Microsoft has rolled out its latest updates during this month’s Patch Tuesday, addressing a total of 81 vulnerabilities. Among these, two have been classified as zero-day vulnerabilities, meaning they have been disclosed but not yet exploited in the wild.
Details of the Zero-Day Vulnerabilities
The first zero-day, identified as CVE-2024-21907, pertains to the improper handling of exceptional conditions in Newtonsoft.Json, a component of SQL Server. This bug first came to light in January 2024, although it may have been recognized as early as 2018, according to Adam Barnett, lead software engineer at Rapid7. He elaborated on the potential impact of this vulnerability:
“What happens if you ask SQL Server to deserialize a JSON object with thousands of levels of nested objects? If you guessed denial of service, then you are good at guessing, because that’s what CVE-2024-21907 describes.”
While this vulnerability may not seem particularly alarming at first glance, Barnett cautioned that the implications could be significant, especially for SQL Server instances that support critical operations in sectors such as healthcare and transportation.
The second zero-day, CVE-2025-55234, involves a Windows SMB elevation of privilege (EoP) vulnerability that can be exploited remotely. Kev Breen, senior director of threat research at Immersive, explained the mechanics of this vulnerability:
“Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution.”
Breen also noted that the SMB Server has built-in capabilities to mitigate replay attacks through features like SMB Server Signing and Extended Protection for Authentication. However, organizations are advised to evaluate the potential impact of enabling these features, as they may disrupt certain third-party integrations or network configurations. To assist users, Microsoft is providing audit capabilities to help assess compatibility issues prior to activating these additional security measures.
Additional Vulnerabilities of Concern
Breen highlighted several other EoP vulnerabilities that were addressed in this Patch Tuesday, which Microsoft has flagged as “exploitation more likely.” These include:
- CVE-2025-54110, affecting the Windows Kernel
- CVE-2025-54093, related to the Windows TCP/IP Driver
- CVE-2025-54098, found in the Windows Hyper-V system
While local privilege escalation vulnerabilities may not always receive high CVSS scores, Breen emphasized their importance. Once a threat actor gains initial code execution through a remote code execution (RCE) vulnerability, stolen credentials, or a phishing attack, they typically seek to escalate their permissions both locally and across the domain. With elevated system or administrator-level permissions, attackers can disable security tools and logging, as well as deploy additional malware to facilitate lateral movement within the network.
In total, this month’s updates address 41 EoP vulnerabilities and 22 RCE flaws, with only two of the former and five of the latter rated as critical.
