Microsoft pushed its September 2025 monthly security updates on Patch Tuesday, delivering a broad set of fixes that address dozens of vulnerabilities across Windows client, server, and Microsoft server products — including multiple emergency severity fixes for remote code execution and a high‑severity remote code execution flaw affecting Microsoft’s HPC Pack that Microsoft rates as critical. (msrc.microsoft.com)
Overview
This month’s release is part of the normal Patch Tuesday cadence (second Tuesday of each month) and contains cumulative updates and hotpatch options for several Windows SKUs. Microsoft’s September 2025 bulletin highlights emergency‑level fixes for Windows 11 v24H2/v23H2, Windows 10 v22H2, Windows Server 2025 and several older server releases, plus important patches for SQL Server and updates for Office and SharePoint products. (msrc.microsoft.com)

Independent reporting and aggregated security trackers describe the release as a large, urgent cycle — multiple outlets report the package fixes dozens of CVEs (public counts vary by outlet between roughly 79 and 86 CVEs), including a handful of zero‑day or publicly disclosed vulnerabilities that administrators should prioritize. (cyberinsider.com, support.microsoft.com)
Background: what changed this month
What Microsoft published
- Monthly security updates published September 9, 2025 (US time), appearing as cumulative updates (LCU + SSU) for Windows client and server families and as product‑specific fixes for Office, SharePoint, SQL Server and Azure components. (msrc.microsoft.com, support.microsoft.com)
- Microsoft offered hotpatch(es) for certain server and Windows Server Core scenarios where immediate remediation without reboot is supported; KB numbers for the hotpatches were published alongside the main KBs. (msrc.microsoft.com)
The most attention‑grabbing items
- A high‑severity remote code execution issue in Microsoft High Performance Compute (HPC) Pack is highlighted by Microsoft with a very high base score (MSRC explicitly flags it as high impact and urges rapid deployment). Administrators who run HPC Pack were specifically called out to triage and patch quickly. (msrc.microsoft.com)
- Microsoft will remove the DES encryption algorithm from Kerberos for Windows Server 2025 and Windows 11 version 24H2 once systems install updates released on or after September 9, 2025 — a planned deprecation to reduce legacy cipher surface and enforce stronger ciphers such as AES. Microsoft has published guidance to detect and migrate DES usage prior to the update to avoid authentication disruptions. (techcommunity.microsoft.com, msrc.microsoft.com)
Exactly what products are affected
Microsoft’s bulletin lists the following product families with the maximum severity and impact callouts:
- Windows 11 v24H2 / v23H2 — emergency severity; RCEs in core components; hotpatches published for v24H2 where supported. (msrc.microsoft.com)
- Windows 10 v22H2 — emergency RCE fixes. (msrc.microsoft.com)
- Windows Server 2025 / 2022 / 23H2 / 2019 / 2016 — emergency RCEs; multiple KBs and some hotpatches available. (msrc.microsoft.com)
- Microsoft Office & SharePoint — emergency to critical RCE fixes; administrators should apply updates that match their on‑premises versions. (msrc.microsoft.com)
- Microsoft SQL Server — important updates addressing privilege escalation issues and related server concerns. (msrc.microsoft.com)
- Microsoft Azure components — emergency fixes published for certain Azure services. (msrc.microsoft.com)
Deep dive: the HPC Pack RCE and CVE numbering confusion
Microsoft’s September bulletin identifies a remote code execution vulnerability in Microsoft HPC Pack that it considers high impact, and it highlights a high CVSS base score in its writeup. The MSRC post calls attention to CVE‑2025‑55232 and describes exploitation conditions that allow RCE without authentication or user interaction for certain affected configurations. (msrc.microsoft.com)

Important notes and verification:
- Microsoft’s MSRC advisory explicitly flags the HPC Pack RCE as high severity and recommends immediate mitigation for affected deployments. (msrc.microsoft.com)
- At the time of publication, some third‑party trackers and advisories reference different CVE identifiers for earlier or related HPC Pack issues (for example, CVE‑2025‑21198 appears in historical advisories from February 2025). Public reporting and data feeds occasionally show overlapping or inconsistently labeled advisories for HPC components; administrators should rely on Microsoft’s MSRC bulletin and the Security Update Guide (the vendor of record) to map CVE identifiers to specific KBs and fixed product versions. (github.com, msrc.microsoft.com)
Kerberos: DES removal — why it matters and how to prepare
Microsoft is intentionally removing the legacy Data Encryption Standard (DES) cipher from Kerberos on Windows Server 2025 and Windows 11 v24H2 after September 9, 2025 updates. This change is part of Microsoft’s longer‑term push to retire legacy ciphers and harden authentication. (techcommunity.microsoft.com, msrc.microsoft.com)

Why this is important:
- Compatibility risk: Some legacy applications and older third‑party devices still negotiate DES‑based Kerberos keys. If a domain environment still depends on DES keys for service principal names or older accounts, those services can break after the update unless migrated to AES ciphers. (techcommunity.microsoft.com)
- Security benefit: DES is considered weak by modern standards and susceptible to brute‑force and known cryptanalysis; removing it reduces an attack surface and enforces stronger, FIPS‑friendly ciphers such as AES. (techcommunity.microsoft.com)
How to prepare:
- Inventory: Identify accounts and services with legacy DES keys. Use event log analysis (Kerberos event IDs such as 4768/4769) and PowerShell detection scripts Microsoft provides. (techcommunity.microsoft.com)
- Reconfigure: Recreate service accounts or rotate keys so that AES ciphers are used. Update any devices (network appliances, legacy apps) that only support DES. (techcommunity.microsoft.com)
- Pilot: Apply the September updates in a pilot group and test authentication flows (domain join, Kerberos SSO, service-to-service crypto negotiation). (techcommunity.microsoft.com)
- Policy review: Remove any Group Policy or local policy settings that re‑enable DES; document changes, and ensure fallback/rescue processes exist. (techcommunity.microsoft.com)
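The inventory step above is the one most environments get wrong, because DES usage can be configured in two places: in the directory (an account that permits or forces DES keys) and in practice (a client or service that actually negotiated a DES ticket). The following PowerShell is an added example written for this article, not Microsoft’s published DES detection script, and it checks both sides. It assumes it is run against a domain controller with read access to the Security log, that Kerberos authentication and service‑ticket auditing are enabled, and that the RSAT ActiveDirectory module is installed; `$Server` and `$DaysBack` are hypothetical parameters, and the etype numbers and attribute bits are the standard Kerberos/Active Directory values.

```powershell
# Added example (not Microsoft's detection script): find DES usage before installing the
# September 2025 update on Windows Server 2025 / Windows 11 v24H2 hosts.
# Assumes: run on or against a domain controller, Security-log read access, RSAT AD module.
param(
    [string]$Server   = $env:COMPUTERNAME,   # hypothetical: DC whose Security log to query
    [int]   $DaysBack = 7                    # hypothetical: audit window; widen to catch monthly jobs
)
Import-Module ActiveDirectory

# Kerberos etype numbers as logged in the TicketEncryptionType field of events 4768/4769:
# 0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5, 0x11 AES128, 0x12 AES256, 0x17 RC4-HMAC
$DesEtypes = @('0x1', '0x3')

function Get-DesKerberosEvents {
    # Returns TGT requests (4768) and service-ticket requests (4769) that negotiated a DES key.
    # Requires "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations".
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddDays(-$DaysBack) }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $data['TargetUserName']
                Service = $data['ServiceName']        # krbtgt for 4768, the target SPN's account for 4769
                Client  = $data['IpAddress']
                Etype   = $data['TicketEncryptionType']
            }
        } |
        Where-Object { $DesEtypes -contains $_.Etype }
}

function Get-DesConfiguredAccounts {
    # Returns users/computers whose directory object still permits or forces DES:
    #   msDS-SupportedEncryptionTypes bit 0x1 (DES_CBC_CRC) or 0x2 (DES_CBC_MD5)
    #   userAccountControl bit 0x200000 (USE_DES_KEY_ONLY)
    # 1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule, ...803 is bitwise-AND.
    $ldap = '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
    Get-ADObject -LDAPFilter $ldap -Properties msDS-SupportedEncryptionTypes, userAccountControl, servicePrincipalName |
        Select-Object Name, ObjectClass,
            @{ n = 'SupportedEtypes'; e = { '0x{0:X}' -f [int]$_.'msDS-SupportedEncryptionTypes' } },
            @{ n = 'DesKeyOnly';      e = { ([int]$_.userAccountControl -band 0x200000) -ne 0 } },
            @{ n = 'SPNs';            e = { $_.servicePrincipalName -join ';' } }
}

$events   = @(Get-DesKerberosEvents)
$accounts = @(Get-DesConfiguredAccounts)

"DES tickets issued in the last $DaysBack day(s): $($events.Count)"
$events | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count, @{ n = 'Clients'; e = { ($_.Group.Client | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

"Accounts whose directory object still allows DES: $($accounts.Count)"
$accounts | Format-Table -AutoSize
```

Run it against every domain controller (tickets are only logged on the DC that issued them) and over a window long enough to catch scheduled jobs. An account that appears in the event list but not in the directory list is being driven to DES by the client or service, not by its own configuration, so the fix is on the device side. When you then clear the DES bits on an account, remember that Kerberos keys are derived at password‑set time, so rotate the password afterwards or the account keeps only the keys it already had.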
Hotpatches, reboot behavior and known issues
- Microsoft continued to offer hotpatch (no‑reboot) options where supported; applicable hotpatch KBs were published to allow some server administrators to apply fixes with reduced downtime. Hotpatch availability depends on SKU, platform and whether the environment supports Windows hotpatch technology. (msrc.microsoft.com, support.microsoft.com)
- As with any large cumulative update, Microsoft also published a list of known issues for the KB packages (for example, an edge case affecting PowerShell Direct on hotpatched devices was documented with a specific workaround and an upcoming KB to address it). Administrators should review the per‑KB known issues before broad deployment. (support.microsoft.com, msrc.microsoft.com)
- The support KBs include servicing‑stack updates (SSU) combined with the latest LCU; Microsoft recommends installing the combined package to avoid sequencing problems in enterprise deployment pipelines. (support.microsoft.com)
Prioritization and triage — what to patch first
This month’s releases contain a mix of RCEs, privilege‑escalation bugs, and service‑specific hotfixes. A practical risk‑based triage:
- Tier 1 (patch immediately):
  - Internet‑exposed servers (RDP gateways, SMB servers, web and API servers) and domain controllers if there are fixes that affect authentication or Kerberos behavior. Publicly disclosed vulnerabilities that were released prior to the patch window fall into this bucket. (msrc.microsoft.com, support.microsoft.com)
  - Systems running Microsoft HPC Pack (apply vendor patches quickly; treat the HPC RCE as critical for affected clusters). (msrc.microsoft.com)
- Tier 2 (validate & deploy):
  - SQL Server instances and SharePoint farms — schedule maintenance windows and validate backups before applying updates; these components can be stateful and sensitive to patching order. (msrc.microsoft.com)
- Tier 3 (standard rollout):
  - Endpoints and non‑critical servers; follow ring‑based staged deployment after pilot validation, using your change control process. (support.microsoft.com)
- Back up critical systems and take snapshots where possible.
- Patch a small pilot group representing the broad hardware and software diversity in your environment.
- Monitor for telemetry anomalies (event logs, service availability, application telemetry) for 24–72 hours.
- If pilot is stable, proceed with wave deployments via WSUS/Windows Update for Business, or your chosen management tool. (support.microsoft.com, msrc.microsoft.com)
Strengths and positives in this month’s release
- Fast response for critical vectors: Microsoft published emergency guidance and hotpatches for high‑impact vulnerabilities, enabling zero‑downtime mitigations for some workloads where hotpatching is supported. (msrc.microsoft.com)
- Proactive hardening (DES removal): Removing DES from Kerberos on modern SKUs is the right security step, pushing organizations to modernize authentication ciphers rather than keep legacy weak defaults. The advance notice and published detection guidance give organizations a runway to migrate. (techcommunity.microsoft.com)
- Consolidated KBs and combined SSU packages: Packaging SSU + LCU together simplifies deployment sequencing and reduces a common source of update failures in enterprise pipelines. (support.microsoft.com)
Risks, caveats and things to watch
- Compatibility and authentication disruption risk from the DES removal. If you rely on legacy DES keys, domain authentication and older integrated apps could fail after installation of the update. This is an operational problem, not a security design flaw; it requires planning and migration. (techcommunity.microsoft.com)
- CVE identifier and third‑party feed inconsistencies. Administrators may see different CVE numbers for related issues in third‑party trackers; treat Microsoft’s MSRC advisory and the Security Update Guide as source of truth for which KB fixes which CVE and which file versions to install. Any discrepancy should be reconciled against the vendor advisory and the published KB. (msrc.microsoft.com, github.com)
- Potential regressions: Every large cumulative update carries a small risk of regression — examples from prior months included unintended UAC prompts for non‑admin users or application compatibility regressions after an update. Use pilot rings and test common business workflows before broad deployments. (support.microsoft.com)
- “Exploit Wednesday” risk window: Historically, newly published fixes are followed by increased scanning and potential exploit attempts. Systems that remain unpatched and reachable are higher‑risk over the following days and weeks. Prioritize external‑facing assets and exposed services. (msrc.microsoft.com, support.microsoft.com)
Quick operational checklist for administrators (copyable)
- Inventory: identify Internet‑facing services, domain controllers, and HPC Pack installations. (msrc.microsoft.com)
- Back up: snapshot VMs, export AD system state, and create SQL/SharePoint backups before patching. (support.microsoft.com)
- Pilot: apply the September updates to a small, representative cohort and validate key authentication and application flows. (support.microsoft.com)
- Migrate DES: run Microsoft’s DES detection scripts and reconfigure service accounts and devices to use AES before installing the September update on Windows 11 v24H2 / Server 2025 hosts. (techcommunity.microsoft.com)
- Deploy in rings: escalate to broader waves only after pilot validation. Use rollback and recovery plans if issues surface. (support.microsoft.com)
What to tell your helpdesk and users
- Expect reboots on many endpoints and servers; inform users about scheduled restarts and maintenance windows. (support.microsoft.com)
- If an application stops authenticating after updates on Windows 11 v24H2 or Server 2025, suspect DES migration issues and follow escalation procedures to IT. (techcommunity.microsoft.com)
- For any hotpatch failures or unexpected behavior, check the per‑KB known issues and apply the vendor’s recommended remediation KB (Microsoft published fixes for a small set of hotpatch–related edge cases). (support.microsoft.com, msrc.microsoft.com)
Final analysis and recommendation
This September 2025 Patch Tuesday release is substantial and includes several emergency‑rated fixes that materially reduce the attack surface for remote code execution and privilege escalation vectors. The combination of hotpatch availability and advance notice about Kerberos/DES removal demonstrates Microsoft’s effort to balance urgent remediation with operational continuity — but the DES removal is an operational pivot point that requires careful inventory and remediation before wide deployment on Windows 11 v24H2 and Windows Server 2025 hosts. (msrc.microsoft.com, techcommunity.microsoft.com)

Administrators should treat the release as urgent but apply a disciplined, staged rollout: pilot first, verify authentication and application compatibility (especially for services that historically relied on legacy ciphers), monitor closely, and then expand. For organizations running Microsoft HPC Pack, apply the referenced security updates immediately and confirm the CVE/KB mapping in your vendor telemetry because third‑party feeds sometimes label related issues differently; trust the MSRC advisory and the Security Update Guide for authoritative mapping. (msrc.microsoft.com, github.com)
Finally, for home and small‑business users the simplest path remains to ensure automatic updates are enabled and allow Windows Update to install the cumulative update. For large environments, coordinate the steps above, and do not let the DES migration catch you by surprise. (support.microsoft.com, techcommunity.microsoft.com)
(Notes: this article is based on Microsoft’s September 9, 2025 MSRC bulletin and the corresponding KB release notes and support pages; independent reporting and security trackers were used to verify counts and to highlight public disclosure and hotpatch coverage. Any CVE numbering discrepancies observed in third‑party feeds were flagged for caution — always verify CVE ↔ KB mappings against Microsoft’s official Security Update Guide and the MSRC advisory before executing a large‑scale deployment.) (msrc.microsoft.com, support.microsoft.com, github.com)
Source: GIGAZINE Today is the monthly 'Windows Update' day.