your environment relies heavily on wireless peripherals, and ensure RRAS functionality is thoroughly validated before deploying to production routing infrastructure.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Browsers
Microsoft published five internal updates (rated moderate) to its browser platform and four updates to the Chromium engine (CVE-2025-9864, CVE-2025-9865, CVE-2025-9866 and CVE-2025-9867). These low-profile changes can be added to your standard release calendar.
Microsoft Windows
The following areas have been updated with seven critical patches and 29 rated important. The critical patches address vulnerabilities in the following features of the Windows platform:
- Graphics, Win32 (GRFX) and GDI and Kernel drivers
- Windows NTLM authentication
- Windows Imaging (Windows sub-system)
Unusually, and given the absence of reports of public disclosure or exploits, the Readiness team recommends a standard release schedule for Windows. There is plenty to test, so use this extra time to your advantage.
Microsoft Office
Microsoft released two critical updates to the Office platform (CVE-2025-54910 and CVE-2025-53799) that address vulnerabilities in Office itself (not specific to Word or Excel). There are also 15 patches rated important. None of these issues involves a preview pane attack vector, so they can be added to your standard update release cycle.
Microsoft Exchange and SQL Server
Microsoft published two updates rated important (CVE-2025-47997 and CVE-2024-21907). Neither SQL patch is reported as publicly disclosed or as exploited in the wild. As there are no Microsoft Exchange updates, add these SQL Server patches to your standard server update schedule. It goes without saying that the SQL Server patches will require a reboot.
Developer Tools
There were no updates to Microsoft developer tools and platforms (Visual Studio and Microsoft .NET) this cycle.
Adobe (and third-party updates)
Microsoft released a single update for third-party products. The Newtonsoft vulnerability (CVE-2024-21907) is a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1: crafted data passed to the JsonConvert.DeserializeObject method (in practice, deeply nested JSON) could trigger a StackOverflow exception, resulting in denial of service. Version 13.0.1 mitigates this by enforcing a default MaxDepth of 64 during deserialization, so applications that bundle their own copy of Newtonsoft.Json need to update it independently of the SQL Server patch. Since there are no Adobe updates from Microsoft this month, I continue to promise to retire this section, maybe.
Original Link:https://www.computerworld.com/article/4056516/for-september-patch-tuesday-means-fixes-for-windows-office-and-sql-server.html
Originally Posted: Fri, 12 Sep 2025 19:10:12 +0000