Below are the security fixes for the SharePoint on-premises versions released this month.
SharePoint Server 2016:
- KB 5002778 – SharePoint Server 2016 (language independent)
- KB 5002777 – SharePoint Server 2016 (language dependent)
Microsoft Support recommends installing the complete September 2025 CU for SharePoint 2016 rather than the individual security fixes.
SharePoint Server 2019:
- KB 5002775 – SharePoint Server 2019 (language independent)
- KB 5002774 – SharePoint Server 2019 (language dependent)
Microsoft Support recommends installing the complete September 2025 CU for SharePoint 2019 rather than the individual security fixes.
SharePoint Server Subscription Edition:
- KB 5002784 – SharePoint Server Subscription Edition
This security fix is identical to the September 2025 CU for SharePoint Server Subscription Edition.
Office Online Server:
- KB 5002776 – Office Online Server
More information:
Please make sure to review the SharePoint Patching Best Practices before applying new fixes.
Security Vulnerabilities fixed in this PU
| Vulnerability | Affected (one x per product; see Security Update Guide) | Impact | Max Severity |
|---|---|---|---|
| CVE-2025-54896 | x | Remote Code Execution | Important |
| CVE-2025-54897 | x x x | Remote Code Execution | Important |
| CVE-2025-54898 | x | Remote Code Execution | Important |
| CVE-2025-54900 | x | Remote Code Execution | Important |
| CVE-2025-54902 | x | Remote Code Execution | Important |
| CVE-2025-54903 | x | Remote Code Execution | Important |
| CVE-2025-54904 | x | Remote Code Execution | Important |
| CVE-2025-54905 | x x | Information Disclosure | Important |
| CVE-2025-54906 | x x | Remote Code Execution | Important |
See the Security Update Guide below for more details about the relevant fixes:

Permalink
Has anyone else reported an issue for Subscription Edition where the Secure Store Service Application can't retrieve credentials or details about entries? We're getting "Group claim validation failed" in our Dev and Test environments after applying the patch today, which has broken one of our custom applications (can't retrieve endpoint secrets).

```text
Decrypt Failed:System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
   at System.Security.Cryptography.CapiSymmetricAlgorithm.DepadBlock(Byte[] block, Int32 offset, Int32 count)
   at System.Security.Cryptography.CapiSymmetricAlgorithm.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing)
   at System.IO.Stream.Close()
   at Microsoft.Office.SecureStoreService.Server.DotNetSecureStoreCryptoProvider.DecryptInternal(Byte[] crypt, Byte[] secureKey, Byte[]& decryptedData)
```
Permalink
Reposting this here in case your favorite search engine drops you here instead of the other article:
From our Microsoft rep:
"It appears there have been some changes in some of our code that were to tighten security down, and it breaks how we decrypt claimshasvalues from the Secure Store. As far as I know, there is no way to fix this current issue, other than to recreate the TargetApplications on the SSSA (Secure Store Service Application)."
WORKAROUND (and it's not great, but I've tested it):
- Delete any existing damaged entries.
- If no entries remain, reset the store passphrase; otherwise refresh it with the original passphrase.
- Rebuild the entries the exact same way they were before the patch (hopefully you have those documented!!).
- Test affected applications.
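The two comments above describe a decryption failure on Secure Store target applications after the patch and a manual rebuild as the workaround. The script below is an added example, not code from the original post, from Microsoft, or from either commenter. It scripts that workaround with the SharePoint Management Shell cmdlets: it records the target application's definition before deleting it, refreshes or resets the store key exactly as the workaround branches, recreates the application with the saved field layout, sets the group credentials, and then reads them back through the SecureStoreProvider object model so the "Padding is invalid" failure would surface in the final step rather than in your application. The site URL, target application name, administrator, credentials-owner group, backup path and the credential values are placeholders for your own farm; the property names read from the SecureStoreApplication object (TargetApplication, Fields) are as I know them from the SharePoint object model.

```powershell
# Added example: rebuild one Secure Store target application after the patch
# and verify retrieval. All names below are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "https://sharepoint.contoso.local"      # assumption: any site served by the SSS proxy
$appName    = "EndpointSecrets"                       # assumption: the damaged target application
$adminUser  = "CONTOSO\spfarmadmin"                   # assumption: target application administrator
$ownerGroup = "CONTOSO\AppServiceAccounts"            # assumption: group allowed to read the credentials
$backupPath = "C:\SecureStoreBackup\$appName.json"    # assumption: where the definition is documented
$passphrase = Read-Host "Secure Store passphrase"     # the ORIGINAL passphrase (cmdlets take a plain string)

$ctx   = Get-SPServiceContext -Site $siteUrl
$proxy = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like "*Secure Store*" }

# 1. Document the existing definition before deleting it (credentials cannot be
#    exported; only the application and field layout are saved).
$existing = Get-SPSecureStoreApplication -ServiceContext $ctx -Name $appName
$definition = [ordered]@{
    Name             = $existing.TargetApplication.Name
    FriendlyName     = $existing.TargetApplication.FriendlyName
    ContactEmail     = $existing.TargetApplication.ContactEmail
    ApplicationType  = $existing.TargetApplication.ApplicationType.ToString()
    TimeoutInMinutes = $existing.TargetApplication.TimeoutInMinutes
    Fields           = @($existing.Fields | ForEach-Object {
                           @{ Name = $_.Name; Type = $_.Type.ToString(); Masked = [bool]$_.IsMasked } })
}
New-Item -ItemType Directory -Path (Split-Path $backupPath) -Force | Out-Null
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $backupPath

# 2. Delete the damaged entry.
Remove-SPSecureStoreApplication -Identity $existing -Confirm:$false

# 3. No entries left: reset the master key. Entries left: refresh the
#    application server key with the original passphrase.
$remaining = @(Get-SPSecureStoreApplication -ServiceContext $ctx -All)
if ($remaining.Count -eq 0) {
    Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
} else {
    Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
}

# 4. Rebuild the target application from the saved definition.
$target = New-SPSecureStoreTargetApplication -Name $definition.Name `
            -FriendlyName $definition.FriendlyName -ContactEmail $definition.ContactEmail `
            -ApplicationType $definition.ApplicationType -TimeoutInMinutes $definition.TimeoutInMinutes
$fields = @($definition.Fields | ForEach-Object {
              New-SPSecureStoreApplicationField -Name $_.Name -Type $_.Type -Masked:$_.Masked })
$admin  = New-SPClaimsPrincipal -Identity $adminUser  -IdentityType WindowsSamAccountName
$owners = New-SPClaimsPrincipal -Identity $ownerGroup -IdentityType WindowsSamAccountName
$app = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $target `
         -Fields $fields -Administrator $admin -CredentialsOwnerGroup $owners

# Group credentials: one SecureString per field, in field order (values assumed).
$values = @(
    (ConvertTo-SecureString "svc-endpoint-user" -AsPlainText -Force),
    (Read-Host -AsSecureString "Password for svc-endpoint-user")
)
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $values

# 5. Read the credentials back the way an application would. Run this as a
#    member of the owner group; a broken store throws here with the
#    CryptographicException quoted in the comment above.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.SecureStoreService") | Out-Null
$site = Get-SPSite $siteUrl
$provider = New-Object Microsoft.Office.SecureStoreService.Server.SecureStoreProvider
$provider.Context = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
try {
    $creds = $provider.GetCredentials($appName)
    foreach ($c in $creds) {
        # Only report the field type and length; never echo the secret itself.
        "{0}: {1} characters retrieved" -f $c.CredentialType, $c.Credential.Length
    }
} catch {
    Write-Error ("Retrieval from '{0}' still fails: {1}" -f $appName, $_.Exception.Message)
} finally {
    $site.Dispose()
}
```

Run the script once per damaged target application, in the order you documented them, and keep the JSON files: they are the "documented" definitions the workaround asks for, and step 5 is the "test affected applications" step done without involving the custom application itself.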